oval:org.secpod.oval:def:1800014
Alpine Linux 3.6 is installed

oval:org.secpod.oval:def:1800146
Affected versions: PostfixAdmin 3.0 and 3.0.1; PostfixAdmin 2.91, 2.92 and 2.93. Older PostfixAdmin releases are not affected. PostfixAdmin 3.0.2 will fix this issue.

oval:org.secpod.oval:def:1800328
CVE-2017-8903, XSA-213: x86: 64bit PV guest breakout via pagetable use-after-mode-change Reference: CVE-2017-8904, XSA-214: grant transfer allows PV guest to elevate privileges

oval:org.secpod.oval:def:1800169
CVE-2017-9078 - The server in Dropbear before 2017.75 might allow post-authentication root remote code execution because of a double free in cleanup of TCP listeners when the -a option is enabled. CVE-2017-9079 - Dropbear before 2017.75 might allow local users to read certain files as root, if the fil ...

oval:org.secpod.oval:def:1800158
CVE-2017-5209: The base64decode function in base64.c in libimobiledevice libplist through 1.12 allows attackers to obtain sensitive information from process memory or cause a denial of service via split encoded Apple Property List data. Reference: Patch: CVE-2017-5545: The main function in plistuti ...

oval:org.secpod.oval:def:1800881
A number of security vulnerabilities in the Graphite 2 library including out-of-bounds reads, buffer overflow reads and writes, and the use of uninitialized memory. These issues were addressed in Graphite 2 version 1.3.10.

oval:org.secpod.oval:def:1801558
A vulnerability was found in popd. It can be tricked to free a user supplied address in the following way: $ popd +-111111 This could be used to bypass restricted shells on some environments to cause use-after-free.

oval:org.secpod.oval:def:1800736
Fixed in: gnutls 3.5.13 Reference: Patches:

oval:org.secpod.oval:def:1800042
CVE-2015-9099: The lame_init_params function in lame.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service via a crafted audio file with a negative sample rate.

oval:org.secpod.oval:def:1800058
CVE-2017-5846: The gst_asf_demux_process_ext_stream_props function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer before 1.10.3 allows remote attackers to cause a denial of service via vectors related to the number of languages in a video file.

oval:org.secpod.oval:def:1800060
An incorrect "pair?" check in the Scheme "length" procedure results in an unsafe pointer dereference in all CHICKEN Scheme versions prior to 4.13, which allows an attacker to cause a denial of service by passing an improper list to an application that calls "length" on it. Fixed In Version: chicken ...

oval:org.secpod.oval:def:1800118
CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs CVE-2017-7234: Open redirect vulnerability in django.views.static.serve Fixed in: py-django 1.10.7, 1.9.13, and 1.8.18

oval:org.secpod.oval:def:1800996
Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume vulnerability in the UDP support of the memcached server that can result in denial of service via network flood. This attack appears to be exploitable via network connectivity to port 11211 UDP. Fixed In Version: ...

oval:org.secpod.oval:def:1800105
A flaw in minion id validation was found which could allow certain minions to authenticate to a master despite not having the correct credentials. To exploit the vulnerability, an attacker must create a salt-minion with an ID containing characters that will cause a directory traversal. Fixed In Vers ...

oval:org.secpod.oval:def:1800164
logger.c in the logger plugin in WeeChat before 1.9.1 allows a crash via strftime date/time specifiers, because a buffer is not initialized. Fixed in: weechat 1.9.1

oval:org.secpod.oval:def:1800243
CVE-2016-10128: smart_pkt: verify packet length exceeds PKT_LEN_SIZE; Fixed In Version: libgit2 0.25.1, libgit2 0.24.6

oval:org.secpod.oval:def:1800203
CVE-2018-5205: When using incomplete escape codes, Irssi may access data beyond the end of the string. Affected Versions: All Irssi versions. Fixed In: Irssi 1.0.6

oval:org.secpod.oval:def:1800267
musl 1.1.16 and previous are affected by CVE-2017-15650. The issue was resolved in 1.1.17 which is currently in the edge repository. The patch looks simple and is said to apply cleanly to "all recent versions". I suggest including the patch in all currently supported Alpine releases, assuming it doe ...

oval:org.secpod.oval:def:1800275
The III_i_stereo function in libmpg123/layer3.c in mpg123 through 1.25.1 allows attackers to cause a denial of service via a crafted audio file that is mishandled in the code for the "block_type != 2" case, a similar issue to CVE-2017-9870. Fixed In Version: mpg123 1.25.2

oval:org.secpod.oval:def:1800762
Commit f86a374: The check opens the logfile with full root privileges. This allows us to truncate any file or create a root-owned file with any contents in any directory and can be easily exploited to full root access in several ways. Affects: screen 4.4.0 up to and including 4.5.0

oval:org.secpod.oval:def:1801015
An issue was discovered in FreeType 2 through 2.9. A NULL pointer dereference in the Ins_GETVARIATION function within ttinterp.c could lead to DoS via a crafted font file.

oval:org.secpod.oval:def:1800943
CVE-2018-6758: The uwsgi_expand_path function in core/utils.c in Unbit uWSGI through 2.0.15 has a stack-based buffer overflow via a large directory length.

