oval:org.secpod.oval:def:1800001
Alpine Linux 3.5 is installed

oval:org.secpod.oval:def:1800856
An SQL injection in graphs_new.php via cg_g parameter was found affecting version 0.8.8f and older. Note that this is different from CVE-2015-8377.

oval:org.secpod.oval:def:1800830
SQL injection in graph.php. SQL Injection of Cacti was discovered in graph.php. Cacti graphs_new.php SQL Injection Vulnerability: an SQL injection was found in /cacti/graphs_new.php, affected versions 0.8.8f and older.

oval:org.secpod.oval:def:1800808
Affected versions: PostfixAdmin 3.0 and 3.0.1; PostfixAdmin 2.91, 2.92 and 2.93. Older PostfixAdmin releases are not affected. PostfixAdmin 3.0.2 will fix this issue.

oval:org.secpod.oval:def:1800038
Affected versions: PostfixAdmin 3.0 and 3.0.1; PostfixAdmin 2.91, 2.92 and 2.93. Older PostfixAdmin releases are not affected. PostfixAdmin 3.0.2 will fix this issue.

oval:org.secpod.oval:def:1800062
CVE-2017-8903, XSA-213: x86: 64bit PV guest breakout via pagetable use-after-mode-change. CVE-2017-8904, XSA-214: grant transfer allows PV guest to elevate privileges.

oval:org.secpod.oval:def:1800792
CVE-2017-8903, XSA-213: x86: 64bit PV guest breakout via pagetable use-after-mode-change. CVE-2017-8904, XSA-214: grant transfer allows PV guest to elevate privileges.

oval:org.secpod.oval:def:1800152
CVE-2016-9449: Inconsistent name for term access query. CVE-2016-9450: Incorrect cache context on password reset page. CVE-2016-9451: Confirmation forms allow external URLs to be injected. CVE-2016-9452: Denial of service via transliterate mechanism. Affected versions: Drupal core 7.x versions prior to 7 ...

oval:org.secpod.oval:def:1800215
CVE-2016-9449: Inconsistent name for term access query. CVE-2016-9450: Incorrect cache context on password reset page. CVE-2016-9451: Confirmation forms allow external URLs to be injected. CVE-2016-9452: Denial of service via transliterate mechanism. Affected versions: Drupal core 7.x versions prior to ...

oval:org.secpod.oval:def:1800600
CVE-2017-5595: File disclosure due to unfiltered user-input. Affects v1.30 and v1.29.

oval:org.secpod.oval:def:1800110
CVE-2017-5209: The base64decode function in base64.c in libimobiledevice libplist through 1.12 allows attackers to obtain sensitive information from process memory or cause a denial of service via split encoded Apple Property List data. CVE-2017-5545: The main function in plistutil.c ...

oval:org.secpod.oval:def:1800888
CVE-2016-7092, XSA-185: x86: Disallow L3 recursive pagetable for 32-bit PV guests. CVE-2016-7093, XSA-186: x86: Mishandling of instruction pointer truncation during emulation. CVE-2016-7094, XSA-187: x86 HVM: Overflow of sh_ctxt-

oval:org.secpod.oval:def:1800812
Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affected versions: 9.9.3-S1 -

oval:org.secpod.oval:def:1800845
Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affected versions 9.9.3-S1 -

oval:org.secpod.oval:def:1800811
CVE ID: not yet available. File upload access bypass and denial of service. A vulnerability exists in the File module that allows a malicious user to view, delete or substitute a link to a file that the victim has uploaded to a form while the form has not yet been submitted and processed. If an attac ...

oval:org.secpod.oval:def:1800016
CVE ID: not yet available. Saving user accounts can sometimes grant the user all roles. A vulnerability exists in the User module, where if some specific contributed or custom code triggers a rebuild of the user profile form, a registered user can be granted all user roles on the site. This would typ ...

oval:org.secpod.oval:def:1800009
CVE ID: not yet available. Saving user accounts can sometimes grant the user all roles. A vulnerability exists in the User module, where if some specific contributed or custom code triggers a rebuild of the user profile form, a registered user can be granted all user roles on the site. This would typi ...

oval:org.secpod.oval:def:1800806
Fixed in gnutls 3.5.13.

oval:org.secpod.oval:def:1800723
Fixed In: gnutls 3.5.13.

oval:org.secpod.oval:def:1800036
An error within the "tar_directory_for_file" function in GNOME Structured File Library before 1.14.41 can be exploited to trigger a NULL pointer dereference and subsequently cause a crash via a crafted TAR file. Fixed In Version: libgsf 1.14.41.

oval:org.secpod.oval:def:1800919
CVE-2016-6606: Weakness with cookie encryption. All 4.6.x versions, 4.4.x versions, and 4.0.x versions are affected. Upgrade to phpMyAdmin 4.6.4, 4.4.15.8, 4.0.10.17, or newer or apply patch. CVE-2016-6607: Multiple XSS vulnerabilities. All 4.6.x versions, 4.4.x versions, and 4.0.x versions are ...

oval:org.secpod.oval:def:1800636
CVE-2015-9099: The lame_init_params function in lame.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service via a crafted audio file with a negative sample rate.

oval:org.secpod.oval:def:1800338
CVE-2015-9099: The lame_init_params function in lame.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service via a crafted audio file with a negative sample rate.

oval:org.secpod.oval:def:1800265
CVE-2017-5846: The gst_asf_demux_process_ext_stream_props function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer before 1.10.3 allows remote attackers to cause a denial of service via vectors related to the number of languages in a video file.

oval:org.secpod.oval:def:1800287
CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs. CVE-2017-7234: Open redirect vulnerability in django.views.static.serve. Fixed In: py-django 1.10.7, 1.9.13, and 1.8.18.

oval:org.secpod.oval:def:1800997
Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume vulnerability in the UDP support of the memcached server that can result in denial of service via network flood. This attack appears to be exploitable via network connectivity to port 11211 UDP. Fixed In Version: ...

oval:org.secpod.oval:def:1800885
CVE-2016-2120: Crafted zone record can cause a denial of service. Affects: PowerDNS Authoritative Server up to and including 3.4.10, 4.0.1. Not affected: PowerDNS Authoritative Server 3.4.11, 4.0.2. CVE-2016-7068: Crafted queries can cause abnormal CPU usage. Affects: PowerDNS Authorita ...

oval:org.secpod.oval:def:1800091
CVE-2016-10099: Borg before 1.0.9 has a flaw in the cryptographic protocol used to authenticate the manifest, potentially allowing an attacker to spoof the list of archives.

oval:org.secpod.oval:def:1800797
CVE-2015-8934: out of bounds heap read in RAR parser. Fixed In Version: libarchive 3.2.1

oval:org.secpod.oval:def:1800784
logger.c in the logger plugin in WeeChat before 1.9.1 allows a crash via strftime date/time specifiers, because a buffer is not initialized. Fixed in weechat 1.9.1

oval:org.secpod.oval:def:1800903
This includes fixes for multiple security issues. - Security: Message printout was vulnerable to format string injection. If specific usernames including "%" symbols can be created on a system then an attacker could run arbitrary code as root when connecting to Dropbear server. A dbclient user who c ...

oval:org.secpod.oval:def:1800181
CVE-2016-10128: smart_pkt: verify packet length exceeds PKT_LEN_SIZE. Fixed In Version: libgit2 0.25.1, libgit2 0.24.6

oval:org.secpod.oval:def:1800199
CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL.

oval:org.secpod.oval:def:1800763
CVE-2015-8629: Verify decoded kadmin C strings. In all versions of MIT krb5, an authenticated attacker can cause kadmind to read beyond the end of allocated memory by sending a string without a terminating zero byte. Information leakage may be possible for an attacker with permission to modify the da ...

oval:org.secpod.oval:def:1800706
CVE-2017-8361: The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted audio file. CVE-2017-8362: The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows rem ...

oval:org.secpod.oval:def:1800259
musl 1.1.16 and previous are affected by CVE-2017-15650. The issue was resolved in 1.1.17 which is currently in the edge repository. The patch looks simple and is said to apply cleanly to "all recent versions". I suggest including the patch in all currently supported Alpine releases, assuming it doe ...

oval:org.secpod.oval:def:1800898
The III_i_stereo function in libmpg123/layer3.c in mpg123 through 1.25.1 allows attackers to cause a denial of service via a crafted audio file that is mishandled in the code for the "block_type != 2" case, a similar issue to CVE-2017-9870. Fixed In Version: mpg123 1.25.2

oval:org.secpod.oval:def:1800789
Munin has a local file write vulnerability when CGI graphs are enabled. Setting multiple "upper_limit" GET parameters allows overwriting any file accessible to the www-data user.

oval:org.secpod.oval:def:1800492
Off-by-one error in the tokenadd function in jv_parse.c in jq allows remote attackers to cause a denial of service via a long JSON-encoded number, which triggers a heap-based buffer overflow.

oval:org.secpod.oval:def:1800799
Prior to any download in the SCP sink protocol, the server sends a line of text consisting of an octal number encoding Unix file permissions, a decimal number encoding the file size, and the file name. Since the file size can exceed 2^32 bytes, and in some compilation configurations of PuTTY the host ...

oval:org.secpod.oval:def:1800859
A vulnerability exists in Mosquitto versions 0.15 to 1.4.11. Pattern based ACLs can be bypassed by clients that set their username/client id to # or +. This allows locally or remotely connected clients to access MQTT topics that they do not have the rights to. The same issue may be present in third part ...

oval:org.secpod.oval:def:1800684
Commit f86a374: the check opens the logfile with full root privileges. This allows us to truncate any file or create a root-owned file with any contents in any directory and can be easily exploited to full root access in several ways. Affects screen 4.4.0 up to and including 4.5.0.

oval:org.secpod.oval:def:1800836
A null pointer dereference bug affects the current and many old versions of p7zip. It is caused by the lack of a check for the array variable folders.PackPositions after a loop of initialization.

oval:org.secpod.oval:def:1800863
CVE-2016-10244: parse_charstrings function in type1/t1load.c does not ensure that a font contains a glyph name

oval:org.secpod.oval:def:1800868
CVE-2016-10244: parse_charstrings function in type1/t1load.c does not ensure that a font contains a glyph name.

oval:org.secpod.oval:def:1801013
An issue was discovered in FreeType 2 through 2.9. A NULL pointer dereference in the Ins_GETVARIATION function within ttinterp.c could lead to DoS via a crafted font file.

oval:org.secpod.oval:def:1800923
CVE-2018-6758: The uwsgi_expand_path function in core/utils.c in Unbit uWSGI through 2.0.15 has a stack-based buffer overflow via a large directory length.

oval:org.secpod.oval:def:1800984
In version 4.14.0-r0 of the following packages installed from all files installed have owner/group = 1000/1000 which is a huge security hole: xfsprogs, xfsprogs-libs, xfsprogs-extra, xfsprogs-doc

oval:org.secpod.oval:def:1801016
CVE-2018-11218: Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2 because of stack-based buffer overflows.

oval:org.secpod.oval:def:1801083
CVE-2018-14349: Heap Overflow in imap/command.c. Fixed In Version: mutt 1.10.1

oval:org.secpod.oval:def:1801171
A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and including 2.78. Wildcard synthesized NSEC records could be improperly interpreted to prove the non-existence of hostnames that actually exist.

oval:org.secpod.oval:def:1800769
CVE-2017-12172: Start scripts permit database administrator to modify root-owned files. CVE-2017-15098: Memory disclosure in JSON functions. CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges. Fixed In: postgresql 9.2.24, postgresql 9.3.20, postgresql 9.4.15, postgresql ...

oval:org.secpod.oval:def:1800777
CVE-2017-12172: Start scripts permit database administrator to modify root-owned files. CVE-2017-15098: Memory disclosure in JSON functions. CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges. Fixed In: postgresql 9.2.24, postgresql 9.3.20, postgresql 9.4.15, postgresql ...

oval:org.secpod.oval:def:1800185
CVE-2016-2365: Pidgin MXIT Markup Command Denial of Service Vulnerability. Fixed In Version: pidgin 2.11.0

oval:org.secpod.oval:def:1800857
An out-of-bounds write vulnerability was found in purple_markup_unescape_entity. It can be triggered by sending invalid XML entities separated by whitespace, eg "ஸ". In default installation, this can get called only when receiving data from a server. Fixed In Version: pidgin 2.12.0

oval:org.secpod.oval:def:1800545
An out-of-bounds write vulnerability was found in purple_markup_unescape_entity. It can be triggered by sending invalid XML entities separated by whitespace, eg "ஸ". In default installation, this can get called only when receiving data from a server. Fixed In Version: pidgin 2.12.0

oval:org.secpod.oval:def:1800473
CVE-2016-5350: SPOOLS infinite loop. Affected versions: 2.0.0 to 2.0.3, 1.12.0 to 1.12.11 Fixed versions: 2.0.4, 1.12.12

oval:org.secpod.oval:def:1800595
CVE-2016-5350: SPOOLS infinite loop Affected versions: 2.0.0 to 2.0.3, 1.12.0 to 1.12.11 Fixed versions: 2.0.4, 1.12.12

oval:org.secpod.oval:def:1800393
Buffer overflow in the DecodeAdpcmImaQT function in modules/codec/adpcm.c in VideoLAN VLC media player before 2.2.4 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted QuickTime IMA file.

oval:org.secpod.oval:def:1801560
The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted mp4 file.

oval:org.secpod.oval:def:1800224
CVE-2016-9634, CVE-2016-9635, CVE-2016-9636: Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service via the start_line parameter.

oval:org.secpod.oval:def:1800788
CVE-2016-9634, CVE-2016-9635, CVE-2016-9636: Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service via the start_line parameter.

oval:org.secpod.oval:def:1800969
CVE-2018-0202: Out-of-bounds access in the PDF parser. Fixed In Version: clamav 0.99.4

oval:org.secpod.oval:def:1800017
Integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library through 2.2.3, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted imagewebp and imagedestroy calls.

oval:org.secpod.oval:def:1800884
CVE-2016-10024, XSA-202: x86 PV guests may be able to mask interrupts. CVE-2016-10025, XSA-203: x86: missing NULL pointer check in VMFUNC emulation. CVE-2016-10013, XSA-204: x86: Mishandling of SYSCALL single step during emulation.

oval:org.secpod.oval:def:1800764
CVE-2016-9932, XSA-200: x86 CMPXCHG8B emulation fails to ignore operand size override. CVE-2016-9815, CVE-2016-9816, CVE-2016-9817, CVE-2016-9818, XSA-201: ARM guests may induce host asynchronous abort.

oval:org.secpod.oval:def:1800803
Xen 4.7.x and earlier does not properly honor CR0.TS and CR0.EM, which allows local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it.

oval:org.secpod.oval:def:1800376
CVE-2016-10024, XSA-202: x86 PV guests may be able to mask interrupts. CVE-2016-10025, XSA-203: x86: missing NULL pointer check in VMFUNC emulation. CVE-2016-10013, XSA-204: x86: Mishandling of SYSCALL singlestep during emulation.

oval:org.secpod.oval:def:1800269
CVE-2016-6906: The read_image_tga function in gd_tga.c in the GD Graphics Library before 2.2.4 allows remote attackers to cause a denial of service via a crafted TGA file, related to the decompression buffer.

oval:org.secpod.oval:def:1800011
The bmp_read_info_header function in bin/jp2/convertbmp.c in OpenJPEG 2.2.0 does not reject headers with a zero biBitCount, which allows remote attackers to cause a denial of service in the opj_image_create function in lib/openjp2/image.c, related to the opj_aligned_alloc_n function in opj_malloc.c ...

