oval:org.secpod.oval:def:703834 ocaml: ML language implementation with a class-based object system. OCaml applications could be made to crash, expose sensitive information, or run programs.
oval:org.secpod.oval:def:110468 Quassel IRC is a modern, distributed IRC client, meaning that one client can attach to and detach from a central core -- much like the popular combination of screen and a text-based IRC client such as WeeChat, but graphical.
oval:org.secpod.oval:def:703341 curl: HTTP, HTTPS, and FTP client and client libraries. Several security issues were fixed in curl.
oval:org.secpod.oval:def:38514 The host is installed with Apple Mac OS X or Server 10.12.x through 10.12.1 and is prone to an information disclosure vulnerability. A flaw is present in the application, which fails to properly handle unknown vectors related to curl. Successful exploitation could allow attackers to leak sensitive u ...
oval:org.secpod.oval:def:110538 OCaml is a high-level, strongly-typed, functional and object-oriented programming language from the ML family of languages. This package comprises two batch compilers, an interactive toplevel system, parsing tools, a replay debugger, a documentation generator, and a comprehensive library.
oval:org.secpod.oval:def:110479 Quassel IRC is a modern, distributed IRC client, meaning that one client can attach to and detach from a central core -- much like the popular combination of screen and a text-based IRC client such as WeeChat, but graphical.
oval:org.secpod.oval:def:111369 GPG keys used by various Linux distributions to sign packages.
oval:org.secpod.oval:def:111364 Mock takes an SRPM and builds it in a chroot.
oval:org.secpod.oval:def:111330 GPG keys used by various Linux distributions to sign packages.
oval:org.secpod.oval:def:111327 Mock takes an SRPM and builds it in a chroot.
oval:org.secpod.oval:def:110445 Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to m ...
oval:org.secpod.oval:def:110440 Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to m ...
oval:org.secpod.oval:def:110437 Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to m ...
oval:org.secpod.oval:def:110415 Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to m ...
oval:org.secpod.oval:def:502003 The libguestfs packages contain a library, which is used for accessing and modifying virtual machine disk images. Security Fix: * An integer conversion flaw was found in the way OCaml's String handled its length. Certain operations on an excessively long String could trigger a buffer overflow or re ...
oval:org.secpod.oval:def:1501965 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:111565 Libass is a portable library for SSA/ASS subtitles rendering.
oval:org.secpod.oval:def:111478 Libass is a portable library for SSA/ASS subtitles rendering.
oval:org.secpod.oval:def:111412 Extending the art & spirit of PHP, Zend Framework is based on simplicity, object-oriented best practices, corporate friendly licensing, and a rigorously tested agile code base. Zend Framework is focused on building more secure, reliable, and modern Web 2.0 applications & web services, and co ...
oval:org.secpod.oval:def:111418 Extending the art & spirit of PHP, Zend Framework is based on simplicity, object-oriented best practices, corporate friendly licensing, and a rigorously tested agile code base. Zend Framework is focused on building more secure, reliable, and modern Web 2.0 applications & web services, and co ...
oval:org.secpod.oval:def:1800739 CVE-2016-8568: Read out-of-bounds in git_oid_nfmt. Reference: CVE-2016-8569: DoS using a null pointer dereference in git_commit_message. Reference:
oval:org.secpod.oval:def:111602 WebP is an image format that does lossy compression of digital photographic images. WebP consists of a codec based on VP8, and a container based on RIFF. Webmasters, web developers and browser developers can use WebP to compress, archive and distribute digital images more efficiently.
oval:org.secpod.oval:def:111456 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings.
oval:org.secpod.oval:def:111566 WebP is an image format that does lossy compression of digital photographic images. WebP consists of a codec based on VP8, and a container based on RIFF. Webmasters, web developers and browser developers can use WebP to compress, archive and distribute digital images more efficiently.
oval:org.secpod.oval:def:111463 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings.
oval:org.secpod.oval:def:111437 The GNU Bourne Again shell is a shell or command language interpreter that is compatible with the Bourne shell. Bash incorporates useful features from the Korn shell and the C shell. Most sh scripts can be run by bash without modification.
oval:org.secpod.oval:def:1800197 Shells running as root inherited PS4 from the environment, allowing PS4 expansion performing command substitution. Local attacker could gain arbitrary code execution via bogus setuid binaries using system/popen by specially crafting SHELLOPTS+PS4 environment variables. Fixed In Version: bash 4.4
oval:org.secpod.oval:def:111391 The GNU Bourne Again shell is a shell or command language interpreter that is compatible with the Bourne shell. Bash incorporates useful features from the Korn shell and the C shell. Most sh scripts can be run by bash without modification.
oval:org.secpod.oval:def:111411 X.Org X11 libXtst runtime library
oval:org.secpod.oval:def:111416 X.Org X11 libXvMC runtime library
oval:org.secpod.oval:def:1800063 Insufficient validation of data from the X server can cause a one byte buffer read underrun. Affected versions: libxvmc. Fixed In Version: libxvmc 1.0.10. Reference: Patch
oval:org.secpod.oval:def:1800174 CVE-2016-7951: Insufficient validation of server responses result in integer overflows. CVE-2016-7952: Insufficient validation of server responses result in various data mishandlings. Fixed In Version: libXtst 1.2.3. Reference: Patch
oval:org.secpod.oval:def:111579 X.Org X11 libXtst runtime library
oval:org.secpod.oval:def:111578 X.Org X11 libXvMC runtime library
oval:org.secpod.oval:def:111410 X.Org X11 libXrender runtime library
oval:org.secpod.oval:def:111409 X.Org X11 libXrandr runtime library
oval:org.secpod.oval:def:111571 X.Org X11 libXrandr runtime library
oval:org.secpod.oval:def:111569 X.Org X11 libXrender runtime library
oval:org.secpod.oval:def:111407 X.Org X11 libXi runtime library
oval:org.secpod.oval:def:1800874 CVE-2016-7945: Insufficient validation of server responses result in integer overflows. CVE-2016-7946: Insufficient validation of server responses result in various data mishandlings. Affected versions: libXi. Fixed In Version: libXi 1.7.7
oval:org.secpod.oval:def:111591 X.Org X11 libXi runtime library
oval:org.secpod.oval:def:111415 X.Org X11 libXv runtime library
oval:org.secpod.oval:def:1800807 Insufficient validation of data from the X server can cause out of boundary memory and memory corruption. Affected versions: libXv. Fixed In Version: libXv 1.0.11
oval:org.secpod.oval:def:111572 X.Org X11 libXv runtime library
oval:org.secpod.oval:def:111314 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ...
oval:org.secpod.oval:def:111375 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ...
oval:org.secpod.oval:def:111307 Chromium is an open-source web browser, powered by WebKit.
oval:org.secpod.oval:def:111175 SSH is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the sec ...
oval:org.secpod.oval:def:110885 Perl is a high-level programming language with roots in C, sed, awk and shell scripting. Perl is good at handling processes and files, and is especially good at handling text. Perl's hallmarks are practicality and efficiency. While it is used to do a lot of different things, Perl's most comm ...
oval:org.secpod.oval:def:110874 Perl is a high-level programming language with roots in C, sed, awk and shell scripting. Perl is good at handling processes and files, and is especially good at handling text. Perl's hallmarks are practicality and efficiency. While it is used to do a lot of different things, Perl's most comm ...
oval:org.secpod.oval:def:110869 Perl is a high-level programming language with roots in C, sed, awk and shell scripting. Perl is good at handling processes and files, and is especially good at handling text. Perl's hallmarks are practicality and efficiency. While it is used to do a lot of different things, Perl's most comm ...
oval:org.secpod.oval:def:36890 The host is missing a high severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact.
oval:org.secpod.oval:def:36879 The host is installed with Google Chrome before 53.0.2785.89 and is prone to a heap overflow vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact.
oval:org.secpod.oval:def:36934 The host is installed with Google Chrome before 53.0.2785.92 and is prone to a heap overflow vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact.
oval:org.secpod.oval:def:36933 The host is installed with Google Chrome before 53.0.2785.92 and is prone to a heap overflow vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact.
oval:org.secpod.oval:def:602605 Several vulnerabilities have been discovered in the chromium web browser. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2016-5147 A cross-site scripting issue was discovered. CVE-2016-5148 Another cross-site scripting issue was discovered. CVE-2016-5149 Max Justicz discovered a script injection issue in extension handling. CVE-2016-5150 A u ...
oval:org.secpod.oval:def:36912 The host is missing a high severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact.
oval:org.secpod.oval:def:36901 The host is installed with Google Chrome before 53.0.2785.89 and is prone to a heap overflow vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact.
oval:org.secpod.oval:def:36956 The host is missing a high severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact.
oval:org.secpod.oval:def:36955 The host is missing a high severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact.
oval:org.secpod.oval:def:602707 It was discovered that Tor, a connection-based low-latency anonymous communication system, may read one byte past a buffer when parsing hidden service descriptors. This issue may enable a hostile hidden service to crash Tor clients depending on hardening options and malloc implementation.
oval:org.secpod.oval:def:112987 The supervisor is a client/server system that allows its users to control a number of processes on UNIX-like operating systems.
oval:org.secpod.oval:def:1800609 A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root. Affecte ...
oval:org.secpod.oval:def:112974 The supervisor is a client/server system that allows its users to control a number of processes on UNIX-like operating systems.
oval:org.secpod.oval:def:1800614 A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root. Affecte ...
oval:org.secpod.oval:def:1800407 A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root. Affecte ...
oval:org.secpod.oval:def:112994 The supervisor is a client/server system that allows its users to control a number of processes on UNIX-like operating systems.
oval:org.secpod.oval:def:53109 Calum Hutton reported that the XML-RPC server in supervisor, a system for controlling process state, does not perform validation on requested XML-RPC methods, allowing an authenticated client to send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server as t ...
oval:org.secpod.oval:def:603039 Calum Hutton reported that the XML-RPC server in supervisor, a system for controlling process state, does not perform validation on requested XML-RPC methods, allowing an authenticated client to send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server as t ...
oval:org.secpod.oval:def:1800564 A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root. Affecte ...
oval:org.secpod.oval:def:2000298 Multiple integer overflows in libwebp allow attackers to have unspecified impact via unknown vectors.
oval:org.secpod.oval:def:1901042 Multiple integer overflows in webp allow attackers to have unspecified impact via unknown vectors.
oval:org.secpod.oval:def:39596 The host is installed with Apple Mac OS X 10.8 before 10.13 and is prone to an HTTP request redirection vulnerability. A flaw is present in the application, which fails to properly handle a malicious HTTP request. Successful exploitation could allow attackers to execute arbitrary code.
oval:org.secpod.oval:def:602472 Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2016-3158, CVE-2016-3159 Jan Beulich from SUSE discovered that Xen does not properly handle writes to the hardware FSW.ES bit when running on ...
oval:org.secpod.oval:def:1800268 CVE-2016-3157, XSA-171: I/O port access privilege escalation in x86-64 Linux. IRET and POPF do not modify EFLAGS.IOPL when executed by code at a privilege level other than zero. Since PV Xen guests run at privilege level 3, to compensate for this the context switching of EFLAGS.IOPL requires the gue ...
oval:org.secpod.oval:def:111197 This module allows an application designed for the CGI environment to run in a PSGI environment, and thus on any of the back-ends that PSGI supports.
oval:org.secpod.oval:def:1800280 When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD source code. On this hard coded password structure the password hash is based on the BLOWFISH algorithm. If real users' passwords are hashed using SHA256/SHA512, then sending large passwor ...
oval:org.secpod.oval:def:111192 This module allows an application designed for the CGI environment to run in a PSGI environment, and thus on any of the back-ends that PSGI supports.
oval:org.secpod.oval:def:111125 The Apache HTTP Server is a powerful, efficient, and extensible web server.
oval:org.secpod.oval:def:111035 The Apache HTTP Server is a powerful, efficient, and extensible web server.
oval:org.secpod.oval:def:203967 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly use ...
oval:org.secpod.oval:def:203966 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly use ...
oval:org.secpod.oval:def:203965 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly use ...
oval:org.secpod.oval:def:1900512 Buffer underflow in X.org libxvmc-dev before 1.0.10 allows remote X servers to have unspecified impact via an empty string.
oval:org.secpod.oval:def:114159 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings.
oval:org.secpod.oval:def:1800651 Insufficient validation of data from the X server can cause a one byte buffer read underrun. Affected versions: libxvmc. Fixed In Version: libxvmc 1.0.10.
oval:org.secpod.oval:def:1900584 The check_allocations function in libass-dev/ass_shaper.c in libass-dev before 0.13.4 allows remote attackers to cause a denial of service via unspecified vectors.
oval:org.secpod.oval:def:1900568 The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on /opt/.lxc-attach-script, the archived container in the archive_path directory, or the lxc-attach-script.lo ...
oval:org.secpod.oval:def:1900573 X.org libxi-dev before 1.7.7 allows remote X servers to cause a denial of service via vectors involving length fields.
oval:org.secpod.oval:def:1800373 CVE-2016-7951: Insufficient validation of server responses result in integer overflows. CVE-2016-7952: Insufficient validation of server responses result in various data mishandlings. Fixed In Version: libXtst 1.2.3.
oval:org.secpod.oval:def:1800602 Libass released a new 0.13.4 version which fixes multiple issues. CVE-2016-7969: Patch. CVE-2016-7970: Patch. CVE-2016-7972: Patch. Reference
oval:org.secpod.oval:def:1800576 Libass released a new 0.13.4 version which fixes multiple issues. CVE-2016-7969: Patch: CVE-2016-7970: Patch: CVE-2016-7972: Patch: Reference:
oval:org.secpod.oval:def:1800335 Insufficient validation of data from the X server can cause out of boundary memory and memory corruption. Affected versions: libXv. Fixed In Version: libXv 1.0.11
oval:org.secpod.oval:def:1900718 Multiple integer overflows in X.org libXtst before 1.2.3 allow remote X servers to trigger out-of-bounds memory access operations by leveraging the lack of range checks.
oval:org.secpod.oval:def:1900549 The git_oid_nfmt function in commit.c in libgit2-dev before 0.24.3 allows remote attackers to cause a denial of service via a cat-file command with a crafted object file.
oval:org.secpod.oval:def:1900551 The wrap_lines_smart function in ass_render.c in libass-dev before 0.13.4 allows remote attackers to cause a denial of service via unspecified vectors, related to "0/3 line wrapping equalization."
oval:org.secpod.oval:def:1901043 The REPL server in GNU Guile 2.0.12 allows an attacker to execute arbitrary code via an HTTP inter-protocol attack.
oval:org.secpod.oval:def:1800628 CVE-2016-7949: Insufficient validation of server responses results in overflow of previously reserved memory. Affected version: libXrender. Fixed In Version: libXrender 0.9.10. CVE-2016-7950: Insufficient validation of server responses results in an out-of-bounds write in XRenderQueryFilters. Affected vers ...
oval:org.secpod.oval:def:1901212 The order and group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.
oval:org.secpod.oval:def:1901270 The scm plug-in in mock might allow attackers to bypass the intended chroot protection mechanism and gain root privileges via a crafted spec file.
oval:org.secpod.oval:def:1901070 The XRenderQueryFilters function in X.org libXrender before 0.9.10 allows remote X servers to trigger out-of-bounds write operations via vectors involving filter name lengths.
oval:org.secpod.oval:def:1600477 The implementation of ORDER BY and GROUP BY in Zend_Db_Select was discovered to be vulnerable to SQL injection.
oval:org.secpod.oval:def:1800317 CVE-2016-7949: Insufficient validation of server responses results in overflow of previously reserved memory. Affected version: libXrender. Fixed In Version: libXrender 0.9.10. Reference: Patch. CVE-2016-7950: Insufficient validation of server responses results in an out-of-bounds write in XRenderQueryFilters. Af ...
oval:org.secpod.oval:def:1800462 CVE-2016-7945: Insufficient validation of server responses result in integer overflows. CVE-2016-7946: Insufficient validation of server responses result in various data mishandlings. Affected versions: libXi. Fixed In Version: libXi 1.7.7
oval:org.secpod.oval:def:1800456 CVE-2016-7947: Insufficient validation of server responses result in integer overflows. CVE-2016-7948: Insufficient validation of server responses result in various data mishandlings. Affected versions: libXrandr. Fixed In Version: libXrandr 1.5.1. Reference
oval:org.secpod.oval:def:1901297 The onReadyRead function in core/coreauthhandler.cpp in Quassel before 0.12.4 allows remote attackers to cause a denial of service via invalid handshake data.
oval:org.secpod.oval:def:1800447 CVE-2016-7947: Insufficient validation of server responses result in integer overflows. CVE-2016-7948: Insufficient validation of server responses result in various data mishandlings. Affected versions: libXrandr. Fixed In Version: libXrandr 1.5.1. Reference:
oval:org.secpod.oval:def:602570 Multiple vulnerabilities were discovered in the implementation of the Perl programming language. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2016-1238 John Lightsey and Todd Rinaldo reported that the opportunistic loading of optional modules can make many ...
oval:org.secpod.oval:def:1501978 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:37885 curl: HTTP, HTTPS, and FTP client and client libraries. Several security issues were fixed in curl.
oval:org.secpod.oval:def:704051 perl: Practical Extraction and Report Language. Several security issues were fixed in Perl.
oval:org.secpod.oval:def:1600454 After testing the original CVE-2016-5420 patch, it was discovered that libcurl built on top of NSS still incorrectly re-uses client certificates if a certificate from file is used for one TLS connection but no certificate is set for a subsequent TLS connection.
oval:org.secpod.oval:def:1800350 The four libcurl functions curl_escape, curl_easy_escape, curl_unescape and curl_easy_unescape perform string URL percent escaping and unescaping. They accept custom string length inputs in signed integer arguments. Affected versions: libcurl 7.11.1 to and including 7.50.2. Not affected versions: li ...
oval:org.secpod.oval:def:703069 libtasn1-6: Library to manage ASN.1 structures. Details: USN-2957-1 fixed a vulnerability in Libtasn1. This update provides the corresponding update for Ubuntu 16.04 LTS. Original advisory: Libtasn1 could be made to hang if it processed specially crafted data.
oval:org.secpod.oval:def:1800506 CVE-2016-9013: User with hardcoded password created when running tests on Oracle. When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the database settings TEST dictionary, a hardcoded password is used. Th ...
oval:org.secpod.oval:def:602561 Scott Geary of VendHQ discovered that the Apache HTTPD server used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP re ...
oval:org.secpod.oval:def:703241 fontconfig: generic font configuration library. Fontconfig could be made to crash or run programs if it opened a specially crafted file.
oval:org.secpod.oval:def:602586 Tobias Stoeckmann discovered that cache files are insufficiently validated in fontconfig, a generic font configuration library. An attacker can trigger arbitrary free calls, which in turn allows double free attacks and therefore arbitrary code execution. In combination with setuid binaries using cra ...
oval:org.secpod.oval:def:51603 apache2: Apache HTTP server. A security issue was fixed in the Apache HTTP Server.
oval:org.secpod.oval:def:703369 python-cryptography: Cryptography Python library. python-cryptography could generate incorrect keys.
oval:org.secpod.oval:def:703235 openssh: secure shell for secure access to remote machines. Several security issues were fixed in OpenSSH.
oval:org.secpod.oval:def:1800380 The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary p ...
oval:org.secpod.oval:def:501848 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly use ...
oval:org.secpod.oval:def:501849 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es): * It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectl ...
oval:org.secpod.oval:def:703210 apache2: Apache HTTP server. A security issue was fixed in the Apache HTTP Server.
oval:org.secpod.oval:def:703337 python-django: High-level Python web development framework. Several security issues were fixed in Django.
oval:org.secpod.oval:def:1501514 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es): * It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly ...
oval:org.secpod.oval:def:1501515 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es): * It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly ...
oval:org.secpod.oval:def:1501516 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es): * It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly ...
oval:org.secpod.oval:def:37886 The host is missing a patch containing security fixes, which affects the following package(s): openssh.base.server and openssh.base.client
oval:org.secpod.oval:def:602859 Several vulnerabilities were discovered in Django, a high-level Python web development framework. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2016-9013 Marti Raudsepp reported that a user with a hardcoded password is created when running tests with an Orac ...
oval:org.secpod.oval:def:1600429 It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could p ...
oval:org.secpod.oval:def:1501952 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:1800351 A denial of service vulnerability was found in openssh. The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service via a long string.
oval:org.secpod.oval:def:1800300 The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary p ...
oval:org.secpod.oval:def:36709 The host is installed with OpenSSH before 7.3 and is prone to a denial of service vulnerability. A flaw is present in the auth_password function in auth-passwd.c in sshd, which does not limit password lengths for password authentication. Successful exploitation could allow remote attackers to cause a deni ...
oval:org.secpod.oval:def:1800618 Shells running as root inherited PS4 from the environment, allowing PS4 expansion performing command substitution. Local attacker could gain arbitrary code execution via bogus setuid binaries using system/popen by specially crafting SHELLOPTS+PS4 environment variables. Fixed In Version: bash 4.4
oval:org.secpod.oval:def:1600711 Escape out of git-shell: A flaw was found in the way git-shell handled command-line options for the restricted set of git-shell commands. A remote authenticated attacker could use this flaw to bypass git-shell restrictions, to view and manipulate files, by abusing the instance of the less command laun ...
oval:org.secpod.oval:def:1600759 popd controlled free: A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. Arbitrary code execution via malicious hostname: An arbitrary command inject ...
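The httpd entries above (203967, 602561, 1800380/1800300 and the related distribution advisories) all describe the same mechanism: RFC 3875 section 4.1.18 turns every request header into an HTTP_<NAME> CGI meta-variable, so a client that sends a header literally named "Proxy" gets it exported as HTTP_PROXY, a variable that several HTTP client libraries read as proxy configuration. The following Python is an added example, not httpd's or any client library's code: it implements the header-to-environment mapping, shows the attacker-supplied header landing in HTTP_PROXY, and models the two independent fixes (the web server dropping the Proxy header before the mapping, and an HTTP client ignoring HTTP_PROXY whenever REQUEST_METHOD indicates it is running under CGI). The request headers, the proxy address and the REQUEST_METHOD value are constructed for the example.

```python
"""Added example: RFC 3875 header-to-environment mapping, the HTTP_PROXY
collision it creates, and the server- and client-side fixes. Not httpd code;
the sample request below is constructed."""

from typing import Dict, Iterable, List, Optional, Tuple

Headers = Iterable[Tuple[str, str]]


def cgi_meta_variables(headers: Headers) -> Dict[str, str]:
    """RFC 3875 s4.1.18: each request header is exposed as HTTP_<NAME>, the
    name upper-cased with '-' replaced by '_'; repeated headers are joined
    with ', '. The rule is purely mechanical, which is why a header named
    "Proxy" becomes HTTP_PROXY with no special treatment."""
    env: Dict[str, str] = {}
    for name, value in headers:
        key = "HTTP_" + name.strip().upper().replace("-", "_")
        value = value.strip()
        env[key] = f"{env[key]}, {value}" if key in env else value
    return env


# Server-side fix: request headers whose CGI name would collide with an
# environment variable that HTTP clients consult are discarded before the
# mapping runs (the same effect as unsetting "Proxy" at the web server).
COLLIDING_HEADERS = {"proxy"}


def cgi_meta_variables_hardened(headers: Headers) -> Dict[str, str]:
    safe: List[Tuple[str, str]] = [
        (n, v) for n, v in headers if n.strip().lower() not in COLLIDING_HEADERS
    ]
    return cgi_meta_variables(safe)


def naive_client_proxy(env: Dict[str, str]) -> Optional[str]:
    """Client side of the bug: a library that honours HTTP_PROXY from its
    environment unconditionally."""
    return env.get("HTTP_PROXY") or None


def cgi_aware_client_proxy(env: Dict[str, str]) -> Optional[str]:
    """Client-side fix: under CGI the server always sets REQUEST_METHOD, and in
    that context HTTP_PROXY is attacker-controlled, so it is ignored. Outside
    CGI it remains a legitimate operator setting."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY") or None


# Constructed request: ordinary headers plus an attacker-supplied Proxy header
# pointing at a hypothetical attacker-controlled address.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Host", "app.example"),
    ("User-Agent", "curl/7.50.1"),
    ("Proxy", "http://198.51.100.23:8080"),
]


def demo() -> Dict[str, Optional[str]]:
    """Runs the constructed request through each combination and returns the
    proxy each client variant would end up using (None = no redirection)."""
    vuln_env = dict(cgi_meta_variables(SAMPLE_HEADERS), REQUEST_METHOD="GET")
    safe_env = dict(cgi_meta_variables_hardened(SAMPLE_HEADERS), REQUEST_METHOD="GET")
    return {
        "naive client, unfiltered server": naive_client_proxy(vuln_env),
        "naive client, filtering server": naive_client_proxy(safe_env),
        "cgi-aware client, unfiltered server": cgi_aware_client_proxy(vuln_env),
    }


if __name__ == "__main__":
    for case, proxy in demo().items():
        print(f"{case}: {proxy}")
```

Only the first combination in demo() redirects outbound traffic; either fix alone closes it, and a deployment should apply both, since a CGI script may embed a client library the web server operator does not control. The server-side step corresponds to stripping the header as early as possible in request processing (with Apache's mod_headers that is a RequestHeader unset Proxy early directive), and the client-side step corresponds to the REQUEST_METHOD check that client libraries added in response to this issue.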
oval:org.secpod.oval:def:703599 git: fast, scalable, distributed revision control system Git could be made to expose sensitive information over the network. oval:org.secpod.oval:def:1501804 The bash packages provide Bash , which is the default shell for Red Hat Enterprise Linux. Security Fix: * An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines ... oval:org.secpod.oval:def:602873 Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted login shell for Git-only SSH access, allows a user to run an interactive pager by causing it to spawn "git upload-pack --help". oval:org.secpod.oval:def:112363 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The git rpm installs common set of tools which are usually using with small amount of dependencies. To install all git packages, incl ... oval:org.secpod.oval:def:502007 The bash packages provide Bash , which is the default shell for Red Hat Enterprise Linux. Security Fix: * An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines ... oval:org.secpod.oval:def:1501960 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:112423 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The git rpm installs common set of tools which are usually using with small amount of dependencies. To install all git packages, incl ... oval:org.secpod.oval:def:703612 bash: GNU Bourne Again SHell Several security issues were fixed in Bash. 
oval:org.secpod.oval:def:1600714 Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. Aspecially crafted file could cause an application using JasPer to crash or,possibly, execute arbitrary code. Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. Aspecially crafted file could cause an a ... oval:org.secpod.oval:def:1501855 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1501853 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:111370 This package contains an implementation of the image compression standard JPEG-2000, Part 1. It consists of tools for conversion to and from the JP2 and JPC formats. oval:org.secpod.oval:def:111217 This package contains an implementation of the image compression standard JPEG-2000, Part 1. It consists of tools for conversion to and from the JP2 and JPC formats. oval:org.secpod.oval:def:111320 This package contains an implementation of the image compression standard JPEG-2000, Part 1. It consists of tools for conversion to and from the JP2 and JPC formats. oval:org.secpod.oval:def:111593 This package contains an implementation of the image compression standard JPEG-2000, Part 1. It consists of tools for conversion to and from the JP2 and JPC formats. oval:org.secpod.oval:def:111590 This package contains an implementation of the image compression standard JPEG-2000, Part 1. It consists of tools for conversion to and from the JP2 and JPC formats. oval:org.secpod.oval:def:704136 jasper: Library for manipulating JPEG-2000 files Several security issues were fixed in JasPer. oval:org.secpod.oval:def:603147 Multiple vulnerabilities in OpenJPEG, a JPEG 2000 image compression / decompression library, may result in denial of service or the execution of arbitrary code if a malformed JPEG 2000 file is processed. 
oval:org.secpod.oval:def:53167 Multiple vulnerabilities in OpenJPEG, a JPEG 2000 image compression / decompression library, may result in denial of service or the execution of arbitrary code if a malformed JPEG 2000 file is processed. oval:org.secpod.oval:def:1800026 CVE-2016-8605: Thread-unsafe umask modification. The mkdir procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process" umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure pe ... oval:org.secpod.oval:def:1800805 CVE-2016-8605: Thread-unsafe umask modification The mkdir procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process" umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure per ... oval:org.secpod.oval:def:111454 GUILE is a library implementation of the Scheme programming language, written in C. GUILE provides a machine-independent execution platform that can be linked in as a library during the building of extensible programs. Install the guile package if you'd like to add extensibility to programs tha ... oval:org.secpod.oval:def:111466 GUILE is a library implementation of the Scheme programming language, written in C. GUILE provides a machine-independent execution platform that can be linked in as a library during the building of extensible programs. Install the guile package if you'd like to add extensibility to programs tha ... oval:org.secpod.oval:def:45092 perl: Practical Extraction and Report Language Several security issues were fixed in Perl. oval:org.secpod.oval:def:54501 The host is installed with Apple Mac OS 10.8 through 10.13 and is prone to multiple vulnerabilities. The flaws are present in the application, which fails to properly handle the authentication API. 
Successful exploitation allows remote attackers to bypass required authentication if the API was used ... oval:org.secpod.oval:def:42910 The host is missing a security update according to Apple advisory, APPLE-SA-2017-10-31-2. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary ... oval:org.secpod.oval:def:111429 Chromium is an open-source web browser, powered by WebKit . oval:org.secpod.oval:def:39718 The host is missing a security update according to Apple advisory, APPLE-SA-2017-03-27-3. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary ... oval:org.secpod.oval:def:1501987 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1600784 A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. It was found that OpenSSH did not limit password lengths f ... oval:org.secpod.oval:def:36105 libgd2: GD Graphics Library The GD library could be made to crash or run programs if it processed a specially crafted image file. oval:org.secpod.oval:def:36104 libgd2: GD Graphics Library The GD library could be made to crash or run programs if it processed a specially crafted image file. oval:org.secpod.oval:def:602557 Several vulnerabilities were discovered in libgd2, a library for programmatic graphics creation and manipulation. 
A remote attacker can take advantage of these flaws to cause a denial-of-service against an application using the libgd2 library , or potentially to execute arbitrary code with the privi ... |