oval:org.secpod.oval:def:1800987
In version 4.14.0-r0 of the following packages installed from all files installed have owner/group = 1000/1000 which is a huge security hole. xfsprogs xfsprogs-libs xfsprogs-extra xfsprogs-doc

oval:org.secpod.oval:def:1801020
CVE-2018-11218: Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2 because of stack-based buffer overflows.

oval:org.secpod.oval:def:1801082
CVE-2018-14349: Heap Overflow in imap/command.c. Fixed In Version: mutt 1.10.1

oval:org.secpod.oval:def:1801166
A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and including 2.78. Wildcard synthesized NSEC records could be improperly interpreted to prove the non-existence of hostnames that actually exist.

oval:org.secpod.oval:def:1801405
CVE-2019-11234: eap-pwd: fake authentication using reflection. A vulnerability was found in FreeRadius. An attacker can reflect the received scalar and element from the server in its own commit message, and subsequently reflect the confirm value as well. This causes the adversary to successful ...

oval:org.secpod.oval:def:1800030
CVE-2017-7484: selectivity estimators bypass SELECT privilege checks; Fixed In Version: postgresql 9.4.12, postgresql 9.5.7, postgresql 9.6.3

oval:org.secpod.oval:def:1800286
CVE-2017-12172: Start scripts permit database administrator to modify root-owned files CVE-2017-15098: Memory disclosure in JSON functions CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges Fixed In: postgresql 9.2.24, postgresql 9.3.20, postgresql 9.4.15, postgresql ...

oval:org.secpod.oval:def:1800108
CVE-2017-5470: Memory safety bugs CVE-2017-5472: Use-after-free using destroyed node when regenerating trees CVE-2017-7749: Use-after-free during docshell reloading CVE-2017-7750: Use-after-free with track elements CVE-2017-7751: Use-after-free with content viewer listeners CVE-2017-7752: Use-after- ...

oval:org.secpod.oval:def:1800230
The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted mp4 file.

oval:org.secpod.oval:def:1800714
CVE-2017-10970: Cross-site scripting vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error function in lib/html_validate.php.

oval:org.secpod.oval:def:1800973
CVE-2018-0202: Out-of-bounds access in the PDF parser. Fixed In Version: clamav 0.99.4

oval:org.secpod.oval:def:1800196
The bmp_read_info_header function in bin/jp2/convertbmp.c in OpenJPEG 2.2.0 does not reject headers with a zero biBitCount, which allows remote attackers to cause a denial of service in the opj_image_create function in lib/openjp2/image.c, related to the opj_aligned_alloc_n function in opj_malloc.c ...

oval:org.secpod.oval:def:1800891
CVE-2017-7592: Left shift of unsigned char without a cast; The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted image.

oval:org.secpod.oval:def:1801321
A flaw was found in the CUPS printing server. Insufficient randomness makes session cookies predictable, breaking CSRF protection.

oval:org.secpod.oval:def:1801536
SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in shell.c because it fails to consider certain cases where `sqlite3_step==SQLITE_ROW` is false and a data structure is never initialized. An attacker might use this for a denial of service. Fixed in: 3.21.0

oval:org.secpod.oval:def:1800915
CVE-2017-14632: Invalid freeing of uninitialized memory in the function vorbis_analysis_headerout; Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing uninitialized memory in the function vorbis_analysis_headerout in info.c when vi-

oval:org.secpod.oval:def:1801178
CVE-2017-15232: libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file.

oval:org.secpod.oval:def:1800855
CVE-2017-1000100: TFTP sends more than buffer size; When doing a TFTP upload and curl/libcurl is given a URL that contains a very long file name, the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too lar ...

oval:org.secpod.oval:def:1801110
If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash, then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and othe ...

oval:org.secpod.oval:def:1800056
CVE-2017-3136: An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"; Affected versions: 9.8.0 -

oval:org.secpod.oval:def:1800277
The try_read_command function in memcached.c in memcached before 1.4.39 allows remote attackers to cause a denial of service via a request to add/set a key, which makes a comparison between signed and unsigned int and triggers a heap-based buffer over-read. NOTE: this vulnerability exists because o ...

oval:org.secpod.oval:def:1800913
CVE-2016-10195: dns remote stack over read vulnerability; Fixed in libevent 2.1.6

oval:org.secpod.oval:def:1800977
The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service via a crafted JSON file.

oval:org.secpod.oval:def:1801286
GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service by modifying a file that is supposed to be archived by a different user's process.

oval:org.secpod.oval:def:1800183
servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to a double free vulnerability. A user with access to search the directory can crash slapd by issuing a search including the Paged Results control with a page size of 0. Reference: Patch:

oval:org.secpod.oval:def:1801281
set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information by reading this attribute, as demonstrated by getfattr. This al ...

oval:org.secpod.oval:def:1801254
Git before 2.19.2 on Linux and UNIX executes commands from the current working directory in certain cases involving the run_command API and run-command.c, because there was a dangerous change from execvp to execv during 2017. Fixed In Version: git 2.19.2

oval:org.secpod.oval:def:1801421
CVE-2019-8320: Delete directory using symlink when decompressing tar CVE-2019-8321: Escape sequence injection vulnerability in verbose CVE-2019-8322: Escape sequence injection vulnerability in gem owner CVE-2019-8323: Escape sequence injection vulnerability in API response handling CVE-2019-8324: In ...