oval:org.secpod.oval:def:1800232
The bmp_read_info_header function in bin/jp2/convertbmp.c in OpenJPEG 2.2.0 does not reject headers with a zero biBitCount, which allows remote attackers to cause a denial of service in the opj_image_create function in lib/openjp2/image.c, related to the opj_aligned_alloc_n function in opj_malloc.c ...

oval:org.secpod.oval:def:1800820
CVE-2017-7867: Heap-buffer overflow in utext_setNativeIndex function

oval:org.secpod.oval:def:1800896
CVE-2017-7867: Heap-buffer overflow in utext_setNativeIndex function

oval:org.secpod.oval:def:1800291
CVE-2017-7592: Left shift of unsigned char without a cast. The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted image.

oval:org.secpod.oval:def:1800294
CVE-2017-14632: Invalid freeing of uninitialized memory in the function vorbis_analysis_headerout. Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing uninitialized memory in the function vorbis_analysis_headerout in info.c when vi-

oval:org.secpod.oval:def:1800775
CVE-2017-14632: Invalid freeing of uninitialized memory in the function vorbis_analysis_headerout Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing uninitialized memory in the function vorbis_analysis_headerout in info.c when vi-

oval:org.secpod.oval:def:1801180
CVE-2017-15232: libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file.

oval:org.secpod.oval:def:1800733
CVE-2017-1000100: TFTP sends more than buffer size. When doing a TFTP upload and curl/libcurl is given a URL that contains a very long file name, the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too larg ...

oval:org.secpod.oval:def:1800283
CVE-2017-1000100: TFTP sends more than buffer size. When doing a TFTP upload and curl/libcurl is given a URL that contains a very long file name, the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too lar ...

oval:org.secpod.oval:def:1800737
A localhost.localdomain whitelist entry in valid_host in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server ...

oval:org.secpod.oval:def:1800070
A non-privileged X client can instruct X server running under root to open any file by creating its own directory with "fonts.dir", "fonts.alias" or any font file being a symbolic link to any other file in the system. X server will then open it. This can be an issue with special files such as /dev/watchdog. ...

oval:org.secpod.oval:def:1800796
A non-privileged X client can instruct X server running under root to open any file by creating its own directory with "fonts.dir", "fonts.alias" or any font file being a symbolic link to any other file in the system. X server will then open it. This can be an issue with special files such as /dev/watchdog. ...

oval:org.secpod.oval:def:1800131
CVE-2016-9941: Heap-based buffer overflow in rfbproto.c. Heap-based buffer overflow in rfbproto.c was found in LibVNCClient in LibVNCServer before 0.9.11 that allows remote servers to cause a denial of service or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a su ...

oval:org.secpod.oval:def:1800116
In libsamplerate before 0.1.9, a buffer over-read occurs in the calc_output_single function in src_sinc.c via a crafted audio file.

oval:org.secpod.oval:def:1800173
The try_read_command function in memcached.c in memcached before 1.4.39 allows remote attackers to cause a denial of service via a request to add/set a key, which makes a comparison between signed and unsigned int and triggers a heap-based buffer over-read. NOTE: this vulnerability exists because o ...

oval:org.secpod.oval:def:1800078
CVE-2016-8704: Server append/prepend remote code execution. An integer overflow in the process_bin_append_prepend function which is responsible for processing multiple commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution. Fixed In Version: memc ...

oval:org.secpod.oval:def:1800709
OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution. Fixed In Version: openvpn 2.3.18, openvpn 2.4.4

oval:org.secpod.oval:def:1800141
CVE-2017-7478: OpenVPN version 2.3.12 and newer is vulnerable to unauthenticated Denial of Service of server via received large control packet. Fixed In Version: openvpn 2.3.15, openvpn 2.4.2

oval:org.secpod.oval:def:1800978
The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service via a crafted JSON file.

oval:org.secpod.oval:def:1800861
servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to a double free vulnerability. A user with access to search the directory can crash slapd by issuing a search including the Paged Results control with a page size of 0.

oval:org.secpod.oval:def:1800710
Heap-based buffer overflow in util/gif2rgb.c in gif2rgb in giflib 5.1.2 allows remote attackers to cause a denial of service via the background color index in a GIF file.

oval:org.secpod.oval:def:1801555
In Kamailio before 5.0.7 and 5.1.x before 5.1.4, a crafted SIP message with a double "To" header and an empty "To" tag causes a segmentation fault and crash. The reason is missing input validation in the "build_res_buf_from_sip_req" core function. This could result in denial of service and potential ...

oval:org.secpod.oval:def:1800917
libarchive 3.3.2 allows remote attackers to cause a denial of service via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archive_read_support_format_xar.c.

oval:org.secpod.oval:def:1800904
In LibTIFF 4.0.9, there is a Null-Pointer Dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash.

oval:org.secpod.oval:def:1800289
CVE-2018-1000024: Incorrect pointer handling when processing ESI Responses can lead to denial of service. Due to incorrect pointer handling, Squid versions 3.x and 4.x are vulnerable to a denial of service attack when processing ESI responses. This problem allows a remote server delivering certain ...

oval:org.secpod.oval:def:1801526
A Buffer Overflow issue was discovered in Kamailio before 4.4.7, 5.0.x before 5.0.6, and 5.1.x before 5.1.2. A specially crafted REGISTER message with a malformed branch or From tag triggers an off-by-one heap-based buffer overflow in the tmx_check_pretran function in modules/tmx/tmx_pretran.c.

oval:org.secpod.oval:def:1801014
GnuPG before version 2.2.8 does not properly sanitize original filenames of signed or encrypted messages allowing for the insertion of line feeds and other control characters. An attacker could exploit this by injecting such characters to craft status messages and fake the validity of signatures.

oval:org.secpod.oval:def:1801551
CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone transfers. Affected versions: 9.4.0-

oval:org.secpod.oval:def:1800745
CVE-2017-6419: heap-based buffer overflow in mspack/lzxd.c. mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted CHM file.

oval:org.secpod.oval:def:1800218
CVE-2017-6419: heap-based buffer overflow in mspack/lzxd.c. mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted CHM file.

oval:org.secpod.oval:def:1800721
Augeas versions up to and including 1.8.0 are vulnerable to heap-based buffer overflow due to improper handling of escaped strings. Attacker could send crafted strings that would cause the application using augeas to copy past the end of a buffer, leading to a crash or possible code execution. Fixed ...

oval:org.secpod.oval:def:1800211
CVE-2017-6886: Memory corruption in the parse_tiff_ifd. An error within the "parse_tiff_ifd" function in LibRaw versions before 0.18.2 can be exploited to corrupt memory. Fixed In Version: LibRaw 0.18.2

oval:org.secpod.oval:def:1800724
3.2.9 fixes the following vulnerabilities: CVE-2017-15186. 3.2.8 fixes the following vulnerabilities: CVE-2017-14054, CVE-2017-14055, CVE-2017-14056, CVE-2017-14057, CVE-2017-14058, CVE-2017-14059, CVE-2017-14169, CVE-2017-14170, CVE-2017-14171, CVE-2017-14222, CVE-2017-14223, CVE-2017-14225, CVE-2017- ...

oval:org.secpod.oval:def:1800893
3.2.9 fixes the following vulnerabilities: CVE-2017-15186. 3.2.8 fixes the following vulnerabilities: CVE-2017-14054, CVE-2017-14055, CVE-2017-14056, CVE-2017-14057, CVE-2017-14058, CVE-2017-14059, CVE-2017-14169, CVE-2017-14170, CVE-2017-14171, CVE-2017-14222, CVE-2017-14223, CVE-2017-14225, CVE-2017- ...

oval:org.secpod.oval:def:1800000
A number of security vulnerabilities were found in the Graphite 2 library, including out-of-bounds reads, buffer overflow reads and writes, and the use of uninitialized memory. These issues were addressed in Graphite 2 version 1.3.10.

oval:org.secpod.oval:def:1800701
An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or url to trigger this vulnerability. Fixed In: G ...

oval:org.secpod.oval:def:1800870
CVE-2017-10965: When receiving messages with invalid time stamps, Irssi would try to dereference a NULL pointer. Fixed in Irssi 1.0.4

oval:org.secpod.oval:def:1800767
CVE-2017-14316, XSA-231: Missing NUMA node parameter verification

oval:org.secpod.oval:def:1800021
CVE-2017-14316, XSA-231: Missing NUMA node parameter verification.

oval:org.secpod.oval:def:1800759
It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments. The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values ...

oval:org.secpod.oval:def:1800148
It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments. The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values ...

oval:org.secpod.oval:def:1800907
CVE-2017-16671: Buffer overflow in CDR's set user. A Buffer Overflow issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. No size checking is done when setting the user field for Party B on a CDR. Thus, ...

oval:org.secpod.oval:def:1800795
CVE-2017-16671: Buffer overflow in CDR's set user. A Buffer Overflow issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. No size checking is done when setting the user field for Party B on a CDR. Thus ...

oval:org.secpod.oval:def:1800766
All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition. Samba uses the realpath system call to ensure when a client requests access to a pathname that it i ...

oval:org.secpod.oval:def:1800963
CVE-2018-1050: Denial of Service Attack on external print server. Affected Versions: All versions of Samba from 4.0.0 onwards. Fixed In Version: Samba 4.7.6, 4.6.14 and 4.5.16.

oval:org.secpod.oval:def:1800848
An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that data with a pointer and the size to the deliver-data function. Affected versions: libcurl 7.20.0 to and including 7.56.0. Not affected v ...

oval:org.secpod.oval:def:1800931
CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write. Affected versions: curl 7.12.3 to and including curl 7.58.0. Not affected versions: curl = 7.59.0

oval:org.secpod.oval:def:1801175
The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On sy ...

oval:org.secpod.oval:def:1800161
CVE-2018-1000005: HTTP/2 trailer out-of-bounds read. Affected versions: libcurl 7.49.0 to and including 7.57.0 Not affected versions: libcurl = 7.58.0

oval:org.secpod.oval:def:1800794
An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that data with a pointer and the size to the deliver-data function. Affected versions: libcurl 7.20.0 to and including 7.56.0. Not affected ...

oval:org.secpod.oval:def:1800757
tcpdump 4.9.0 allows remote attackers to cause a denial of service via crafted packet data. The crash occurs in the EXTRACT_16BITS function, called from the stp_print function for the Spanning Tree Protocol. Fixed in Tcpdump 4.9.1

oval:org.secpod.oval:def:1800819
tcpdump 4.9.0 allows remote attackers to cause a denial of service via crafted packet data. The crash occurs in the EXTRACT_16BITS function, called from the stp_print function for the Spanning Tree Protocol. Fixed In: Tcpdump 4.9.1

oval:org.secpod.oval:def:1801092
A flaw was found in libvorbis 1.3.6. The mapping0_forward function in mapping0.c file in Xiph.Org does not validate the number of channels, which allows remote attackers to cause a denial of service via a crafted file.

oval:org.secpod.oval:def:1800866
It was reported that File::Spec::canonpath routine returns untainted strings even if passed tainted input. This defect undermines the guarantee of taint propagation, which is sometimes used to ensure that unvalidated user input does not reach sensitive code. This issue affects versions of PathTools ...

oval:org.secpod.oval:def:1800249
CVE-2016-1899: Reflected XSS and header injection in mimetype query string CVE-2016-1900: Stored Cross Site Scripting & Header Injection in Filename Parameter CVE-2016-1901: Integer Overflow resulting in Buffer Overflow Fixed In Version: cgit 0.12

oval:org.secpod.oval:def:1800754
During the SSHv2 handshake when libssh2 is to get a suitable value for "group order" in the Diffie-Hellman negotiation, it would pass in number of bytes to a function that expected number of bits. This would result in the library generating numbers using only an 8th the number of random bits than wh ...

oval:org.secpod.oval:def:1800640
libssh versions 0.1 and above have a bits/bytes confusion bug and generate an abnormally short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. There ...

oval:org.secpod.oval:def:1800882
CVE-2011-5326: divide by zero on 2x1 ellipse. A vulnerability was found in imlib2. Attempting to draw a 2x1 radii ellipse with imlib_image_draw_ellipse will result in a floating point exception.

oval:org.secpod.oval:def:1800400
An SQL injection vulnerability was found in cacti-0.8.8.g. Affected Version: 0.8.8.g

oval:org.secpod.oval:def:1800217
A crafted zip file can provide an incorrect compressed size, which may allow an attacker to place arbitrary code on the heap and execute it in the context of the current user. The user must be coerced into unzipping the crafted zip file. Fixed In Version: libarchive 3.2.0

oval:org.secpod.oval:def:1800045
CVE-2015-8803, CVE-2015-8805: secp256 calculation bug Patch: CVE-2015-8804: miscalculations on secp384 curve Patch: They affect the NIST P-256 and P-384 curves. The P-256 bug is in the C code and affects multiple architectures. The P-384 bug is in the assembly code and only affects 64 bit x86. Fixed ...

oval:org.secpod.oval:def:1800279
CVE-2016-5702: Cookie attribute injection attack Affected Versions All 4.6.x versions are affected Upgrade to phpMyAdmin 4.6.3 or newer Reference CVE-2016-5704: XSS on table structure page Affected Versions All 4.6.x versions are affected Upgrade to phpMyAdmin 4.6.3 or newer. Reference CVE-2016-57 ...

oval:org.secpod.oval:def:1800771
CVE-2016-5701: BBCode injection vulnerability Affected Versions Version 4.6.x, 4.4.15.x, and 4.0.10.x are affected Upgrade to phpMyAdmin 4.6.3, 4.4.15.7 or newer Reference CVE-2016-5703: SQL injection attack Affected Versions Versions 4.6.x and 4.4.x are affected Upgrade to phpMyAdmin 4.6.3, 4. ...

oval:org.secpod.oval:def:1800207
CVE-2016-5701: BBCode injection vulnerability. Affected Versions. Version 4.6.x, 4.4.15.x, and 4.0.10.x are affected Upgrade to phpMyAdmin 4.6.3, 4.4.15.7 or newer Reference: CVE-2016-5703: SQL injection attack. Affected Versions. Versions 4.6.x and 4.4.x are affected Upgrade to phpMyAdmin 4.6. ...

oval:org.secpod.oval:def:1800096
libcli/smb/smbXcli_base.c in Samba 4.x before 4.2.14, 4.3.x before 4.3.11, and 4.4.x before 4.4.5 allows man-in-the-middle attackers to bypass a client-signing protection mechanism, and consequently spoof SMB2 and SMB3 servers, via the SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL flag. ...

oval:org.secpod.oval:def:1800264
CVE-2016-5423: CASE/WHEN with inlining can cause untrusted pointer dereference. Fixed In Version: postgresql 9.5.4, postgresql 9.4.9, postgresql 9.3.14, postgresql 9.2.18, postgresql 9.1.23 CVE-2016-5424: database and role names with embedded special characters can allow code injection during admi ...

oval:org.secpod.oval:def:1800633
Jansson 2.7 and earlier allows context-dependent attackers to cause a denial of service via crafted JSON data.

oval:org.secpod.oval:def:1800843
Jansson 2.7 and earlier allows context-dependent attackers to cause a denial of service via crafted JSON data.

oval:org.secpod.oval:def:1801198
One heap-based out-of-bounds read vulnerability exists in libexif-0.6.21. When saving the data of an entry tagged with EXIF_TAG_MAKER_NOTE to a buffer and copying the data of the exif entry, there is a mismatch between the computed read size of the entry data and the size of the allocated entry data ...

oval:org.secpod.oval:def:1801091
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.