oval:org.secpod.oval:def:1801310
A pointer overflow, with code execution, was discovered in ZeroMQ libzmq 4.2.x and 4.3.x before 4.3.1. A v2_decoder.cpp zmq::v2_decoder_t::size_ready integer overflow allows an authenticated attacker to overwrite an arbitrary amount of bytes beyond the bounds of a buffer, which can be leveraged to ...

oval:org.secpod.oval:def:1801298
spice versions 0.5.2 through 0.14.1 are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial-of-service, or, in the worst case, code-execution by unauthenticated attackers. Fixed In Version: spice 0.14.2

oval:org.secpod.oval:def:1801265
CVE-2018-12900: Heap-based buffer overflow in the cpSeparateBufToContigBuf function resulting in a denial of service. Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service or possibly have unspecifi ...

oval:org.secpod.oval:def:1800887
CVE-2017-15042: smtp.PlainAuth susceptible to man-in-the-middle password harvesting; It was found that smtp.PlainAuth scheme was vulnerable to man-in-the-middle attack. smtp.PlainAuth implementation would send the username and password to man-in-the-middle SMTP server that doesn't advertise STARTTLS ...

oval:org.secpod.oval:def:1801170
In Kamailio before 5.0.7 and 5.1.x before 5.1.4, a crafted SIP message with a double "To" header and an empty "To" tag causes a segmentation fault and crash. The reason is missing input validation in the "build_res_buf_from_sip_req" core function. This could result in denial of service and potential ...

oval:org.secpod.oval:def:1801253
CVE-2018-16843: Excessive memory consumption via flaw in HTTP/2 implementation. Affected Versions: nginx 1.9.5 - 1.15.5. Fixed In Version: nginx 1.15.6, nginx 1.14.1

oval:org.secpod.oval:def:1800133
libarchive 3.3.2 allows remote attackers to cause a denial of service via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archive_read_support_format_xar.c.

oval:org.secpod.oval:def:1800712
In LibTIFF 4.0.9, there is a Null-Pointer Dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash.

oval:org.secpod.oval:def:1801530
A Buffer Overflow issue was discovered in Kamailio before 4.4.7, 5.0.x before 5.0.6, and 5.1.x before 5.1.2. A specially crafted REGISTER message with a malformed branch or From tag triggers an off-by-one heap-based buffer overflow in the tmx_check_pretran function in modules/tmx/tmx_pretran.c.

oval:org.secpod.oval:def:1801011
GnuPG before version 2.2.8 does not properly sanitize original filenames of signed or encrypted messages allowing for the insertion of line feeds and other control characters. An attacker could exploit this by injecting such characters to craft status messages and fake the validity of signatures.

oval:org.secpod.oval:def:1800052
Exim supports the use of multiple "-p" command line arguments which are malloc'ed and never free'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch, but ...

oval:org.secpod.oval:def:1800700
CVE-2017-9147: LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function in tif_dir.c, which might allow remote attackers to cause a denial of service via a crafted TIFF file. Reference: Patch: CVE-2017-9403: In LibTIFF 4.0.7, a memory leak vulnerability was found in the function TIFFReadDir ...

oval:org.secpod.oval:def:1801550
CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone transfers. Affected versions: 9.4.0-

oval:org.secpod.oval:def:1800828
The comic book backend in evince 3.24.0 is vulnerable to a command injection bug that can be used to execute arbitrary commands when a cbt file is opened.

oval:org.secpod.oval:def:1800103
An exploitable stack based buffer overflow vulnerability exists in the GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability. Fixed In Vers ...

oval:org.secpod.oval:def:1800752
CVE-2017-6419: heap-based buffer overflow in mspack/lzxd.c; mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted CHM file.

oval:org.secpod.oval:def:1800134
Augeas versions up to and including 1.8.0 are vulnerable to heap-based buffer overflow due to improper handling of escaped strings. Attacker could send crafted strings that would cause the application using augeas to copy past the end of a buffer, leading to a crash or possible code execution. Fixed ...

oval:org.secpod.oval:def:1800155
CVE-2017-14098: Remote Crash Vulnerability in res_pjsip Fixed In Version: asterisk 13.17.1, asterisk 14.6.1

oval:org.secpod.oval:def:1800129
File versions 5.29, 5.30 and 5.31 contain a stack based buffer overflow when parsing a specially crafted input file. The issue lets an attacker overwrite a fixed 20 bytes stack buffer with a specially crafted .notes section in an ELF binary file. Fixed In Version: file 5.32

oval:org.secpod.oval:def:1800193
All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.

oval:org.secpod.oval:def:1800827
GNU Emacs before 25.3 allows remote attackers to execute arbitrary code via email with crafted "Content-Type: text/enriched" data containing an x-display XML element that specifies execution of shell commands, related to an unsafe text/enriched extension in lisp/textmodes/enriched.el, and unsafe Gnu ...

oval:org.secpod.oval:def:1800746
An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or url to trigger this vulnerability. Fixed in: G ...

oval:org.secpod.oval:def:1800248
The rend_service_intro_established function in or/rendservice.c in Tor before 0.2.8.15, 0.2.9.x before 0.2.9.12, 0.3.0.x before 0.3.0.11, 0.3.1.x before 0.3.1.7, and 0.3.2.x before 0.3.2.1-alpha, when SafeLogging is disabled, allows attackers to obtain sensitive information by leveraging access to t ...

oval:org.secpod.oval:def:1800816
The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 allows remote attackers to cause a denial of service via BGP UPDATE messages, because AS_PATH size calculation for long paths counts certain bytes twice and consequently constructs an invalid message.

oval:org.secpod.oval:def:1800168
CVE-2017-14316, XSA-231: Missing NUMA node parameter verification;

oval:org.secpod.oval:def:1800114
In Heimdal through 7.4, remote unauthenticated attackers are able to crash the KDC by sending a crafted UDP packet containing empty data fields for client name or realm. The parser would unconditionally dereference NULL pointers in that case, leading to a segmentation fault. This is related to the _ ...

oval:org.secpod.oval:def:1800121
CVE-2017-16671: Buffer overflow in CDR's set user; A Buffer Overflow issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. No size checking is done when setting the user field for Party B on a CDR. Thus ...

oval:org.secpod.oval:def:1800962
CVE-2018-1050: Denial of Service Attack on external print server. Affected Versions: All versions of Samba from 4.0.0 onwards. Fixed In Version: Samba 4.7.6, 4.6.14 and 4.5.16.

oval:org.secpod.oval:def:1801159
The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On sy ...

oval:org.secpod.oval:def:1800178
An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that data with a pointer and the size to the deliver-data function. Affected versions: libcurl 7.20.0 to and including 7.56.0 Not affected ...

oval:org.secpod.oval:def:1800928
CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write. Affected versions: curl 7.12.3 to and including curl 7.58.0. Not affected versions: curl = 7.59.0

oval:org.secpod.oval:def:1800205
CVE-2017-12893: Buffer over-read in smbutil.c:name_len in SMB/CIFS parser CVE-2017-12894: Buffer over-read in addrtoname.c:lookup_bytestring CVE-2017-12895: Buffer over-read in print-icmp.c:icmp_print in ICMP parser CVE-2017-12896: Buffer over-read in print-isakmp.c:isakmp_rfc3948_print in ISAKMP pa ...

oval:org.secpod.oval:def:1801095
A flaw was found in libvorbis 1.3.6. The mapping0_forward function in mapping0.c file in Xiph.Org does not validate the number of channels, which allows remote attackers to cause a denial of service via a crafted file.

oval:org.secpod.oval:def:1801200
One heap-based out-of-bounds read vulnerability exists in libexif-0.6.21. When saving the data of an entry tagged with EXIF_TAG_MAKER_NOTE to a buffer and copying the data of the exif entry, there is a mismatch between the computed read size of the entry data and the size of the allocated entry data ...

oval:org.secpod.oval:def:1801089
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.

oval:org.secpod.oval:def:1801329
Python Paramiko through versions 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5 and 1.17.6 is vulnerable to an authentication bypass in paramiko/auth_handler.py. A remote attacker could exploit this vulnerability in paramiko SSH servers to execute arbitrary code. Fixed In Version: python-paramiko 2 ...

oval:org.secpod.oval:def:1801268
CVE-2018-14423: Division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in lib/openjp3d/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service.

oval:org.secpod.oval:def:1801341
In OpenJPEG 2.3.0, there is an integer overflow caused by an out-of-bounds left shift in the opj_j2k_setup_encoder function. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file.

oval:org.secpod.oval:def:1800753
Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in libsndfile through 1.0.28 allows remote attackers to cause a denial of service or possibly have unspecified other impact.

oval:org.secpod.oval:def:1800844
The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.

oval:org.secpod.oval:def:1800293
CVE-2016-6664: mariadb 10.1.21 CVE-2017-3238: mariadb 5.5.54, mariadb 10.1.21 CVE-2017-3243: mariadb 5.5.54, mariadb 10.1.21 CVE-2017-3244: mariadb 5.5.54, mariadb 10.1.21 CVE-2017-3257: mariadb 10.1.21 CVE-2017-3258: mariadb 5.5.54, mariadb 10.1.21 CVE-2017-3265: MariaDB 10.1.21 CVE-2017-3291: Maria ...

oval:org.secpod.oval:def:1801552
CVE-2017-2887: An exploitable buffer overflow vulnerability exists in the XCF property handling functionality of SDL_image 2.0.1.