oval:org.secpod.oval:def:1800734
Parsing the Rich Text Format character style index was insufficiently checked for validity. Documents can be constructed which dereference an iterator to the first entry of an empty STL container. Fixed in libreoffice 5.1.4, libreoffice 5.2.0

oval:org.secpod.oval:def:1800918
CVE-2017-7870 Heap-buffer-overflow in WMF polygon processing Windows Metafiles can contain polygons which under certain circumstances when processed can result in output polygons which have too many points to be represented by LibreOffice's internal polygon class. Fixed in LibreOffice 5.2.5/5.3.0 ...

oval:org.secpod.oval:def:1800125
Parsing the Rich Text Format character style index was insufficiently checked for validity. Documents can be constructed which dereference an iterator to the first entry of an empty STL container. Fixed In: libreoffice 5.1.4, libreoffice 5.2.0

oval:org.secpod.oval:def:1800703
The vulnerability is caused due to an error in the "lha_read_file_header_1" function, which can be exploited to trigger an out-of-bounds read memory access via a specially crafted archive. Affected versions: libarchive version 3.2.2. Other versions may also be affected.

oval:org.secpod.oval:def:1800906
CVE-2017-3313: mariaDB 10.1.22 CVE-2017-3302: mariaDB 10.1.22 Reference:

oval:org.secpod.oval:def:1800151
CVE-2017-3308: mariadb 10.1.23 CVE-2017-3309: mariadb 10.1.23 CVE-2017-3453: mariadb 10.1.23 CVE-2017-3456: mariadb 10.1.23 CVE-2017-3464: mariadb 10.1.23 CVE-2017-3636: mariadb 10.1.26 CVE-2017-3641: mariadb 10.1.26 CVE-2017-3653: mariadb 10.1.26

oval:org.secpod.oval:def:1800102
CVE-2017-3308: mariadb 10.1.23 CVE-2017-3309: mariadb 10.1.23 CVE-2017-3453: mariadb 10.1.23 CVE-2017-3456: mariadb 10.1.23 CVE-2017-3464: mariadb 10.1.23 CVE-2017-3636: mariadb 10.1.26 CVE-2017-3641: mariadb 10.1.26 CVE-2017-3653: mariadb 10.1.26

oval:org.secpod.oval:def:1800237
CVE-2016-7440: mariadb 5.5.53, mariadb 10.1.19 CVE-2016-5584: mariadb 5.5.53, mariadb 10.1.19 Reference

oval:org.secpod.oval:def:1800758
CVE-2017-15873: Integer overflow in the get_next_block function. The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation.

oval:org.secpod.oval:def:1800234
Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in libsndfile through 1.0.28 allows remote attackers to cause a denial of service or possibly have unspecified other impact.

oval:org.secpod.oval:def:1800850
The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.

oval:org.secpod.oval:def:1800790
When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD source code. In this hardcoded password structure the password hash is based on the BLOWFISH algorithm. If real users' passwords are hashed using SHA256/SHA512, then sending large passwor ...

oval:org.secpod.oval:def:1800047
CVE-2016-6664: mariadb 10.1.21 CVE-2017-3238: mariadb 5.5.54, mariadb 10.1.21 CVE-2017-3243: mariadb 5.5.54, mariadb 10.1.21 CVE-2017-3244: mariadb 5.5.54, mariadb 10.1.21 CVE-2017-3257: mariadb 10.1.21 CVE-2017-3258: mariadb 5.5.54, mariadb 10.1.21 CVE-2017-3265: MariaDB 10.1.21 CVE-2017-3291: Maria ...

oval:org.secpod.oval:def:1800718
CVE-2016-10169: global buffer overread in read_code / read_words.c Fixed In Version: wavpack 5.1.0

oval:org.secpod.oval:def:1800835
CVE-2016-10169: global buffer overread in read_code / read_words.c Fixed In Version wavpack 5.1.0

oval:org.secpod.oval:def:1800481
CVE-2017-7484: selectivity estimators bypass SELECT privilege checks Fixed In Version postgresql 9.4.12, postgresql 9.5.7, postgresql 9.6.3

oval:org.secpod.oval:def:1800905
CVE-2017-12150: SMB1/2/3 connections may not require signing where they should Affected versions: samba 3.0.25 to 4.6.7 Fixed In: samba 4.6.8, 4.5.14 and 4.4.16

oval:org.secpod.oval:def:1800220
CVE-2017-5884: Improper check of framebuffer boundaries when processing a tile gtk-vnc before 0.7.0 does not properly check boundaries of subrectangle-containing tiles, which allows remote servers to execute arbitrary code via the src x, y coordinates in a crafted rre, hextile, or copyrect tile.

oval:org.secpod.oval:def:1800519
CVE-2016-7092, XSA-185: x86: Disallow L3 recursive pagetable for 32-bit PV guests Reference CVE-2016-7093, XSA-186: x86: Mishandling of instruction pointer truncation during emulation Reference CVE-2016-7094, XSA-187: x86 HVM: Overflow of sh_ctxt-

oval:org.secpod.oval:def:1800727
GNU "tar" archiver attempts to avoid path traversal attacks by removing offending parts of the element name at extract. This sanitizing leads to a vulnerability where the attacker can bypass the path name specified on the command line. Affected versions tar 1.14 to 1.29

oval:org.secpod.oval:def:1800815
GNU "tar" archiver attempts to avoid path traversal attacks by removing offending parts of the element name at extract. This sanitizing leads to a vulnerability where the attacker can bypass the path name specified on the command line. Affected versions: tar 1.14 to 1.29

oval:org.secpod.oval:def:1800228
It was reported that offsets contained in cache files aren't checked if they're in legal ranges or are pointers at all. The lack of validation allows an attacker to trigger arbitrary free calls, which in turn allows double free attacks and therefore arbitrary code execution. When used with setuid bi ...

oval:org.secpod.oval:def:1800281
It was found that setting the VNC password to an empty string doesn't work as documented. The documented semantics of setting the password to an empty string are that it disables all access to the VNC server, however in fact it allows all users access with no authentication required instead.

oval:org.secpod.oval:def:1800586
The properties PROP_ACTIVE_LAYER, PROP_FLOATING_SELECTION, PROP_ACTIVE_CHANNEL save the current object pointer in the @info structure. Others like PROP_SELECTION and PROP_GROUP_ITEM will delete the current object and create a new object, leaving the pointers in @info invalid.

oval:org.secpod.oval:def:1800345
The properties PROP_ACTIVE_LAYER, PROP_FLOATING_SELECTION, PROP_ACTIVE_CHANNEL save the current object pointer in the @info structure. Others like PROP_SELECTION and PROP_GROUP_ITEM will delete the current object and create a new object, leaving the pointers in @info invalid.

oval:org.secpod.oval:def:1801169
OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

oval:org.secpod.oval:def:1800334
convert.c in OpenJPEG before 2.1.2 allows remote attackers to cause a denial of service via vectors involving the variables.

oval:org.secpod.oval:def:1800412
CVE-2016-9580: Integer overflow in tiftoimage causes heap buffer overflow. CVE-2016-9581: Infinite loop in tiftoimage resulting into heap buffer overflow in convert_32s_C1P1.

oval:org.secpod.oval:def:1800679
CVE-2016-9580: Integer overflow in tiftoimage causes heap buffer overflow CVE-2016-9581: Infinite loop in tiftoimage resulting into heap buffer overflow in convert_32s_C1P1

oval:org.secpod.oval:def:1800453
CVE-2016-7068: Crafted queries can cause abnormal CPU usage Affects: PowerDNS Recursor up to and including 3.7.3, 4.0.3 Not affected: PowerDNS Recursor 3.7.4, 4.0.4 Reference Patches CVE-2016-7073, CVE-2016-7074: Insufficient validation of TSIG signatures Affects: PowerDNS Recursor from 4.0.0 and up ...

oval:org.secpod.oval:def:1800653
A vulnerability exists in Mosquitto versions 0.15 to 1.4.11. Pattern based ACLs can be bypassed by clients that set their username/client id to # or +. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third part ...

oval:org.secpod.oval:def:1800490
CVE-2017-9462: Python debugger accessible to authorized users In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.

oval:org.secpod.oval:def:1800652
CVE-2017-9462: Python debugger accessible to authorized users In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.

oval:org.secpod.oval:def:1800500
A wrong if statement in the varnishd source code means that synthetic objects in stevedores which over-allocate may leak up to page size of data from a malloc memory allocation. In an unpredictable percentage of the cases where this condition arises, a segmentation fault will happen instead. All the ...

oval:org.secpod.oval:def:1800566
A wrong if statement in the varnishd source code means that synthetic objects in stevedores which over-allocate may leak up to page size of data from a malloc memory allocation. In an unpredictable percentage of the cases where this condition arises, a segmentation fault will happen instead. All the ...

oval:org.secpod.oval:def:1800735
CVE-2017-7546: Empty password accepted in some authentication methods CVE-2017-7547: The "pg_user_mappings" catalog view discloses passwords to users lacking server privileges CVE-2017-7548: lo_put function ignores ACLs Fixed In Version postgresql 9.2.22, postgresql 9.3.18, postgresql 9.4.13, postgr ...

oval:org.secpod.oval:def:1800213
CVE-2017-7546: Empty password accepted in some authentication methods CVE-2017-7547: The "pg_user_mappings" catalog view discloses passwords to users lacking server privileges CVE-2017-7548: lo_put function ignores ACLs Fixed In Version: postgresql 9.2.22, postgresql 9.3.18, postgresql 9.4.13, postg ...

oval:org.secpod.oval:def:1800551
The busybox NTP implementation doesn't check the NTP mode of packets received on the server port and responds to any packet with the right size. This includes responses from another NTP server. An attacker can send a packet with a spoofed source address in order to create an infinite loop of respons ...

oval:org.secpod.oval:def:1800901
Improper sequencing during cleanup operations of upstream recursion fetch contexts in BIND can lead to a use-after-free error, triggering an assertion failure and crash in named. Affected BIND versions acting as DNSSEC validating resolvers are currently known to crash with an assertion failure in ne ...

oval:org.secpod.oval:def:1800418
CVE-2015-7560 Incorrect ACL get/set allowed on symlink path. All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to a malicious client overwriting the ownership of ACLs using symlinks. An authenticated malicious client can use SMB1 UNIX extensions to create a symlink to a file or di ...

oval:org.secpod.oval:def:1800049
An out of boundary write has been found in libXpm exploited by an attacker through maliciously crafted XPM files. Fixed In Version: libxpm 3.5.12 Reference: Upstream patch:

oval:org.secpod.oval:def:1801193
The gmp plugin in strongSwan before 5.7.1 has a Buffer Overflow via a crafted certificate, the vulnerability was introduced with the patch that fixes CVE-2018-16151/2.

oval:org.secpod.oval:def:1801547
CVE-2018-16151: In verify_emsa_pkcs1_signature in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA implementation based on GMP does not reject excess data after the encoded algorithm OID during PKCS#1 v1.5 signature verification. Similar to the flaw in the same ...

oval:org.secpod.oval:def:1801201
HylaFAX 6.0.6 and HylaFAX+ 5.6.0 allow remote attackers to execute arbitrary code via a dial-in session that provides a FAX page with the JPEG bit enabled, which is mishandled in FaxModem::writeECMData in the faxd/CopyQuality.c++ file.

oval:org.secpod.oval:def:1801205
CVE-2018-14598: Crash on invalid reply in XListExtensions in ListExt.c. An issue was discovered in ListExt.c:XListExtensions and GetFPath.c:XGetFontPath in libX11 through version 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL ...

oval:org.secpod.oval:def:1800054
CVE-2016-8615: Cookie injection for other servers CVE-2016-8616: Case insensitive password comparison CVE-2016-8617: Out-of-bounds write via unchecked multiplication CVE-2016-8618: Double-free in curl_maprintf CVE-2016-8619: Double-free in krb5 code CVE-2016-8620: Glob parser write/read out of bound ...

oval:org.secpod.oval:def:1800770
CVE-2016-9603, XSA-211: Cirrus VGA Heap overflow via display refresh

oval:org.secpod.oval:def:1801100
In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the "allow_other" mount option regardless of whether "user_allow_other" is set in the fuse configuration. An attack ...

oval:org.secpod.oval:def:1801112
DoS for HTTP/2 connections by crafted requests By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed In Version: Apache HTTP Server 2.4.34

oval:org.secpod.oval:def:1801021
Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. ...

oval:org.secpod.oval:def:1800990
CVE-2018-10536: An issue was discovered in WavPack 5.1.0 and earlier. The WAV parser component contains a vulnerability that allows writing to memory because ParseRiffHeaderConfig in riff.c does not reject multiple format chunks.

oval:org.secpod.oval:def:1800976
CVE-2018-9256: LWAPP dissector crash Affected versions: 2.4.0 to 2.4.5, 2.2.0 to 2.2.13 Fixed versions: 2.4.6, 2.2.14

oval:org.secpod.oval:def:1800972
CVE-2017-10268: mariaDB 10.1.29 CVE-2017-10378: mariaDB 10.1.29 CVE-2017-15365: mariaDB 10.1.30 CVE-2018-2562: mariaDB 10.1.31 CVE-2018-2622: mariaDB 10.1.31 CVE-2018-2640: mariaDB 10.1.31 CVE-2018-2665: mariaDB 10.1.31 CVE-2018-2668: mariaDB 10.1.31 CVE-2018-2612: mariaDB 10.1.31

oval:org.secpod.oval:def:1800715
An issue was discovered in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1 before 4.13. Unlimited recursion in the BER decoder leads to stack exhaustion and DoS.

oval:org.secpod.oval:def:1800927
A flaw was found in rsync versions before 3.1.3. The parse_argument function in options.c in the rsyncd component does not prevent multiple --protect-args uses, thus letting the user specify the arg in the protected-arg list and shortcut some of the arg-sanitizing code. This vulnerability allows remot ...

oval:org.secpod.oval:def:1800744
CVE-2017-15191: DMP dissector crash Affected versions: 2.4.0 to 2.4.1, 2.2.0 to 2.2.9, 2.0.0 to 2.0.15 Fixed versions: 2.4.2, 2.2.10, 2.0.16

oval:org.secpod.oval:def:1800897
CVE-2017-13765: IrCOMM dissector buffer overrun Affected versions: 2.4.0, 2.2.0 to 2.2.8, 2.0.0 to 2.0.14 Fixed versions: 2.4.1, 2.2.9, 2.0.15

oval:org.secpod.oval:def:1800804
When libcurl connects to an FTP server and successfully logs in, it asks the server for the current directory with the PWD command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a fl ...

oval:org.secpod.oval:def:1800779
Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key, related to cipher/ecc.c and mpi/ec.c.

oval:org.secpod.oval:def:1800195
CVE-2017-11112: In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data. Fixed In Version: ncurses 6.0-20170701

oval:org.secpod.oval:def:1800179
An attacker can craft an RSS item with shell code in the title and/or URL. When you bookmark such an item, your shell will execute that code. Newsbeuter versions 0.7 through 2.9 are affected.

oval:org.secpod.oval:def:1800144
Improper Neutralization of Special Elements used in an OS Command in the podcast playback function of Podbeuter in Newsbeuter 0.3 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item with a media enclosure that includes shell metacharacters in its file ...

oval:org.secpod.oval:def:1800254
The gmp plugin in strongSwan before 5.6.0 allows remote attackers to cause a denial of service via a crafted RSA signature. Fixed In Version strongswan 5.6.0

oval:org.secpod.oval:def:1800772
The gmp plugin in strongSwan before 5.6.0 allows remote attackers to cause a denial of service via a crafted RSA signature. Fixed In Version: strongswan 5.6.0

oval:org.secpod.oval:def:1800180
A Subversion client sometimes connects to URLs provided by the repository. This happens in two primary cases: during "checkout", "export", "update", and "switch", when the tree being downloaded contains svn:externals properties; and when using "svnsync sync" with one URL argument. A maliciously constru ...