oval:org.secpod.oval:def:1800862
CVE-2017-12150: SMB1/2/3 connections may not require signing where they should Affected versions: samba 3.0.25 to 4.6.7 Fixed in: samba 4.6.8, 4.5.14 and 4.4.16

oval:org.secpod.oval:def:1801160
OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

oval:org.secpod.oval:def:1801389
CVE-2019-1787: An out-of-bounds heap read condition may occur when scanning PDF documents. The defect is a failure to correctly keep track of the number of bytes remaining in a buffer when indexing file data. Fixed In Version: ClamAV 0.100.3

oval:org.secpod.oval:def:1800329
CVE-2017-5884: Improper check of framebuffer boundaries when processing a tile; gtk-vnc before 0.7.0 does not properly check boundaries of subrectangle-containing tiles, which allows remote servers to execute arbitrary code via the src x, y coordinates in a crafted rre, hextile, or copyrect tile.

oval:org.secpod.oval:def:1800419
Munin has a local file write vulnerability when CGI graphs are enabled. Setting multiple "upper_limit" GET parameters allows overwriting any file accessible to the www-data user.

oval:org.secpod.oval:def:1800661
A vulnerability exists in Mosquitto versions 0.15 to 1.4.11. Pattern based ACLs can be bypassed by clients that set their username/client id to # or +. This allows locally or remotely connected clients to access MQTT topics that they do not have the rights to. The same issue may be present in third part ...

oval:org.secpod.oval:def:1800415
If named is configured to use Response Policy Zones an error processing some rule types can lead to a condition where BIND will endlessly loop while handling a query. Impact: A server is potentially vulnerable to degradation of service if 1. the server is configured to use RPZ, 2. the server uses NS ...

oval:org.secpod.oval:def:1800424
phpLDAPadmin through 1.2.3 has XSS in htdocs/entry_chooser.php via the form, element, rdn, or container parameter.

oval:org.secpod.oval:def:1800673
CVE-2017-1000115: Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.

oval:org.secpod.oval:def:1800432
A wrong if statement in the varnishd source code means that synthetic objects in stevedores which over-allocate, may leak up to page size of data from a malloc memory allocation. In an unpredictable percentage of the cases where this condition arises, a segmentation fault will happen instead. All the ...

oval:org.secpod.oval:def:1800534
CVE-2017-14107: Memory allocation failure in _zip_cdir_grow function; The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0 mishandles EOCD records, which allows attackers to cause a denial of service via a crafted ZIP archive. Fixed in: libzip 1.3.0

oval:org.secpod.oval:def:1800296
CVE-2017-7546: Empty password accepted in some authentication methods CVE-2017-7547: The "pg_user_mappings" catalog view discloses passwords to users lacking server privileges CVE-2017-7548: lo_put function ignores ACLs Fixed In Version: postgresql 9.2.22, postgresql 9.3.18, postgresql 9.4.13, postg ...

oval:org.secpod.oval:def:1801423
Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.

oval:org.secpod.oval:def:1800780
Improper sequencing during cleanup operations of upstream recursion fetch contexts in BIND can lead to a use-after-free error, triggering an assertion failure and crash in named. Affected BIND versions acting as DNSSEC validating resolvers are currently known to crash with an assertion failure in ne ...

oval:org.secpod.oval:def:1800912
parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a "%" character in a DTD name. Fixed In Version: libxml2 2.9.5

oval:org.secpod.oval:def:1800107
An out of boundary write has been found in libXpm exploited by an attacker through maliciously crafted XPM files. Fixed In Version: libxpm 3.5.12 Reference: Upstream patch:

oval:org.secpod.oval:def:1801409
By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simul ...

oval:org.secpod.oval:def:1801396
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

oval:org.secpod.oval:def:1801387
Samba contains an RPC endpoint emulating the Windows registry service API. One of the requests, "winreg_SaveKey", is susceptible to a path/symlink traversal vulnerability. Unprivileged users can use it to create a new registry hive file anywhere they have unix permissions to create a new file within ...

oval:org.secpod.oval:def:1801344
CVE-2019-3855: Possible integer overflow in transport read allows out-of-bounds write Affected versions: all versions to and including 1.8.0 Not affected versions: libssh2

oval:org.secpod.oval:def:1801338
A vulnerability was found in Django before versions 2.2b1, 2.1.6, 2.0.11, 1.11.19. If django.utils.numberformat.format, used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters, received a Decimal with a large number of digits or a large exponent, it could ...

oval:org.secpod.oval:def:1801337
CVE-2018-16890: NTLM type-2 out-of-bounds buffer read. The function handling incoming NTLM type-2 messages does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad l ...

oval:org.secpod.oval:def:1801334
CVE-2018-20685: In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.

oval:org.secpod.oval:def:1801292
commands/rsync in Gitolite before 3.6.11, if .gitolite.rc enables rsync, mishandles the rsync command line, which allows attackers to have a "bad" impact by triggering use of an option other than -v, -n, -q, or -P.

oval:org.secpod.oval:def:1801319
Django before versions 1.11.18, 2.0.10 and 2.1.5 is vulnerable to content spoofing via crafted URL in the default 404 page. An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the django.views.defaults.page_not_found view. Fixed In Version: ...

oval:org.secpod.oval:def:1801275
A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type, the attacker can crash the KDC by making an S4U2Self request.

oval:org.secpod.oval:def:1801273
SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements, aka Magellan.