oval:org.secpod.oval:def:1800051
A Subversion client sometimes connects to URLs provided by the repository. This happens in two primary cases: during "checkout", "export", "update", and "switch", when the tree being downloaded contains svn:externals properties; and when using "svnsync sync" with one URL argument. A maliciously constr ...

oval:org.secpod.oval:def:1800760
CVE-2016-0736: Padding Oracle in Apache mod_session_crypto. Affects: 2.4.1 to 2.4.23 Fixed in: 2.4.25

oval:org.secpod.oval:def:1800098
CVE-2017-9611: The Ins_MIRP function in base/ttinterp.c in Artifex Ghostscript GhostXPS 9.21 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document.

oval:org.secpod.oval:def:1800273
CVE-2017-11406: DOCSIS infinite loop Affected versions: 2.2.0 to 2.2.7, 2.0.0 to 2.0.13 Fixed versions: 2.2.8, 2.0.14

oval:org.secpod.oval:def:1800873
JasPer 2.0.12 is vulnerable to a NULL pointer exception in the function jp2_encode which failed to check to see if the image contained at least one component resulting in a denial-of-service.

oval:org.secpod.oval:def:1800743
The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.

oval:org.secpod.oval:def:1800023
CVE-2017-10684, CVE-2017-10685: In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.

oval:org.secpod.oval:def:1800127
CVE-2017-10684, CVE-2017-10685: In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.

oval:org.secpod.oval:def:1800128
The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.

oval:org.secpod.oval:def:1800920
Mitigate a flush+reload side-channel attack on RSA secret keys dubbed "Sliding right into disaster". For details see [CVE-2017-7526]. Looks like libgcrypt needs to be fixed in stable branches.

oval:org.secpod.oval:def:1800802
Mitigate a flush+reload side-channel attack on RSA secret keys dubbed "Sliding right into disaster". For details see [CVE-2017-7526]. Looks like libgcrypt needs to be fixed in stable branches.

oval:org.secpod.oval:def:1800749
CVE-2017-9022: Insufficient validation of RSA public keys passed to the gmp plugin. RSA public keys passed to the gmp plugin aren't validated sufficiently before attempting signature verification, so that invalid input might lead to a floating point exception and crash of the process. A certificate ...

oval:org.secpod.oval:def:1800852
CVE-2017-9343: MSNIP dissector crash Affected versions: 2.2.0 to 2.2.6, 2.0.0 to 2.0.12 Fixed versions: 2.2.7, 2.0.13 Reference CVE-2017-9344: BT L2CAP dissector divide by zero Affected versions: 2.2.0 to 2.2.6, 2.0.0 to 2.0.12 Fixed versions: 2.2.7, 2.0.13 Reference CVE-2017-9345: DNS dissector inf ...

oval:org.secpod.oval:def:1800138
CVE-2017-9343: MSNIP dissector crash. Affected versions: 2.2.0 to 2.2.6, 2.0.0 to 2.0.12 Fixed versions: 2.2.7, 2.0.13 Reference: CVE-2017-9344: BT L2CAP dissector divide by zero. Affected versions: 2.2.0 to 2.2.6, 2.0.0 to 2.0.12 Fixed versions: 2.2.7, 2.0.13 Reference: CVE-2017-9345: DNS dissector ...

oval:org.secpod.oval:def:1800732
Two errors in the "asn1_find_node" function within GnuTLS libtasn1 version 4.10 can be exploited to cause a stack-based buffer overflow by tricking a user into processing a specially crafted assignments file via e.g. the asn1Coding utility.

oval:org.secpod.oval:def:1800067
The issue can be exploited to trigger an out of bounds write on 64-bit systems.

oval:org.secpod.oval:def:1800019
The issue can be exploited to trigger an out of bounds write on 64-bit systems.

oval:org.secpod.oval:def:1800756
WeeChat before 1.7.1 allows a remote crash by sending a filename via DCC to the IRC plugin. This occurs in the irc_ctcp_dcc_filename_without_quotes function during quote removal, with a buffer overflow.

oval:org.secpod.oval:def:1800261
Fixed a bug where HKDF would return an empty byte-string if used with a length less than algorithm.digest_size. Fixed In Version py-cryptography 1.5.3 Reference Patch

oval:org.secpod.oval:def:1800791
In PuTTY before 0.68, if SSH agent forwarding is enabled, local attackers that are also able to connect to the UNIX domain socket could have overwritten heap data. Fixed in version putty 0.68

oval:org.secpod.oval:def:1800849
CVE-2017-6311: NULL dereference on gdk-pixbuf thumbnailer.

oval:org.secpod.oval:def:1800909
CVE-2017-6311: NULL dereference on gdk-pixbuf thumbnailer

oval:org.secpod.oval:def:1800187
CVE-2017-5024 A heap overflow flaw was found in FFmpeg Fixed in 3.0.7 CVE-2017-5025 A heap overflow flaw was found in FFmpeg Fixed in 3.0.7 3.0.5 Fixes following vulnerabilities: CVE-2016-10190, CVE-2016-10191, CVE-2016-10192, 3.0.4 Fixes following vulnerabilities: CVE-2016-5199, CVE-2016-7450, CV ...

oval:org.secpod.oval:def:1800739
CVE-2016-8568: Read out-of-bounds in git_oid_nfmt. Reference: CVE-2016-8569: DoS using a null pointer dereference in git_commit_message. Reference:

oval:org.secpod.oval:def:1800156
CVE-2016-7922. The AH parser in tcpdump before 4.9.0 has a buffer overflow in print-ah.c:ah_print. CVE-2016-7923. The ARP parser in tcpdump before 4.9.0 has a buffer overflow in print-arp.c:arp_print. CVE-2016-7924. The ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-atm.c:oam_p ...

oval:org.secpod.oval:def:1800899
CVE-2016-7922 The AH parser in tcpdump before 4.9.0 has a buffer overflow in print-ah.c:ah_print. CVE-2016-7923 The ARP parser in tcpdump before 4.9.0 has a buffer overflow in print-arp.c:arp_print. CVE-2016-7924 The ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-atm.c:oam_prin ...

oval:org.secpod.oval:def:1800197
Shells running as root inherited PS4 from the environment, allowing PS4 expansion performing command substitution. Local attacker could gain arbitrary code execution via bogus setuid binaries using system/popen by specially crafting SHELLOPTS+PS4 environment variables. Fixed In Version bash 4.4

oval:org.secpod.oval:def:1800911
CVE-2016-9811: The windows_icon_typefind function in gst-plugins-base in GStreamer before 1.10.2, when G_SLICE is set to always-malloc, allows remote attackers to cause a denial of service via a crafted ico file.

oval:org.secpod.oval:def:1800063
Insufficient validation of data from the X server can cause a one byte buffer read underrun. Affected versions libxvmc Fixed In Version libxvmc 1.0.10 Reference Patch

oval:org.secpod.oval:def:1800174
CVE-2016-7951: Insufficient validation of server responses result in Integer overflows CVE-2016-7952: Insufficient validation of server responses result in various data mishandlings Fixed In Version libXtst 1.2.3 Reference Patch

oval:org.secpod.oval:def:1800740
When receiving a response from the server protocol data is not validated sufficiently. The 32 bit field "rep.length" is not checked for validity, which allows an integer overflow on 32 bit systems. A malicious server could send INT_MAX as length, which gets multiplied by the size of XRectangle. In t ...

oval:org.secpod.oval:def:1800874
CVE-2016-7945: Insufficient validation of server responses result in Integer overflows CVE-2016-7946: Insufficient validation of server responses result in various data mishandlings Affected versions libXi Fixed In Version libXi 1.7.7

oval:org.secpod.oval:def:1800878
CVE-2016-7942: Insufficient validation of server responses in XGetImage CVE-2016-7943: Insufficient validation of server responses in FontNames Fixed In Version: libX11 1.6.4 Affected versions: libX11

oval:org.secpod.oval:def:1800825
When receiving a response from the server protocol data is not validated sufficiently. The 32 bit field "rep.length" is not checked for validity, which allows an integer overflow on 32 bit systems. A malicious server could send INT_MAX as length, which gets multiplied by the size of XRectangle. In t ...

oval:org.secpod.oval:def:1800748
A design flaw was found in the libgcrypt PRNG. An attacker who can obtain the first 580 bytes of the PRNG output can trivially predict the following 20 bytes. Fixed In Version: libgcrypt 1.7.3, libgcrypt 1.6.6, libgcrypt 1.5.6, gnupg 1.4.21

oval:org.secpod.oval:def:1800807
Insufficient validation of data from the X server can cause out of boundary memory and memory corruption. Affected versions libXv Fixed In Version libXv 1.0.11

oval:org.secpod.oval:def:1800851
CVE-2016-5010: Out-of-bounds read when processing crafted tiff file. Fixed In Version: ImageMagick 6.9.5-3

oval:org.secpod.oval:def:1800798
CVE-2016-9013: User with hardcoded password created when running tests on Oracle. When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the database settings TEST dictionary, a hardcoded password is used. Thi ...

oval:org.secpod.oval:def:1800119
CVE-2016-9374: AllJoyn crash. Affected versions: 2.2.0 to 2.2.1, 2.0.0 to 2.0.7 Fixed versions: 2.2.2, 2.0.8 Reference: CVE-2016-9376: OpenFlow crash. Affected versions: 2.2.0 to 2.2.1, 2.0.0 to 2.0.7 Fixed versions: 2.2.2, 2.0.8 Reference: CVE-2016-9373: DCERPC crash. Affected versions: 2.2.0 to 2. ...

oval:org.secpod.oval:def:1800793
When a string is passed in to ares_create_query or ares_mkquery and uses an escaped trailing dot, like "hello\.", c-ares calculates the string length wrong and subsequently writes outside of the allocated buffer with one byte. The wrongly written byte is the least significant byte of the "dnsclass" ...

oval:org.secpod.oval:def:1800716
CVE-2016-7175: QNX6 QNET dissector crash. Affected versions: 2.0.0 to 2.0.5 Fixed versions: 2.0.6 Reference: CVE-2016-7176: H.225 dissector crash. Affected versions: 2.0.0 to 2.0.5 Fixed versions: 2.0.6 Reference: CVE-2016-7177: Catapult DCT2000 dissector crash. Affected versions: 2.0.0 to 2.0.5 Fix ...

oval:org.secpod.oval:def:1800787
CVE-2016-6263: Crash when given invalid UTF-8 data on input CVE-2015-8948: Out-of-bounds read due to use of fgets with fixed-size buffer CVE-2016-6262: Out-of-bounds read when reading zero byte as input CVE-2016-6261: Out of bounds stack read in idna_to_ascii_4i Fixed In Version libidn 1.33

oval:org.secpod.oval:def:1800159
A heap overflow in collectd's network plugin which can be triggered remotely and is potentially exploitable. Fixed In Version collectd 5.5.2, collectd 5.4.3

oval:org.secpod.oval:def:1800801
libcurl built on top of NSS incorrectly re-used client certificates if a certificate from file was used for one TLS connection but no certificate set for a subsequent TLS connection. While the symptoms are similar to CVE-2016-5420, this vulnerability was caused by an implementation detail of the N ...

oval:org.secpod.oval:def:1800139
libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate. libcurl s ...

oval:org.secpod.oval:def:1800177
CVE-2016-6512: MMSE, WAP, WBXML, and WSP infinite loop. Affected versions: 2.0.0 to 2.0.4 Fixed versions: 2.0.5

oval:org.secpod.oval:def:1800140
CVE-2016-6505: PacketBB crash. Affected versions: 2.0.0 to 2.0.4, 1.12.0 to 1.12.12. Fixed versions: 2.0.5, 1.12.13. Reference: CVE-2016-6506: WSP infinite loop. Affected versions: 2.0.0 to 2.0.4, 1.12.0 to 1.12.12. Fixed versions: 2.0.5, 1.12.13. Reference: CVE-2016-6508: RLC long loop. Affected ver ...

oval:org.secpod.oval:def:1800838
Unsafe usage of JavaScript's Element.innerHTML could result in XSS in the admin's add/change related popup. Element.textContent is now used to prevent execution of the data. The debug view also used innerHTML. Although a security issue wasn't identified there, out of an abundance of caution it's als ...

oval:org.secpod.oval:def:1800065
Unsafe usage of JavaScript's Element.innerHTML could result in XSS in the admin's add/change related popup. Element.textContent is now used to prevent execution of the data. The debug view also used innerHTML. Although a security issue wasn't identified there, out of an abundance of caution it's als ...

oval:org.secpod.oval:def:1800630
The process_db_args function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 through 1.13.4 and 1.14.x through 1.14.1 mishandles the DB argument, which allows remote authenticated users to cause a denial of service via a crafted request to modif ...

oval:org.secpod.oval:def:1800717
The validate_as_request function in kdc_util.c in the Key Distribution Center in MIT Kerberos 5 before 1.13.6 and 1.4.x before 1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect client data structure, which allows remote authenticated users to cause a denial of service via an S4 ...

oval:org.secpod.oval:def:1800209
The validate_as_request function in kdc_util.c in the Key Distribution Center in MIT Kerberos 5 before 1.13.6 and 1.4.x before 1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect client data structure, which allows remote authenticated users to cause a denial of service via an S4 ...

oval:org.secpod.oval:def:1800085
The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode through 57.1 for C/C++ does not ensure that there is a "\0" character at the end of a certain temporary array, which allows remote attackers to cause a denial of service or possibly have unspecified ...

oval:org.secpod.oval:def:1800150
The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode through 57.1 for C/C++ does not ensure that there is a "\0" character at the end of a certain temporary array, which allows remote attackers to cause a denial of service or possibly have unspecified ...

oval:org.secpod.oval:def:1800074
The Apache HTTPD web server did not validate a X509 client certificate correctly when experimental module for the HTTP/2 protocol is used to access a resource. The net result is that a resource that should require a valid client certificate in order to get access can be accessed without that creden ...

oval:org.secpod.oval:def:1800082
This issue was introduced in version 1.6.0 of HAProxy. Reference patch

oval:org.secpod.oval:def:1800222
This issue was introduced in version 1.6.0 of HAProxy.

oval:org.secpod.oval:def:1800875
CVE-2016-1660: Out-of-bounds write in Blink. CVE-2016-1661: Memory corruption in cross-process frames. CVE-2016-1662: Use-after-free in extensions. CVE-2016-1663: Use-after-free in Blink's V8 bindings. CVE-2016-1664: Address bar spoofing. CVE-2016-1665: Information leak in V8. CVE-2016-1666: Various ...

oval:org.secpod.oval:def:1800814
CVE-2016-1651: out-of-bounds read in Pdfium JPEG2000 decoding CVE-2016-1652: Universal XSS in extension bindings. CVE-2016-1653: Out-of-bounds write in V8. CVE-2016-1654: Uninitialized memory read in media. CVE-2016-1655: Use-after-free related to extensions. CVE-2016-1656: Android downloaded file p ...

oval:org.secpod.oval:def:1800025
CVE-2016-2167: svnserve/sasl may authenticate users using the wrong realm. svnserve, the svn:// protocol server, can optionally use the Cyrus SASL library for authentication, integrity protection, and encryption. Due to a programming oversight, authentication against Cyrus SASL would permit the remot ...