oval:org.secpod.oval:def:1801307
CVE-2018-19961, CVE-2018-19962, XSA-275: insufficient TLB flushing / improper large page mappings with AMD IOMMUs

oval:org.secpod.oval:def:1801260
CVE-2018-18311: Integer overflow leading to buffer overflow. A flaw was found in Perl versions 5.8.0 through 5.28. An integer overflow leading to buffer overflow in Perl_my_setenv function in util.c. Fixed In Version: perl 5.29.1, perl 5.26.3

oval:org.secpod.oval:def:1801308
CVE-2018-19840: The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service via a crafted wav audio file because WavpackSetConfiguration64 mishandles a sample rate of zero.

oval:org.secpod.oval:def:1801261
CVE-2018-19409: An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used. Fixed In Version: ghostscript 9.26

oval:org.secpod.oval:def:1801322
CVE-2018-16737: tinc 1.0.29 and earlier allow an oracle attack that could allow a remote attacker to establish one-way communication with a tinc node, allowing it to send fake control messages and inject packets into the VPN. The attack takes only a few seconds to complete. Tinc 1.1pre14 and earlier ...

oval:org.secpod.oval:def:1801189
The gmp plugin in strongSwan before 5.7.1 has a Buffer Overflow via a crafted certificate, the vulnerability was introduced with the patch that fixes CVE-2018-16151/2.

oval:org.secpod.oval:def:1801531
CVE-2018-16151: In verify_emsa_pkcs1_signature in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA implementation based on GMP does not reject excess data after the encoded algorithm OID during PKCS#1 v1.5 signature verification. Similar to the flaw in the same ...

oval:org.secpod.oval:def:1801190
HylaFAX 6.0.6 and HylaFAX+ 5.6.0 allow remote attackers to execute arbitrary code via a dial-in session that provides a FAX page with the JPEG bit enabled, which is mishandled in FaxModem::writeECMData in the faxd/CopyQuality.c++ file.

oval:org.secpod.oval:def:1801206
CVE-2018-14598: Crash on invalid reply in XListExtensions in ListExt.c. An issue was discovered in ListExt.c:XListExtensions and GetFPath.c:XGetFontPath in libX11 through version 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL ...

oval:org.secpod.oval:def:1800171
- Mitigate a flush+reload side-channel attack on RSA secret keys dubbed "Sliding right into disaster". For details see < [CVE-2017-7526] Looks like libgcrypt needs to be fixed in stable branches.

oval:org.secpod.oval:def:1801101
In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the "allow_other" mount option regardless of whether "user_allow_other" is set in the fuse configuration. An attack ...

oval:org.secpod.oval:def:1801115
DoS for HTTP/2 connections by crafted requests: By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed In Version: Apache HTTP Server 2.4.34

oval:org.secpod.oval:def:1801019
Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. ...

oval:org.secpod.oval:def:1801006
CVE-2018-10536: An issue was discovered in WavPack 5.1.0 and earlier. The WAV parser component contains a vulnerability that allows writing to memory because ParseRiffHeaderConfig in riff.c does not reject multiple format chunks.

oval:org.secpod.oval:def:1800966
CVE-2017-10268: mariaDB 10.1.29 CVE-2017-10378: mariaDB 10.1.29 CVE-2017-15365: mariaDB 10.1.30 CVE-2018-2562: mariaDB 10.1.31 CVE-2018-2622: mariaDB 10.1.31 CVE-2018-2640: mariaDB 10.1.31 CVE-2018-2665: mariaDB 10.1.31 CVE-2018-2668: mariaDB 10.1.31 CVE-2018-2612: mariaDB 10.1.31

oval:org.secpod.oval:def:1800013
An issue was discovered in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1 before 4.13. Unlimited recursion in the BER decoder leads to stack exhaustion and DoS.

oval:org.secpod.oval:def:1800925
A flaw was found in rsync versions before 3.1.3. The parse_argument function in options.c in the rsyncd component does not prevent multiple --protect-args uses, thus letting the user specify the arg in the protected-arg list and shortcut some of the arg-sanitizing code. This vulnerability allows remot ...

oval:org.secpod.oval:def:1800162
CVE-2017-16548: The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing "\0" character in an xattr name, which allows remote attackers to cause a denial of service or possibly have unspecified other impact by sending crafted data to the daemon.

oval:org.secpod.oval:def:1800726
Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic. Fixed In Version: 6.0-20171125

oval:org.secpod.oval:def:1800786
CVE-2017-15191: DMP dissector crash; Affected versions: 2.4.0 to 2.4.1, 2.2.0 to 2.2.9, 2.0.0 to 2.0.15 Fixed versions: 2.4.2, 2.2.10, 2.0.16

oval:org.secpod.oval:def:1800256
When libcurl connects to an FTP server and successfully logs in, it asks the server for the current directory with the PWD command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a fl ...

oval:org.secpod.oval:def:1800245
CVE-2017-13065: GraphicsMagick 1.3.26 has a NULL pointer dereference vulnerability in the function SVGStartElement in coders/svg.c.

oval:org.secpod.oval:def:1800297
CVE-2017-13775: GraphicsMagick 1.3.26 has a denial of service issue in ReadJNXImage in coders/jnx.c whereby large amounts of CPU and memory resources may be consumed although the file itself does not support the requests.

oval:org.secpod.oval:def:1800284
CVE-2017-11112: In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data. Fixed In Version: ncurses 6.0-20170701

oval:org.secpod.oval:def:1800719
An attacker can craft an RSS item with shell code in the title and/or URL. When you bookmark such an item, your shell will execute that code. Newsbeuter versions 0.7 through 2.9 are affected.

oval:org.secpod.oval:def:1800834
Improper Neutralization of Special Elements used in an OS Command in the podcast playback function of Podbeuter in Newsbeuter 0.3 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item with a media enclosure that includes shell metacharacters in its file ...

oval:org.secpod.oval:def:1800244
A Subversion client sometimes connects to URLs provided by the repository. This happens in two primary cases: during "checkout", "export", "update", and "switch", when the tree being downloaded contains svn:externals properties; and when using "svnsync sync" with one URL argument. A maliciously constru ...

oval:org.secpod.oval:def:1800854
CVE-2017-10684, CVE-2017-10685: In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.

oval:org.secpod.oval:def:1800839
The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.

oval:org.secpod.oval:def:1800890
CVE-2017-9022: Insufficient validation of RSA public keys passed to the gmp plugin; RSA public keys passed to the gmp plugin aren't validated sufficiently before attempting signature verification, so that invalid input might lead to a floating point exception and crash of the process. A certificate ...

oval:org.secpod.oval:def:1800176
CVE-2017-5006: Universal XSS in Blink. CVE-2017-5007: Universal XSS in Blink. CVE-2017-5008: Universal XSS in Blink. CVE-2017-5009: Out of bounds memory access in WebRTC. CVE-2017-5010: Universal XSS in Blink. CVE-2017-5011: Unauthorised file access in Devtools. CVE-2017-5012: Heap overflow in V8. CVE- ...

oval:org.secpod.oval:def:1800658
3.2.9 Fixes following vulnerabilities: CVE-2017-15186, Patch: 3.2.8 Fixes following vulnerabilities: CVE-2017-14054, CVE-2017-14055, CVE-2017-14056, CVE-2017-14057, CVE-2017-14058, CVE-2017-14059, CVE-2017-14169, CVE-2017-14170, CVE-2017-14171, CVE-2017-14222, CVE-2017-14223, CVE-2017-14225, CVE-2017- ...

oval:org.secpod.oval:def:1800087
CVE-2017-12837: Heap-based buffer overflow in the regular expression compiler in PERL before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service via a crafted regular expression with the case-insensitive modifier.

oval:org.secpod.oval:def:1800615
CVE-2017-13765: IrCOMM dissector buffer overrun; Affected versions: 2.4.0, 2.2.0 to 2.2.8, 2.0.0 to 2.0.14 Fixed versions: 2.4.1, 2.2.9, 2.0.15

oval:org.secpod.oval:def:1800489
Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key, related to cipher/ecc.c and mpi/ec.c.

oval:org.secpod.oval:def:1800609
A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root. Affecte ...

oval:org.secpod.oval:def:1800323
CVE-2017-11406: DOCSIS infinite loop Affected versions: 2.2.0 to 2.2.7, 2.0.0 to 2.0.13 Fixed versions: 2.2.8, 2.0.14

oval:org.secpod.oval:def:1800649
CVE-2017-9343: MSNIP dissector crash; Affected versions: 2.2.0 to 2.2.6, 2.0.0 to 2.0.12 Fixed versions: 2.2.7, 2.0.13 Reference: CVE-2017-9344: BT L2CAP dissector divide by zero; Affected versions: 2.2.0 to 2.2.6, 2.0.0 to 2.0.12 Fixed versions: 2.2.7, 2.0.13 Reference: CVE-2017-9345: DNS dissector ...

oval:org.secpod.oval:def:1801282
CVE-2018-1000807: Use-after-free in X509 object handling. Python Cryptographic Authority pyopenssl version before 17.5.0 has a use-after-free vulnerability in X509 object handling. This can result in a denial of service or potentially even code execution.

oval:org.secpod.oval:def:1800252
All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to corr ...

oval:org.secpod.oval:def:1800216
CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP CVE-2017-5376: Use-after-free in XSL CVE-2017-5378: Pointer and frame data leakage of Javascript objects CVE-2017-5380: Potential use-after-free durin ...

oval:org.secpod.oval:def:1800952
CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc template filters. The django.utils.html.urlize function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions. The urlize function is used to implement the ...

oval:org.secpod.oval:def:1800524
Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerabi ...

oval:org.secpod.oval:def:1800475
CVE-2017-7401: Incorrect interaction of the parse_packet and parse_part_sign_sha256 functions in network.c in collectd 5.7.1 and earlier allows remote attackers to cause a denial of service of a collectd instance via a crafted UDP packet.

oval:org.secpod.oval:def:1800320
A buffer overflow can cause an open unsecured server to crash after 2GB

oval:org.secpod.oval:def:1800349
OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution. Fixed In Version: openvpn 2.3.18, openvpn 2.4.4

oval:org.secpod.oval:def:1800617
CVE-2016-9847: Unsafe generation of blowfish secret; All 4.6.x versions, 4.4.x versions, and 4.0.x versions are affected. Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply patch. Reference: CVE-2016-9848: phpinfo information leak value of sensitive cookies; All 4.6.x versions ...