oval:org.secpod.oval:def:1800112
CVE-2015-3223: libldb: Remote DoS in Samba LDAP server. All versions of Samba from 4.0.0 to 4.3.2 inclusive are vulnerable to a denial of service attack in the samba daemon LDAP server. Fixed In Version: ldb 1.1.24 CVE-2015-5252: Insufficient symlink verification in smbd. All versions of Samba from ...

oval:org.secpod.oval:def:1800429
The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in the VPNv4 NLRI parser in bgpd in Quagga before 1.0.20160309, when a certain VPNv4 configuration is used, relies on a Labeled-VPN SAFI routes-data length field during a data copy, which allows remote attackers to execute arbitrary code or cause a ...

oval:org.secpod.oval:def:1800441
CVE-2017-17083: NetBIOS dissector crash Affected versions: 2.4.0 to 2.4.2, 2.2.0 to 2.2.10 Fixed versions: 2.4.3, 2.2.11

oval:org.secpod.oval:def:1800521
CVE-2017-15191: DMP dissector crash. Affected versions: 2.4.0 to 2.4.1, 2.2.0 to 2.2.9, 2.0.0 to 2.0.15 Fixed versions: 2.4.2, 2.2.10, 2.0.16

oval:org.secpod.oval:def:1800592
CVE-2017-13765: IrCOMM dissector buffer overrun. Affected versions: 2.4.0, 2.2.0 to 2.2.8, 2.0.0 to 2.0.14 Fixed versions: 2.4.1, 2.2.9, 2.0.15

oval:org.secpod.oval:def:1800539
Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key, related to cipher/ecc.c and mpi/ec.c.

oval:org.secpod.oval:def:1800614
A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root. Affecte ...

oval:org.secpod.oval:def:1800407
A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root. Affecte ...

oval:org.secpod.oval:def:1800403
CVE-2017-11406: DOCSIS infinite loop Affected versions: 2.2.0 to 2.2.7, 2.0.0 to 2.0.13 Fixed versions: 2.2.8, 2.0.14

oval:org.secpod.oval:def:1800340
CVE-2017-7700: NetScaler file parser infinite loop. Affected versions: 2.2.0 to 2.2.5, 2.0.0 to 2.0.11 Fixed versions: 2.2.6, 2.0.12

oval:org.secpod.oval:def:1800307
CVE-2017-7700: NetScaler file parser infinite loop Affected versions: 2.2.0 to 2.2.5, 2.0.0 to 2.0.11 Fixed versions: 2.2.6, 2.0.12

oval:org.secpod.oval:def:1800386
CVE-2016-7957: Bluetooth L2CAP dissector crash Affected versions: 2.2.0 Fixed versions: 2.2.1 Reference CVE-2016-7958: NCP dissector crash Affected versions: 2.2.0 Fixed versions: 2.2.1 Reference CVE-2016-9372: Profinet I/O long loop Affected versions: 2.2.0 to 2.2.1 Fixed versions: 2.2.2 Reference ...

oval:org.secpod.oval:def:1800644
In PuTTY before 0.68, if SSH agent forwarding is enabled, local attackers that are also able to connect to the UNIX domain socket could have overwritten heap data Fixed In Version: putty 0.68

oval:org.secpod.oval:def:1800638
CVE-2017-5596: ASTERIX infinite loop. Affected versions: 2.2.0 to 2.2.3, 2.0.0 to 2.0.9 Fixed versions: 2.2.4, 2.0.10 Reference: CVE-2017-5597: DHCPv6 large loop. Affected versions: 2.2.0 to 2.2.3, 2.0.0 to 2.0.9 Fixed versions: 2.2.4, 2.0.10 Reference:

oval:org.secpod.oval:def:1800563
CVE-2017-5596: ASTERIX infinite loop Affected versions: 2.2.0 to 2.2.3, 2.0.0 to 2.0.9 Fixed versions: 2.2.4, 2.0.10 Reference CVE-2017-5597: DHCPv6 large loop Affected versions: 2.2.0 to 2.2.3, 2.0.0 to 2.0.9 Fixed versions: 2.2.4, 2.0.10 Reference

oval:org.secpod.oval:def:1800548
libbsd 0.8.1 and earlier contains a buffer overflow in the function fgetwln. An if checks if it is necessary to reallocate memory in the target buffer. However this check is off by one, therefore an out of bounds write happens. Fixed In Version: libbsd 0.8.2

oval:org.secpod.oval:def:1800504
CVE-2016-6505: PacketBB crash Affected versions: 2.0.0 to 2.0.4, 1.12.0 to 1.12.12 Fixed versions: 2.0.5, 1.12.13 Reference CVE-2016-6506: WSP infinite loop Affected versions: 2.0.0 to 2.0.4, 1.12.0 to 1.12.12 Fixed versions: 2.0.5, 1.12.13 Reference CVE-2016-6508: RLC long loop Affected versions: 2. ...

oval:org.secpod.oval:def:1800315
CVE-2017-17997: MRDISC dissector crash Affected versions: 2.2.0 to 2.2.11 Fixed versions: 2.2.12

oval:org.secpod.oval:def:1800582
parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a "%" character in a DTD name. Fixed In Version: libxml2 2.9.5

oval:org.secpod.oval:def:1800669
parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a "%" character in a DTD name. Fixed In Version libxml2 2.9.5

oval:org.secpod.oval:def:1800858
CVE-2016-1285: An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c. Versions affected: 9.2.0 -

oval:org.secpod.oval:def:1800751
CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP CVE-2017-5401: Memory Corruption when handling ErrorResult CVE-2017-5402: Use-after-free working with events in FontFace objects CVE-2017-5404: Use-after-free working with ranges in selections CVE-2017-5407: Pixel and history stealing via floati ...

oval:org.secpod.oval:def:1800704
CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP CVE-2017-5376: Use-after-free in XSL CVE-2017-5378: Pointer and frame data leakage of Javascript objects CVE-2017-5380: Potential use-after-free durin ...

oval:org.secpod.oval:def:1800800
CVE-2016-2179 The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service by maintaining many crafted DTLS sessions simultaneously, related to d1_lib ...

oval:org.secpod.oval:def:1800922
CVE-2016-9131: A malformed response to an ANY query can cause an assertion failure during recursion. A malformed query response received by a recursive server in response to a query of RTYPE ANY could trigger an assertion failure while named is attempting to add the RRs in the query response to the ...

oval:org.secpod.oval:def:1800093
CVE-2016-2179: The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service by maintaining many crafted DTLS sessions simultaneously, related to d1_li ...

oval:org.secpod.oval:def:1800295
During processing of a recursive response that contains a DNAME record in the answer section, BIND can stop execution after encountering an assertion error in resolver.c failed"(error message: "REQUIRE0(0

oval:org.secpod.oval:def:1800084
CVE: none assigned, XSA-207: memory leak when destroying guest without PT devices Reference: CVE-2017-2615, XSA-208: oob access in cirrus bitblt copy Reference: CVE-2017-2620, XSA-209: cirrus_bitblt_cputovideo does not check if memory region is safe Reference:

oval:org.secpod.oval:def:1800190
CVE-2016-4962, XSA-175: Unsanitised guest input in libxl device handling code. CVE-2016-4480, XSA-176: x86 software guest page walk PS bit handling flaw. CVE-2016-4963, XSA-178: Unsanitised driver domain input in libxl device handling. CVE-2016-3710 CVE-2016-3712, XSA-179: QEMU: Banked access to VGA ...

oval:org.secpod.oval:def:1800268
CVE-2016-3157, XSA-171: I/O port access privilege escalation in x86-64 Linux IRET and POPF do not modify EFLAGS.IOPL when executed by code at a privilege level other than zero. Since PV Xen guests run at privilege level 3, to compensate for this the context switching of EFLAGS.IOPL requires the gue ...

oval:org.secpod.oval:def:1800257
Mozilla Network Security Services before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging incorrect base64 operations.

oval:org.secpod.oval:def:1800280
When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD source code. On this hardcoded password structure the password hash is based on the BLOWFISH algorithm. If real users' passwords are hashed using SHA256/SHA512, then sending large passwor ...

oval:org.secpod.oval:def:1800285
CVE-2016-3477: MariaDB 5.5.50, MariaDB 10.1.16 CVE-2016-3521: MariaDB 5.5.50, MariaDB 10.1.16 CVE-2016-3615: MariaDB 5.5.50, MariaDB 10.1.16 CVE-2016-5440: MariaDB 5.5.50, MariaDB 10.1.16 Reference: CVE-2016-6662: MariaDB 5.5.51, MariaDB 10.1.17. Reference: v3.4 should upgrade to 10.1.17

oval:org.secpod.oval:def:1800696
CVE-2016-9386, XSA-191: x86 null segments not always treated as unusable Reference CVE-2016-9382, XSA-192: x86 task switch to VM86 mode mis-handled Reference CVE-2016-9385, XSA-193: x86 segment base write emulation lacking canonical address checks Reference CVE-2016-9384, XSA-194: guest 32-bit ELF s ...

oval:org.secpod.oval:def:1800470
The Apache HTTPD web server did not validate a X509 client certificate correctly when experimental module for the HTTP/2 protocol is used to access a resource. The net result is that a resource that should require a valid client certificate in order to get access can be accessed without that creden ...

oval:org.secpod.oval:def:1800477
CVE-2016-9932, XSA-200: x86 CMPXCHG8B emulation fails to ignore operand size override Reference:

oval:org.secpod.oval:def:1800783
A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria. This assertion can be triggered even if the apparent source address isn't allowed to make queries. Affected versions ...

oval:org.secpod.oval:def:1800664
Xen 4.7.x and earlier does not properly honor CR0.TS and CR0.EM, which allows local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it. Reference:

oval:org.secpod.oval:def:1800306
CVE-2016-9386, XSA-191: x86 null segments not always treated as unusable. Reference: CVE-2016-9382, XSA-192: x86 task switch to VM86 mode mis-handled. Reference: CVE-2016-9385, XSA-193: x86 segment base write emulation lacking canonical address checks. Reference: CVE-2016-9383, XSA-195: x86 64-bit b ...

oval:org.secpod.oval:def:1800560
flex incorrectly resized the num_to_read variable in yy_get_next_buffer. The buffer is resized if this value is less or equal to zero. With special crafted input it is possible, that the buffer is not resized if the input is larger than the default buffer size of 16k. This allows a heap buffer overf ...

oval:org.secpod.oval:def:1800937
CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc template filters. The django.utils.html.urlize function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions. The urlize function is used to implement the ...

oval:org.secpod.oval:def:1800604
The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted mp4 file.

oval:org.secpod.oval:def:1800304
CVE-2017-5846: The gst_asf_demux_process_ext_stream_props function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer before 1.10.3 allows remote attackers to cause a denial of service via vectors related to the number of languages in a video file.

oval:org.secpod.oval:def:1800556
CVE-2017-11112: In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data. Fixed In Version ncurses 6.0-20170701

oval:org.secpod.oval:def:1800622
CVE-2017-9078 - The server in Dropbear before 2017.75 might allow post-authentication root remote code execution because of a double free in cleanup of TCP listeners when the -a option is enabled. CVE-2017-9079 - Dropbear before 2017.75 might allow local users to read certain files as root, if the fi ...

oval:org.secpod.oval:def:1800518
Incorrect SASL authentication in the Charybdis IRC server may lead to users impersonating other users. Fixed in version 3.5.3 Reference Patch

oval:org.secpod.oval:def:1800374
Incorrect SASL authentication in the Charybdis IRC server may lead to users impersonating other users. Fixed In Version: 3.5.3.

oval:org.secpod.oval:def:1800540
CVE-2017-7401: Incorrect interaction of the parse_packet and parse_part_sign_sha256 functions in network.c in collectd 5.7.1 and earlier allows remote attackers to cause a denial of service of a collectd instance via a crafted UDP packet.

oval:org.secpod.oval:def:1800651
Insufficient validation of data from the X server can cause a one byte buffer read underrun. Affected versions: libxvmc Fixed In Version: libxvmc 1.0.10.

oval:org.secpod.oval:def:1800435
CVE-2017-9078 - The server in Dropbear before 2017.75 might allow post-authentication root remote code execution because of a double free in cleanup of TCP listeners when the -a option is enabled. CVE-2017-9079 - Dropbear before 2017.75 might allow local users to read certain files as root, if the fil ...

oval:org.secpod.oval:def:1800525
CVE-2016-9809: Off-by-one read in gst_h264_parse_set_caps Off-by-one error in the gst_h264_parse_set_caps function in GStreamer before 1.10.2 allows remote attackers to have unspecified impact via a crafted file, which triggers an out-of-bounds read.

oval:org.secpod.oval:def:1800602
Libass released a new 0.13.4 version which fixes multiple issues. CVE-2016-7969: Patch CVE-2016-7970 Patch CVE-2016-7972 Patch Reference

oval:org.secpod.oval:def:1800373
CVE-2016-7951: Insufficient validation of server responses result in Integer overflows CVE-2016-7952: Insufficient validation of server responses result in various data mishandlings Fixed In Version: libXtst 1.2.3.

oval:org.secpod.oval:def:1800395
CVE-2016-9809: Off-by-one read in gst_h264_parse_set_caps Off-by-one error in the gst_h264_parse_set_caps function in GStreamer before 1.10.2 allows remote attackers to have unspecified impact via a crafted file, which triggers an out-of-bounds read.

oval:org.secpod.oval:def:1800576
Libass released a new 0.13.4 version which fixes multiple issues. CVE-2016-7969: Patch: CVE-2016-7970 Patch: CVE-2016-7972 Patch: Reference:

oval:org.secpod.oval:def:1800335
Insufficient validation of data from the X server can cause out of boundary memory and memory corruption. Affected versions: libXv Fixed In Version: libXv 1.0.11

oval:org.secpod.oval:def:1800443
OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution. Fixed In Version openvpn 2.3.18, openvpn 2.4.4

oval:org.secpod.oval:def:1800438
CVE-2017-5192: local_batch client external authentication not respected The `LocalClient.cmd_batch` method client does not accept `external_auth` credentials and so access to it from salt-api has been removed for now. This vulnerability allows code execution for already-authenticated users and is o ...

oval:org.secpod.oval:def:1800516
Many software projects and vendors have implemented support for the Proxy request header in their respective CGI implementations and languages by creating the HTTP_PROXY environmental variable based on the header value. When this variable is used any outgoing requests generated in turn from the att ...

oval:org.secpod.oval:def:1800332
Many software projects and vendors have implemented support for the Proxy request header in their respective CGI implementations and languages by creating the HTTP_PROXY environmental variable based on the header value. When this variable is used any outgoing requests generated in turn from the att ...

oval:org.secpod.oval:def:1800611
CVE-2016-10128: smart_pkt: verify packet length exceeds PKT_LEN_SIZE. Fixed In Version: libgit2 0.25.1, libgit2 0.24.6

oval:org.secpod.oval:def:1800628
CVE-2016-7949: Insufficient validation of server responses results in overflow of previously reserved memory. Affected version: libXrender Fixed In Version: libXrender 0.9.10 CVE-2016-7950: Insufficient validation of server responses results out-of-bounds write in XRenderQueryFilters. Affected vers ...

oval:org.secpod.oval:def:1800327
The III_i_stereo function in libmpg123/layer3.c in mpg123 through 1.25.1 allows attackers to cause a denial of service via a crafted audio file that is mishandled in the code for the "block_type != 2" case, a similar issue to CVE-2017-9870. Fixed In Version mpg123 1.25.2

oval:org.secpod.oval:def:1800317
CVE-2016-7949: Insufficient validation of server responses results in overflow of previously reserved memory Affected version libXrender Fixed In Version libXrender 0.9.10 Reference Patch CVE-2016-7950: Insufficient validation of server responses results out-of-bounds write in XRenderQueryFilters Af ...

oval:org.secpod.oval:def:1800625
An error within the "tar_directory_for_file" function in GNOME Structured File Library before 1.14.41 can be exploited to trigger a Null pointer dereference and subsequently cause a crash via a crafted TAR file. Fixed In Version: libgsf 1.14.41.

oval:org.secpod.oval:def:1800392
If the lightweight resolver is asked to resolve a query name which, when combined with a search list entry, exceeds the maximum allowable length, the server can terminate due to an error. Fixed In Version: bind 9.9.9-P2, bind 9.10.4-P2, bind 9.11.0b2, bind 9.9.9-S3

oval:org.secpod.oval:def:1800462
CVE-2016-7945: Insufficient validation of server responses result in Integer overflows CVE-2016-7946: Insufficient validation of server responses result in various data mishandlings Affected versions: libXi Fixed In Version: libXi 1.7.7

oval:org.secpod.oval:def:1800464
A heap overflow in collectd's network plugin which can be triggered remotely and is potentially exploitable. Fixed In Version: collectd 5.5.2, collectd 5.4.3

oval:org.secpod.oval:def:1800456
CVE-2016-7947: Insufficient validation of server responses result in Integer overflows CVE-2016-7948: Insufficient validation of server responses result in various data mishandlings Affected versions libXrandr Fixed In Version libXrandr 1.5.1 Reference

oval:org.secpod.oval:def:1800578
If the lightweight resolver is asked to resolve a query name which, when combined with a search list entry, exceeds the maximum allowable length, the server can terminate due to an error. Fixed In Version bind 9.9.9-P2, bind 9.10.4-P2, bind 9.11.0b2, bind 9.9.9-S3

oval:org.secpod.oval:def:1800591
CVE-2016-6606: Weakness with cookie encryption. All 4.6.x versions, 4.4.x versions, and 4.0.x versions are affected. Upgrade to phpMyAdmin 4.6.4, 4.4.15.8, 4.0.10.17, or newer or apply patch. CVE-2016-6607: Multiple XSS vulnerabilities. All 4.6.x versions, 4.4.x versions, and 4.0.x versions ar ...

oval:org.secpod.oval:def:1800598
CVE-2016-5702: Cookie attribute injection attack. Affected Versions. All 4.6.x versions are affected Upgrade to phpMyAdmin 4.6.3 or newer Reference: CVE-2016-5704: XSS on table structure page. Affected Versions. All 4.6.x versions are affected Upgrade to phpMyAdmin 4.6.3 or newer. Reference: CVE-2 ...

oval:org.secpod.oval:def:1800357
CVE-2016-9847: Unsafe generation of blowfish secret All 4.6.x versions, 4.4.x versions, and 4.0.x versions are affected Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply patch. Reference CVE-2016-9848: phpinfo information leak value of sensitive cookies All 4.6.x versions, 4 ...

oval:org.secpod.oval:def:1800425
musl 1.1.16 and previous are affected by CVE-2017-15650. The issue was resolved in 1.1.17 which is currently in the edge repository. The patch looks simple and is said to apply cleanly to "all recent versions". I suggest including the patch in all currently supported Alpine releases, assuming it doe ...

oval:org.secpod.oval:def:1800532
CVE-2016-9847: Unsafe generation of blowfish secret. All 4.6.x versions, 4.4.x versions, and 4.0.x versions are affected Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply patch. Reference: CVE-2016-9848: phpinfo information leak value of sensitive cookies. All 4.6.x versions ...

oval:org.secpod.oval:def:1800325
CVE-2017-9831: An integer overflow vulnerability in the ptp_unpack_EOS_CustomFuncEx function of the ptp-pack.c file of libmtp allows attackers to cause a denial of service or maybe remote code execution by inserting a mobile device into a personal computer through a USB cable. Fixed In Version lib ...

oval:org.secpod.oval:def:1800447
CVE-2016-7947: Insufficient validation of server responses result in Integer overflows CVE-2016-7948: Insufficient validation of server responses result in various data mishandlings Affected versions: libXrandr Fixed In Version: libXrandr 1.5.1 Reference:

oval:org.secpod.oval:def:1800528
Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic. Fixed In Version 6.0-20171125

oval:org.secpod.oval:def:1800569
Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic. Fixed In Version: 6.0-20171125

oval:org.secpod.oval:def:1800405
The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 allows remote attackers to cause a denial of service via BGP UPDATE messages, because AS_PATH size calculation for long paths counts certain bytes twice and consequently constructs an invalid message.

oval:org.secpod.oval:def:1800692
CVE-2017-5193: A NULL pointer dereference in the nickcmp function. CVE-2017-5194: Use after free when receiving invalid nick message. CVE-2017-5356: Out of bounds read when Printing the value. CVE-2017-5195: Out of bounds read in certain incomplete control codes. CVE-2017-5196: Out of bounds read in ...

oval:org.secpod.oval:def:1800369
The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 allows remote attackers to cause a denial of service via BGP UPDATE messages, because AS_PATH size calculation for long paths counts certain bytes twice and consequently constructs an invalid message.

oval:org.secpod.oval:def:1800350
The four libcurl functions curl_escape, curl_easy_escape, curl_unescape and curl_easy_unescape perform string URL percent escaping and unescaping. They accept custom string length inputs in signed integer arguments. Affected versions: libcurl 7.11.1 to and including 7.50.2 Not affected versions: li ...

oval:org.secpod.oval:def:1800593
CVE-2016-6263: Crash when given invalid UTF-8 data on input CVE-2015-8948: Out-of-bounds read due to use of fgets with fixed-size buffer CVE-2016-6262: Out-of-bounds read when reading zero byte as input CVE-2016-6261: Out of bounds stack read in idna_to_ascii_4i Fixed In Version: libidn 1.33

oval:org.secpod.oval:def:1800542
An attacker who learns the EdDSA session key from side-channel observation during the signing process, can easily recover the long-term secret key. Storing the session key in secure memory ensures that constant time point operations are used in the MPI library. Fixed In Version: libgcrypt 1.7.7 Refe ...

oval:org.secpod.oval:def:1800667
CVE-2018-1000024: Incorrect pointer handling when processing ESI Responses can lead to denial of service Due to incorrect pointer handling, Squid versions 3.x and 4.x are vulnerable to a denial of service attack when processing ESI responses. This problem allows a remote server delivering certain ...

oval:org.secpod.oval:def:1800305
The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service via a crafted time-stamp file that is mishandled by the "openssl ts" command.

oval:org.secpod.oval:def:1800410
RunC allowed additional container processes via `runc exec` to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modifi ...

oval:org.secpod.oval:def:1800416
CVE-2016-9131: A malformed response to an ANY query can cause an assertion failure during recursion A malformed query response received by a recursive server in response to a query of RTYPE ANY could trigger an assertion failure while named is attempting to add the RRs in the query response to the c ...

oval:org.secpod.oval:def:1800562
An attacker who learns the EdDSA session key from side-channel observation during the signing process, can easily recover the long-term secret key. Storing the session key in secure memory ensures that constant time point operations are used in the MPI library. Fixed In Version libgcrypt 1.7.7 Refer ...

oval:org.secpod.oval:def:1800687
CVE-2016-2569, CVE-2016-2570: some code paths fail to check bounds in string object CVE-2016-2571, CVE-2016-2572: wrong error handling for malformed HTTP responses. Affected versions: Squid 3.x -

oval:org.secpod.oval:def:1800555
CVE-2017-5193: A NULL pointer dereference in the nickcmp function. CVE-2017-5194: Use after free when receiving invalid nick message. CVE-2017-5356: Out of bounds read when Printing the value. CVE-2017-5195: Out of bounds read in certain incomplete control codes. CVE-2017-5196: Out of bounds read in ...

oval:org.secpod.oval:def:1800695
The libtasn1 library, in its 4.7 version, can loop for a long time or indefinitely when it is used to parse DER representations of X509 certificates, leading to a denial of service. Some of these loops may in addition increase heap or stack usage, leading to more issues. libtasn1 before version 4.8 ...

oval:org.secpod.oval:def:1800482
CVE-2017-15873: Integer overflow in the get_next_block function The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation.

oval:org.secpod.oval:def:1800620
CVE: none assigned, XSA-207: memory leak when destroying guest without PT devices Reference CVE-2017-2615, XSA-208: oob access in cirrus bitblt copy Reference CVE-2017-2620, XSA-209: cirrus_bitblt_cputovideo does not check if memory region is safe Reference

oval:org.secpod.oval:def:1800505
CVE-2016-5419: TLS session resumption client cert bypass. Fixed In Version: curl 7.50.1 CVE-2016-5420: Re-using connection with wrong client cert. Fixed In Version: curl 7.50.1 CVE-2016-5421: Use of connection struct after free. Fixed In Version: curl 7.50.1

oval:org.secpod.oval:def:1800506
CVE-2016-9013: User with hardcoded password created when running tests on Oracle. When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the database settings TEST dictionary, a hardcoded password is used. Th ...

oval:org.secpod.oval:def:1800606
CVE-2016-5419: TLS session resumption client cert bypass Fixed In Version curl 7.50.1 Reference Patch CVE-2016-5420: Re-using connection with wrong client cert Fixed In Version curl 7.50.1 Reference Patch CVE-2016-5421: Use of connection struct after free Fixed In Version curl 7.50.1

oval:org.secpod.oval:def:1800610
CVE-2017-3313: mariaDB 10.1.22 CVE-2017-3302: mariaDB 10.1.22 Reference

oval:org.secpod.oval:def:1800639
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.

oval:org.secpod.oval:def:1800402
A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria. This assertion can be triggered even if the apparent source address isn't allowed to make queries. Affected versions ...

oval:org.secpod.oval:def:1800637
All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition. Samba uses the real path system call to ensure when a client requests access to a pathname that it ...

oval:org.secpod.oval:def:1800380
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary p ...

oval:org.secpod.oval:def:1800382
CVE-2016-9893: Memory safety bugs CVE-2016-9895: CSP bypass using marquee tag CVE-2016-9897: Memory corruption in libGLES CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements CVE-2016-9900: Restricted e ...

oval:org.secpod.oval:def:1800371
An out of boundary write has been found in libXpm exploited by an attacker through maliciously crafted XPM files. Fixed In Version libxpm 3.5.12 Reference Upstream patch

oval:org.secpod.oval:def:1800397
CVE-2016-7440: mariadb 5.5.53, mariadb 10.1.19 CVE-2016-5584: mariadb 5.5.53, mariadb 10.1.19 Reference:

oval:org.secpod.oval:def:1800580
Integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library through 2.2.3, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted imagewebp and imagedestroy calls.

oval:org.secpod.oval:def:1800341
Stack-based buffer overflow in the Locale class in common/locid.cpp in International Components for Unicode through 57.1 for C/C++ allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long locale string. Fixed In Version icu 58.1

oval:org.secpod.oval:def:1800342
CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs CVE-2017-7234: Open redirect vulnerability in django.views.static.serve Fixed in py-django 1.10.7, 1.9.13, and 1.8.18

oval:org.secpod.oval:def:1800347
CVE-2016-6906: The read_image_tga function in gd_tga.c in the GD Graphics Library before 2.2.4 allows remote attackers to cause a denial of service via a crafted TGA file, related to the decompression buffer.

oval:org.secpod.oval:def:1800348
The vulnerability is caused due to an error in the "lha_read_file_header_1" function, which can be exploited to trigger an out-of-bounds read memory access via a specially crafted archive. Affected versions libarchive version 3.2.2. Other versions may also be affected. Reference Patch

oval:org.secpod.oval:def:1800699
CVE-2017-5006: Universal XSS in Blink. CVE-2017-5007: Universal XSS in Blink. CVE-2017-5008: Universal XSS in Blink. CVE-2017-5009: Out of bounds memory access in WebRTC. CVE-2017-5010: Universal XSS in Blink. CVE-2017-5011: Unauthorised file access in Devtools. CVE-2017-5012: Heap overflow in V8. CVE- ...

oval:org.secpod.oval:def:1800484
CVE-2016-9811: The windows_icon_typefind function in gst-plugins-base in GStreamer before 1.10.2, when G_SLICE is set to always-malloc, allows remote attackers to cause a denial of service via a crafted ico file.

oval:org.secpod.oval:def:1800486
libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate. libcurl s ...

oval:org.secpod.oval:def:1800351
A denial of service vulnerability was found in openssh. The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service via a long string.

oval:org.secpod.oval:def:1800472
It was reported that offsets contained in cache files aren't checked if they're in legal ranges or are pointers at all. The lack of validation allows an attacker to trigger arbitrary free calls, which in turn allows double free attacks and therefore arbitrary code execution. When used with setuid bi ...

oval:org.secpod.oval:def:1800300
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary p ...

oval:org.secpod.oval:def:1800426
CVE-2016-10217: The pdf14_open function in base/gdevp14.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service via a crafted file that is mishandled in the color management module.

oval:org.secpod.oval:def:1800427
The try_read_command function in memcached.c in memcached before 1.4.39 allows remote attackers to cause a denial of service via a request to add/set a key, which makes a comparison between signed and unsigned int and triggers a heap-based buffer over-read. NOTE: this vulnerability exists because o ...

oval:org.secpod.oval:def:1800529
The SCardReleaseContext function normally releases resources associated with the given handle and clients should cease using this handle. A malicious client can however make the daemon invoke SCardReleaseContext and continue issuing other commands that use "cardsList", resulting in a use-after-free ...

oval:org.secpod.oval:def:1800409
CVE-2017-5024 A heap overflow flaw was found in FFmpeg. Fixed in 3.2.4, 3.1.7 CVE-2017-5025 A heap overflow flaw was found in FFmpeg. Fixed in 3.2.4, 3.1.7

oval:org.secpod.oval:def:1800414
CVE-2016-8704: Server append/prepend remote code execution An integer overflow in the process_bin_append_prepend function which is responsible for processing multiple commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution. Fixed In Version memcac ...

oval:org.secpod.oval:def:1800657
Fixed in: Firefox ESR 45.4 CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString. An out-of-bounds write of a boolean value during text conversion with some unicode characters. [1291016] CVE-2016-5272 - Bad cast in nsImageGeometryMixin. A bad cast when processing lay ...

oval:org.secpod.oval:def:1800674
CVE-2016-7799: Mogrify buffer over-read in profile.c CVE-2016-7906: Mogrify heap-use-after-free in attribute.c.

oval:org.secpod.oval:def:1800319
Stack-based buffer overflow in the Locale class in common/locid.cpp in International Components for Unicode through 57.1 for C/C++ allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long locale string. Fixed In Version: icu 58.1

oval:org.secpod.oval:def:1800618
Shells running as root inherited PS4 from the environment, allowing PS4 expansion performing command substitution. Local attacker could gain arbitrary code execution via bogus setuid binaries using system/popen by specially crafting SHELLOPTS+PS4 environment variables. Fixed In Version: bash 4.4

oval:org.secpod.oval:def:1800502
A vulnerability was found in popd. It can be tricked to free a user supplied address in the following way: $ popd +-111111 This could be used to bypass restricted shells on some environments to cause use-after-free. Reference Patch

oval:org.secpod.oval:def:1800503
CVE-2017-9022: Insufficient validation of RSA public keys passed to the gmp plugin RSA public keys passed to the gmp plugin aren't validated sufficiently before attempting signature verification, so that invalid input might lead to a floating point exception and crash of the process. A certificate w ...

oval:org.secpod.oval:def:1800613
There were two bugs in curl's parser for the command line option --write-out that would skip the end of string zero byte if the string ended in a % or \, and it would read beyond that buffer in the heap memory and it could then potentially output pieces of that memory to the terminal or the targe ...

oval:org.secpod.oval:def:1800616
Improper sequencing during cleanup operations of upstream recursion fetch contexts in BIND can lead to a use-after-free error, triggering an assertion failure and crash in named. Affected BIND versions acting as DNSSEC validating resolvers are currently known to crash with an assertion failure in ne ...

oval:org.secpod.oval:def:1800643
All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.

oval:org.secpod.oval:def:1800404
An integer overflow vulnerability in nginx range filter module in ngx_ function was found, potentially resulting in memory disclosure when used with 3rd party modules. Issue can be triggered by specially crafted http range request resulting into leaking the content of the cache file header. Affected ...

oval:org.secpod.oval:def:1800406
An exploitable stack based buffer overflow vulnerability exists in the GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability. Fixed In Vers ...

oval:org.secpod.oval:def:1800527
CVE-2017-12893: Buffer over-read in smbutil.c:name_len in SMB/CIFS parser CVE-2017-12894: Buffer over-read in addrtoname.c:lookup_bytestring CVE-2017-12895: Buffer over-read in print-icmp.c:icmp_print in ICMP parser CVE-2017-12896: Buffer over-read in print-isakmp.c:isakmp_rfc3948_print in ISAKMP pa ...

oval:org.secpod.oval:def:1800508
An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or url to trigger this vulnerability. Fixed in Gd ...

oval:org.secpod.oval:def:1800631
spice versions through 0.13 are vulnerable to out-of-bounds memory access when processing specially crafted messages from an authenticated attacker to the spice server, resulting in a crash and/or server memory leak.

oval:org.secpod.oval:def:1800632
CVE-2017-8361: The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted audio file. CVE-2017-8362: The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers t ...

oval:org.secpod.oval:def:1800605
All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to corr ...

oval:org.secpod.oval:def:1800381
A number of security vulnerabilities in the Graphite 2 library including out-of-bounds reads, buffer overflow reads and writes, and the use of uninitialized memory. These issues were addressed in Graphite 2 version 1.3.10. Reference:

oval:org.secpod.oval:def:1800494
CVE-2017-6886: Memory corruption in the parse_tiff_ifd An error within the "parse_tiff_ifd" function in LibRaw versions before 0.18.2 can be exploited to corrupt memory. Fixed In Version: LibRaw 0.18.2

oval:org.secpod.oval:def:1800495
When libcurl connects to an FTP server and successfully logs in, it asks the server for the current directory with the PWD command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a fl ...

oval:org.secpod.oval:def:1800499
CVE-2016-10195: dns remote stack overread vulnerability Fixed in libevent 2.1.6

oval:org.secpod.oval:def:1800460
CVE-2017-14746: Use-after-free vulnerability. Affected Versions All versions of Samba from 4.0.0 onwards. Fixed In Samba 4.7.3, 4.6.11 and 4.5.15

oval:org.secpod.oval:def:1800581
CVE-2017-14746: Use-after-free vulnerability. Affected Versions: All versions of Samba from 4.0.0 onwards. Fixed In: Samba 4.7.3, 4.6.11 and 4.5.15

oval:org.secpod.oval:def:1800461
CVE-2017-9611: The Ins_MIRP function in base/ttinterp.c in Artifex Ghostscript GhostXPS 9.21 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document.

oval:org.secpod.oval:def:1800583
CVE-2017-12893: Buffer over-read in smbutil.c:name_len in SMB/CIFS parser CVE-2017-12894: Buffer over-read in addrtoname.c:lookup_bytestring CVE-2017-12895: Buffer over-read in print-icmp.c:icmp_print in ICMP parser CVE-2017-12896: Buffer over-read in print-isakmp.c:isakmp_rfc3948_print in ISAKMP pa ...

oval:org.secpod.oval:def:1800587
A coding mistake was found in TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server does not s ...

oval:org.secpod.oval:def:1800451
CVE-2016-6252: Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap.

oval:org.secpod.oval:def:1800572
CVE-2016-4476: denial of service via crafted WPA/WPA2 passphrase parameter. wpa_supplicant 0.6.7 through 2.5 do not reject \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service via a crafted WPS operation.

oval:org.secpod.oval:def:1800693
All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to corre ...

oval:org.secpod.oval:def:1800575
Augeas versions up to and including 1.8.0 are vulnerable to heap-based buffer overflow due to improper handling of escaped strings. Attacker could send crafted strings that would cause the application using augeas to copy past the end of a buffer, leading to a crash or possible code execution. Fixed ...

oval:org.secpod.oval:def:1800455
Mozilla Network Security Services before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging incorrect base64 operations.

oval:org.secpod.oval:def:1800698
An integer overflow vulnerability in nginx range filter module in ngx_ function was found, potentially resulting in memory disclosure when used with 3rd party modules. Issue can be triggered by specially crafted http range request resulting into leaking the content of the cache file header. Affected ...

oval:org.secpod.oval:def:1800360
CVE-2016-0736: Padding Oracle in Apache mod_session_crypto Affects: 2.4.1 to 2.4.23 Fixed in: 2.4.25

oval:org.secpod.oval:def:1800361
CVE-2016-10195: dns remote stack overread vulnerability. Fixed in libevent 2.1.6

oval:org.secpod.oval:def:1800487
There were two bugs in curl's parser for the command line option --write-out that would skip the end of string zero byte if the string ended in a % or \, and it would read beyond that buffer in the heap memory and it could then potentially output pieces of that memory to the terminal or the targe ...

oval:org.secpod.oval:def:1800590
CVE-2017-10965: When receiving messages with invalid time stamps, Irssi would try to dereference a NULL pointer. Fixed In: Irssi 1.0.4

oval:org.secpod.oval:def:1800478
hostapd 0.6.7 through 2.5 do not reject \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service via a crafted WPS operation.

oval:org.secpod.oval:def:1800358
spice versions through 0.13 are vulnerable to out-of-bounds memory access when processing specially crafted messages from an authenticated attacker to the spice server, resulting in a crash and/or server memory leak.

oval:org.secpod.oval:def:1800662
All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.

oval:org.secpod.oval:def:1800422
Subversion's mod_dontdothat module and clients using are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack, otherwise known as the "billion laughs attack", targets XML parsers and can cause the targeted process to consume an excessive amount of CPU resou ...

oval:org.secpod.oval:def:1800543
A vulnerability was found in popd. It can be tricked to free a user supplied address in the following way: $ popd +-111111 This could be used to bypass restricted shells on some environments to cause use-after-free.

oval:org.secpod.oval:def:1800303
CVE-2017-12150: SMB1/2/3 connections may not require signing where they should Affected versions samba 3.0.25 to 4.6.7 Fixed in samba 4.6.8, 4.5.14 and 4.4.16

oval:org.secpod.oval:def:1800666
CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL.

oval:org.secpod.oval:def:1800565
servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to a double free vulnerability. A user with access to search the directory can crash slapd by issuing a search including the Paged Results control with a page size of 0.

oval:org.secpod.oval:def:1800568
Two errors in the "asn1_find_node" function within GnuTLS libtasn1 version 4.10 can be exploited to cause a stack-based buffer overflow by tricking a user into processing a specially crafted assignments file via, e.g., the asn1Coding utility.

oval:org.secpod.oval:def:1800689
CVE-2017-9468: When receiving a DCC message without source nick/host, Irssi would attempt to dereference a NULL pointer. Fixed In: Irssi 1.0.3 Reference: Patch. CVE-2017-9469: When receiving certain incorrectly quoted DCC files, Irssi would try to find the terminating quote one byte before the alloc ...

oval:org.secpod.oval:def:1800310
CVE-2017-9468: When receiving a DCC message without source nick/host, Irssi would attempt to dereference a NULL pointer. Fixed in Irssi 1.0.3 Reference Patch CVE-2017-9469: When receiving certain incorrectly quoted DCC files, Irssi would try to find the terminating quote one byte before the allocate ...

oval:org.secpod.oval:def:1800434
An exploitable stack based buffer overflow vulnerability exists in the GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability. Fixed In Vers ...

oval:org.secpod.oval:def:1800559
The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.

oval:org.secpod.oval:def:1800517
CVE-2017-9147: LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function in tif_dir.c, which might allow remote attackers to cause a denial of service via a crafted TIFF file. Reference Patch CVE-2017-9403: In LibTIFF 4.0.7, a memory leak vulnerability was found in the function TIFFReadDirEn ...

oval:org.secpod.oval:def:1800388
JasPer 2.0.12 is vulnerable to a NULL pointer exception in the function jp2_encode which failed to check to see if the image contained at least one component resulting in a denial-of-service.

oval:org.secpod.oval:def:1800496
It was found that setting VNC password to empty string doesn't work in a way as it's documented. The documented semantics of setting the password to an empty string are that it disables all access to the VNC server, however in fact it allows all users access with no authentication required instead.

oval:org.secpod.oval:def:1800379
CVE-2017-7592: Left shift of unsigned char without a cast The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted image.

oval:org.secpod.oval:def:1800467
A localhost.localdomain whitelist entry in valid_host in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server ...

oval:org.secpod.oval:def:1800570
In LibTIFF 4.0.9, there is a Null-Pointer Dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash.

oval:org.secpod.oval:def:1800354
CVE-2017-16548: The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing "\0" character in an xattr name, which allows remote attackers to cause a denial of service or possibly have unspecified other impact by sending crafted data to the daemon.

oval:org.secpod.oval:def:1800665
CVE-2017-16548: The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing "\0" character in an xattr name, which allows remote attackers to cause a denial of service or possibly have unspecified other impact by sending crafted data to the daemon.

oval:org.secpod.oval:def:1800670
CVE-2017-9147: LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function in tif_dir.c, which might allow remote attackers to cause a denial of service via a crafted TIFF file. CVE-2017-9403: In LibTIFF 4.0.7, a memory leak vulnerability was found in the function TIFFReadDirEntryLong8Array i ...

oval:org.secpod.oval:def:1800316
CVE-2018-1000005: HTTP/2 trailer out-of-bounds read Affected versions libcurl 7.49.0 to and including 7.57.0 Not affected versions libcurl = 7.58.0

oval:org.secpod.oval:def:1800471
CVE-2017-12837: Heap-based buffer overflow in the regular expression compiler in PERL before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service via a crafted regular expression with the case-insensitive modifier.

oval:org.secpod.oval:def:1800302
CVE-2016-1238: loading of modules from current directory Fixed In Version: perl 5.22.3, perl 5.24.1

oval:org.secpod.oval:def:1800680
libarchive 3.3.2 allows remote attackers to cause a denial of service via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archive_read_support_format_xar.c.

oval:org.secpod.oval:def:1800440
An issue was discovered in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1 before 4.13. Unlimited recursion in the BER decoder leads to stack exhaustion and DoS.

oval:org.secpod.oval:def:1800676
CVE-2016-7942: Insufficient validation of server responses in XGetImage CVE-2016-7943: Insufficient validation of server responses in FontNames Fixed In Version libX11 1.6.4 Affected versions libX11

oval:org.secpod.oval:def:1800390
An attacker can craft an RSS item with shell code in the title and/or URL. When you bookmark such an item, your shell will execute that code. Newsbeuter versions 0.7 through 2.9 are affected.

oval:org.secpod.oval:def:1800469
Improper Neutralization of Special Elements used in an OS Command in the podcast playback function of Podbeuter in Newsbeuter 0.3 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item with a media enclosure that includes shell metacharacters in its file ...

oval:org.secpod.oval:def:1800301
CVE-2017-3136: An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;". Affected versions: 9.8.0 -

oval:org.secpod.oval:def:1800322
CVE-2017-3136: An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;" Affected versions 9.8.0 -

oval:org.secpod.oval:def:1800553
Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in libsndfile through 1.0.28 allows remote attackers to cause a denial of service or possibly have unspecified other impact.

oval:org.secpod.oval:def:1800892
libcurl's implementation of the printf functions triggers a buffer overflow when doing a large floating point output. The bug occurs when the conversion outputs more than 255 bytes. Affected versions: libcurl 7.1 to and including 7.51.0 Fixed In: libcurl 7.52.0

oval:org.secpod.oval:def:1800765
CVE-2015-8665: Out-of-bounds read in tif_getimage.c tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service via the SamplesPerPixel tag in a TIFF image. Reference Patch CVE-2015-8683: out-of-bounds read in CIE Lab image format The putcontig8bitCIELab function in tif_get ...

oval:org.secpod.oval:def:1800629
LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value.

oval:org.secpod.oval:def:1800840
CVE-2016-1283: heap buffer overflow in handling of duplicate named groups The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the /

oval:org.secpod.oval:def:1800603
LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value.

oval:org.secpod.oval:def:1800668
CVE-2016-2047: MariaDB 10.1.10 CVE-2016-0616: MariaDB 10.1.10 CVE-2016-0610: MariaDB 10.1.9 CVE-2016-0609: MariaDB 10.1.10 CVE-2016-0608: MariaDB 10.1.10 CVE-2016-0606: MariaDB 10.1.10 CVE-2016-0600: MariaDB 10.1.10 CVE-2016-0598: MariaDB 10.1.10 CVE-2016-0597: MariaDB 10.1.10 CVE-2016-0596: MariaDB ...

oval:org.secpod.oval:def:1800206
CVE-2015-8665: Out-of-bounds read in tif_getimage.c. tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service via the SamplesPerPixel tag in a TIFF image. CVE-2015-8683: out-of-bounds read in CIE Lab image format. The putcontig8bitCIELab function in tif_getimage.c in Li ...

oval:org.secpod.oval:def:1800894
CVE-2016-1577: A double free vulnerability in jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allowing remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file was found. CVE-2016-2089: The jas_matrix_cl ...

oval:org.secpod.oval:def:1800876
CVE-2017-10911, XSA-216: blkif responses leak backend stack data Reference CVE-2017-10912, XSA-217: page transfer may allow PV guest to elevate privilege Reference CVE-2017-10913, CVE-2017-10914, XSA-218: Races in the grant table unmap code Reference CVE-2017-10915, XSA-219: x86: insufficient refere ...

oval:org.secpod.oval:def:1800143
CVE-2017-10911, XSA-216: blkif responses leak backend stack data Reference: CVE-2017-10912, XSA-217: page transfer may allow PV guest to elevate privilege Reference: CVE-2017-10913, CVE-2017-10914, XSA-218: Races in the grant table unmap code Reference: CVE-2017-10915, XSA-219: x86: insufficient ref ...

oval:org.secpod.oval:def:1800805
CVE-2016-8605: Thread-unsafe umask modification The mkdir procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure per ...

oval:org.secpod.oval:def:1800026
CVE-2016-8605: Thread-unsafe umask modification. The mkdir procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure pe ...

oval:org.secpod.oval:def:1800877
An out-of-bounds read in cmstypes.c in Type_MLU_Read function was found, leading to heap memory leak triggered by crafted ICC profile. Patch: Reference:

oval:org.secpod.oval:def:1800773
An out-of-bounds read in cmstypes.c in Type_MLU_Read function was found, leading to heap memory leak triggered by crafted ICC profile. Patch Reference

oval:org.secpod.oval:def:1800939
CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values. Affected Versions: 2.4.1 to 2.4.29 Fixed in: Apache 2.4.30

oval:org.secpod.oval:def:1800958
Ruby has multiple vulnerabilities: CVE-2017-17742: HTTP response splitting in WEBrick CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir CVE-2018-8777: DoS by large request in WEBrick CVE-2018-8778: Buffer under-read in String#unpack CVE-2018-877 ...

oval:org.secpod.oval:def:1800822
Upgrade to Firefox ESR 45.2. Memory safety bugs fixed in Firefox ESR 45.2 and Firefox 47 HTML5 parser heap-buffer-overflow Heap-use-after-free mozilla::dom::Element Firefox Navigation from a page with an active dropdown menu can be used for spoofing Crash in TSymbolTableLevel::~TSymbolTableLevel ...

oval:org.secpod.oval:def:1800137
OpenSSH clients between versions 5.4 and 7.1 are vulnerable to information disclosure that may allow a malicious server to retrieve information including, under some circumstances, user's private keys. This may be mitigated by adding the undocumented config option UseRoaming no to ssh_config. This bu ...

oval:org.secpod.oval:def:1800686
Upgrade to Firefox ESR 45.2 Memory safety bugs fixed in Firefox ESR 45.2 and Firefox 47 HTML5 parser heap-buffer-overflow Heap-use-after-free mozilla::dom::Element Firefox Navigation from a page with an active dropdown menu can be used for spoofing Crash in TSymbolTableLevel::~TSymbolTableLevel ...

oval:org.secpod.oval:def:1800742
CVE-2016-9840: inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

oval:org.secpod.oval:def:1800731
Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket the KDC-REP service name must be obtained from the encrypted version stored i ...

oval:org.secpod.oval:def:1800507
Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket the KDC-REP service name must be obtained from the encrypted version stored i ...

oval:org.secpod.oval:def:1800189
A MITM attacker may impersonate a trusted server and thus gain elevated access to the domain by returning malicious replication or authorization data. Affected versions: All versions between Samba 4.0.0 and 4.6.6/4.5.12/4.4.15

oval:org.secpod.oval:def:1800343
CVE-2016-9840: inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

oval:org.secpod.oval:def:1800531
A MITM attacker may impersonate a trusted server and thus gain elevated access to the domain by returning malicious replication or authorization data. Affected versions All versions between Samba 4.0.0 and 4.6.6/4.5.12/4.4.15

oval:org.secpod.oval:def:1801534
The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.

oval:org.secpod.oval:def:1800813
CVE-2017-8816: NTLM buffer overflow via integer overflow Affected versions: libcurl 7.36.0 to and including 7.56.1 Not affected versions: libcurl = 7.57.0

oval:org.secpod.oval:def:1800725
libvirt version 2.3.0 and later is vulnerable to a bad default configuration of "verify-peer=no" passed to QEMU by libvirt resulting in a failure to validate SSL/TLS certificates by default.

oval:org.secpod.oval:def:1800948
CVE-2018-7540, XSA-252: DoS via non-preemptable L3/L4 pagetable freeing All Xen versions are vulnerable.

oval:org.secpod.oval:def:1800921
CVE-2017-17044, XSA-246: x86: infinite loop due to missing PoD error checking Xen versions from 3.4.x onwards are affected.

oval:org.secpod.oval:def:1800251
CVE-2017-17044, XSA-246: x86: infinite loop due to missing PoD error checking Xen versions from 3.4.x onwards are affected.

oval:org.secpod.oval:def:1800372
CVE-2017-2350 Versions affected: WebKitGTK+ before 2.14.4. Impact: Processing maliciously crafted web content may exfiltrate data cross-origin. Description: A prototype access issue was addressed through improved exception handling. CVE-2017-2354 Versions affected: WebKitGTK+ before 2.14.4. Impact: Pr ...

oval:org.secpod.oval:def:1801219
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. Fixed in Ve ...

oval:org.secpod.oval:def:1800208
CVE-2017-8816: NTLM buffer overflow via integer overflow Affected versions libcurl 7.36.0 to and including 7.56.1 Not affected versions libcurl = 7.57.0

oval:org.secpod.oval:def:1800241
An input validation vulnerability was found in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server usin ...

oval:org.secpod.oval:def:1800678
An input validation vulnerability was found in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server usin ...

oval:org.secpod.oval:def:1800846
CVE-2017-3731: Truncated packet could crash via OOB read If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the cra ...

oval:org.secpod.oval:def:1800417
CVE-2017-3731: Truncated packet could crash via OOB read. If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the cr ...

oval:org.secpod.oval:def:1800445
An issue was found in certificate validation using OCSP responses, caused by not verifying the serial length, which can falsely report a certificate as valid.

oval:org.secpod.oval:def:1800574
CVE-2016-10002: Information disclosure in HTTP Request processing. Due to incorrect HTTP conditional request handling Squid can deliver responses containing private data to clients it should not have reached. Affected versions: Squid 3.1 -

oval:org.secpod.oval:def:1800437
CVE-2016-2123: NDR Parsing ndr_pull_dnsp_name Heap-based Buffer Overflow Remote Code Execution Vulnerability. Affected versions: Samba 4.0.0 to 4.5.2 Fixed in: Samba 4.5.3, 4.4.8 and 4.3.13

oval:org.secpod.oval:def:1800900
vim before patch 8.0.0322 does not properly validate values for tree length when handling a spell file, which may result in an integer overflow at a memory allocation site and a resultant buffer overflow.

oval:org.secpod.oval:def:1800916
A vulnerability was found in Vim which would allow arbitrary shell commands to be run if a user opened a file with a malicious modeline. This is due to lack of validation of values for a few options. Those options' values are then used in Vim's scripts to build a command string that's evaluated by : ...

oval:org.secpod.oval:def:1800191
vim before patch 8.0.0322 does not properly validate values for tree length when handling a spell file, which may result in an integer overflow at a memory allocation site and a resultant buffer overflow.

oval:org.secpod.oval:def:1800995
CVE-2018-11233: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.

oval:org.secpod.oval:def:1800847
CVE-2016-10033: The mailSend function in the isMail transport in PHPMailer before 5.2.18, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" in a crafted From address. Fixed In Version: phpm ...

oval:org.secpod.oval:def:1800831
CVE-2016-10033 The mailSend function in the isMail transport in PHPMailer before 5.2.18, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" in a crafted From address. Fixed In Version phpmai ...

oval:org.secpod.oval:def:1800824
CVE-2016-1667: Same origin bypass in DOM. CVE-2016-1668: Same origin bypass in Blink V8 bindings. CVE-2016-1669: Buffer overflow in V8. CVE-2016-1670: Race condition in loader. CVE-2016-1671: Directory traversal using the file scheme on Android. Fixed In Version: 50.0.2661.102

oval:org.secpod.oval:def:1800123
CVE-2016-1667: Same origin bypass in DOM. CVE-2016-1668: Same origin bypass in Blink V8 bindings. CVE-2016-1669: Buffer overflow in V8. CVE-2016-1670: Race condition in loader. CVE-2016-1671: Directory traversal using the file scheme on Android. Fixed In Version: 50.0.2661.102

oval:org.secpod.oval:def:1800722
CVE-2016-7411: A memory corruption error may occur during deserialized object destruction Reference Patch CVE-2016-7412: A heap overflow may occur in the processing of BIT fields in mysqlnd Reference Patch CVE-2016-7413: A use-after-free memory error may occur in wddx_deserialize Reference Patch CVE ...

oval:org.secpod.oval:def:1800536
CVE-2016-7411: A memory corruption error may occur during deserialized object destruction. CVE-2016-7412: A heap overflow may occur in the processing of BIT fields in mysqlnd. CVE-2016-7413: A use-after-free memory error may occur in wddx_deserialize. CVE-2016-7414: An out-of-bounds memory error ...

oval:org.secpod.oval:def:1800778
CVE-2017-6362: Double-free in gdImagePngPtr. Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors. Fixed In Version libgd 2.2.5

oval:org.secpod.oval:def:1800681
CVE-2017-6362: Double-free in gdImagePngPtr. Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors. Fixed In Version: libgd 2.2.5

oval:org.secpod.oval:def:1800497
CVE-2017-3167: In Apache 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

oval:org.secpod.oval:def:1800597
CVE-2017-3167: In Apache 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

oval:org.secpod.oval:def:1800646
CVE-2012-6702: Using XML_Parse before rand results into non-random output. Reference: CVE-2016-5300: Little entropy used for hash initialization. The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service vi ...

oval:org.secpod.oval:def:1800270
CVE-2017-17566, XSA-248: x86 PV guests may gain access to internally used pages Reference CVE-2017-17563, XSA-249: broken x86 shadow mode refcount overflow check Reference CVE-2017-17564, XSA-250: improper x86 shadow mode refcount error handling Reference CVE-2017-17565, XSA-251: improper bug check ...

oval:org.secpod.oval:def:1800444
CVE-2017-17566, XSA-248: x86 PV guests may gain access to internally used pages Reference: CVE-2017-17563, XSA-249: broken x86 shadow mode refcount overflow check Reference: CVE-2017-17564, XSA-250: improper x86 shadow mode refcount error handling Reference: CVE-2017-17565, XSA-251: improper bug che ...

oval:org.secpod.oval:def:1800768
LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service, as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c.

oval:org.secpod.oval:def:1800872
LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service, as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c.

oval:org.secpod.oval:def:1801557
In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match in pcre_exec.c because of a self-recursive call.

oval:org.secpod.oval:def:1800910
CVE-2017-9224: An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at during regular expression searching. A logical error involving order of validation and access in match_at could r ...

oval:org.secpod.oval:def:1801184
Libgd version 2.2.5 contains a Double Free vulnerability in the gdImageBmpPtr function that can result in Remote Code Execution. This attack appears to be exploitable via a specially crafted JPEG image, which can trigger a double free. This vulnerability appears to have been fixed after commit ac1 ...

oval:org.secpod.oval:def:1801168
CVE-2018-10194: The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite component in Artifex Ghostscript through 9.22 does not prevent overflows in text-positioning calculation, which allows remote attackers to cause a denial of service or possibly have unspecified other impact ...

oval:org.secpod.oval:def:1801000
CVE-2018-10472, XSA-258: Information leak via crafted user-supplied CDROM

oval:org.secpod.oval:def:1800398
CVE-2017-12135, XSA-226: multiple problems with transitive grants All versions of Xen are vulnerable.

oval:org.secpod.oval:def:1800660
CVE-2017-12135, XSA-226: multiple problems with transitive grants All versions of Xen are vulnerable.

oval:org.secpod.oval:def:1800624
CVE-2017-3737: Read/write after SSL object in error state. OpenSSL 1.0.2 introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This w ...

oval:org.secpod.oval:def:1800648
CPython up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow

oval:org.secpod.oval:def:1800750
CVE-2016-0772: smtplib StartTLS stripping attack. CVE-2016-5636: Heap overflow in zipimporter module. CVE-2016-5699: HTTP header injection in urllib2/urllib/

oval:org.secpod.oval:def:1800292
CVE-2017-3735: Malformed X.509 IPAddressFamily could cause OOB read. If an X.509 certificate has a malformed IPAddressFamily extension, OpenSSL could do a one-byte buffer overread. The most likely result would be an erroneous display of the certificate in text format. Fixed In Version openssl 1.0.2m, o ...

oval:org.secpod.oval:def:1800384
The c-ares function ares_parse_naptr_reply, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. Affected versions: c-ares 1.8.0 to and including 1.12.0 Not affected versio ...

oval:org.secpod.oval:def:1800028
Fixed In Version: 4.6.0

oval:org.secpod.oval:def:1800214
A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0 but was omitted from OpenSSL 1.0.2i. As a result any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer exception. OpenSSL 1.0.2i users should upgrade to 1.0.2j.

oval:org.secpod.oval:def:1800365
The c-ares function ares_parse_naptr_reply, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. Affected versions c-ares 1.8.0 to and including 1.12.0 Not affected version ...

oval:org.secpod.oval:def:1800596
CVE-2017-3737: Read/write after SSL object in error state OpenSSL 1.0.2 introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This wo ...

oval:org.secpod.oval:def:1800239
CVE-2016-0772: smtplib StartTLS stripping attack. CVE-2016-5636: Heap overflow in zipimporter module. CVE-2016-5699: HTTP header injection in urllib2/urllib/

oval:org.secpod.oval:def:1800544
CVE-2016-2183: SWEET32 Mitigation. SWEET32

oval:org.secpod.oval:def:1800659
CVE-2016-2177 CVE-2016-2178

oval:org.secpod.oval:def:1800671
CPython up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow

oval:org.secpod.oval:def:1800554
CVE-2017-3735: Malformed X.509 IPAddressFamily could cause OOB read. If an X.509 certificate has a malformed IPAddressFamily extension, OpenSSL could do a one-byte buffer overread. The most likely result would be an erroneous display of the certificate in text format. Fixed In Version: openssl 1.0.2m, ...

oval:org.secpod.oval:def:1800621
CVE-2015-7554: invalid write. The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image.

oval:org.secpod.oval:def:1800957
In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against ...

oval:org.secpod.oval:def:1801107
CVE-2017-9935: In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_fre ...

oval:org.secpod.oval:def:1800339
CVE-2015-7554: invalid write The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image.

oval:org.secpod.oval:def:1800122
CVE-2016-9273: heap-buffer-overflow in cpStrips. Reference: CVE-2016-9297: segfault in _TIFFPrintField. Reference: CVE-2016-9448: Invalid read of size 1 in TIFFFetchNormalTag. Fix for CVE-2016-9297 introduced this issue.

oval:org.secpod.oval:def:1800821
CVE-2017-5969: Null pointer dereference parsing xml file using libxml

oval:org.secpod.oval:def:1800588
CVE-2017-5969: Null pointer dereference parsing xml file using libxml

oval:org.secpod.oval:def:1800782
libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity attacks via a crafted docu ...

oval:org.secpod.oval:def:1800895
libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity attacks via a crafted docu ...

oval:org.secpod.oval:def:1800880
CVE-2016-10009: loading of untrusted PKCS#11 modules in ssh-agent. Ssh-agent could load PKCS#11 modules from paths outside of a trusted whitelist. An attacker able to load a crafted PKCS#11 module across a forwarded agent channel could potentially use this flaw to execute arbitrary code on the syste ...

oval:org.secpod.oval:def:1800520
CVE-2015-8874: Stack overflow with gdImageFillToBorder CVE-2016-5766: Integer Overflow in _gd2GetHeader CVE-2016-5767: Integer Overflow in gdImagePaletteToTrueColor resulting in heap overflow CVE-2016-6128: Invalid color index not handled, can lead to crash CVE-2016-6132: A read out-of-bounds was fou ...

oval:org.secpod.oval:def:1800871
PHP 7.0.8, 5.6.23 and 5.5.37 does not perform adequate error handling in its `bzread` function.

oval:org.secpod.oval:def:1800076
CVE-2016-2073: out-of-bounds read in htmlParseNameComplex libxml2 is vulnerable to a heap-based buffer overflow, caused by an out-of-bounds read in the htmlParseNameComplex function. By persuading a victim to open a specially crafted XML file, a remote attacker could overflow a buffer and execute ar ...

oval:org.secpod.oval:def:1800153
PHP 7.0.8, 5.6.23 and 5.5.37 does not perform adequate error handling in its `bzread` function.

oval:org.secpod.oval:def:1800781
Integer signedness error in GD Graphics Library 2.1.1 allows remote attackers to cause a denial of service or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.

oval:org.secpod.oval:def:1800383
x86: inconsistent cachability flags on guest mappings. Multiple mappings of the same physical page with different cachability setting can cause problems. While one category affects only guests themselves, the other category being Machine Check exceptions can be fatal to entire hosts.

*CPE
cpe:/o:alpinelinux:alpine_linux:3.5

© SecPod Technologies