oval:org.secpod.oval:def:1800509
CVE-2016-9131: A malformed response to an ANY query can cause an assertion failure during recursion; A malformed query response received by a recursive server in response to a query of RTYPE ANY could trigger an assertion failure while named is attempting to add the RRs in the query response to the ...

oval:org.secpod.oval:def:1800399
CVE-2018-1000024: Incorrect pointer handling when processing ESI Responses can lead to denial of service; Due to incorrect pointer handling, Squid versions 3.x and 4.x are vulnerable to a denial of service attack when processing ESI responses. This problem allows a remote server delivering certain ...

oval:org.secpod.oval:def:1800599
An attacker who learns the EdDSA session key from side-channel observation during the signing process, can easily recover the long-term secret key. Storing the session key in secure memory ensures that constant time point operations are used in the MPI library. Fixed In Version: libgcrypt 1.7.7 Refe ...

oval:org.secpod.oval:def:1800311
CVE-2017-15873: Integer overflow in the get_next_block function; The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation.

oval:org.secpod.oval:def:1800523
Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affected versions: 9.9.3-S1 -

oval:org.secpod.oval:def:1800514
CVE-2017-3313: mariaDB 10.1.22 CVE-2017-3302: mariaDB 10.1.22

oval:org.secpod.oval:def:1800515
The issue can be exploited to trigger an out of bounds write on 64-bit systems.

oval:org.secpod.oval:def:1800337
All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition. Samba uses the realpath system call to ensure when a client requests access to a pathname that it i ...

oval:org.secpod.oval:def:1800650
CVE: none assigned, XSA-207: memory leak when destroying guest without PT devices Reference: CVE-2017-2615, XSA-208: oob access in cirrus bitblt copy Reference: CVE-2017-2620, XSA-209: cirrus_bitblt_cputovideo does not check if memory region is safe

oval:org.secpod.oval:def:1800442
The vulnerability is caused due to an error in the "lha_read_file_header_1" function, which can be exploited to trigger an out-of-bounds read memory access via a specially crafted archive. Affected versions: libarchive version 3.2.2. Other versions may also be affected. Reference: Patch:

oval:org.secpod.oval:def:1800449
CVE-2017-5024 A heap overflow flaw was found in FFmpeg CVE-2017-5025 A heap overflow flaw was found in FFmpeg

oval:org.secpod.oval:def:1800431
CVE-2017-3308: mariadb 10.1.23 CVE-2017-3309: mariadb 10.1.23 CVE-2017-3453: mariadb 10.1.23 CVE-2017-3456: mariadb 10.1.23 CVE-2017-3464: mariadb 10.1.23 CVE-2017-3636: mariadb 10.1.26 CVE-2017-3641: mariadb 10.1.26 CVE-2017-3653: mariadb 10.1.26

oval:org.secpod.oval:def:1800612
CVE-2017-9611: The Ins_MIRP function in base/ttinterp.c in Artifex Ghostscript GhostXPS 9.21 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document.

oval:org.secpod.oval:def:1800522
tcpdump 4.9.0 allows remote attackers to cause a denial of service via crafted packet data. The crash occurs in the EXTRACT_16BITS function, called from the stp_print function for the Spanning Tree Protocol. Fixed in: Tcpdump 4.9.1

oval:org.secpod.oval:def:1800512
An integer overflow vulnerability in nginx range filter module in ngx_ function was found, potentially resulting in memory disclosure when used with 3rd party modules. Issue can be triggered by specially crafted http range request resulting into leaking the content of the cache file header. Affected ...

oval:org.secpod.oval:def:1800635
CVE-2017-6886: Memory corruption in the parse_tiff_ifd. An error within the "parse_tiff_ifd" function in LibRaw versions before 0.18.2 can be exploited to corrupt memory. Fixed In Version: LibRaw 0.18.2

oval:org.secpod.oval:def:1800385
There were two bugs in curl's parser for the command line option --write-out that would skip the end of string zero byte if the string ended in a % or \, and it would read beyond that buffer in the heap memory and it could then potentially output pieces of that memory to the terminal or the targe ...

oval:org.secpod.oval:def:1800466
CVE-2017-14746: Use-after-free vulnerability. Affected Versions: All versions of Samba from 4.0.0 onwards. Fixed In: Samba 4.7.3, 4.6.11 and 4.5.15

oval:org.secpod.oval:def:1800457
The gmp plugin in strongSwan before 5.6.0 allows remote attackers to cause a denial of service via a crafted RSA signature. Fixed In Version: strongswan 5.6.0

oval:org.secpod.oval:def:1800458
A non-privileged X client can instruct X server running under root to open any file by creating own directory with "fonts.dir", "fonts.alias" or any font file being a symbolic link to any other file in the system. X server will then open it. This can be issue with special files such as /dev/watchdog. ...

oval:org.secpod.oval:def:1800367
Integer signedness error in MiniUPnP MiniUPnPc v1.4.20101221 through v2.0 allows remote attackers to cause a denial of service or possibly have unspecified other impact.

oval:org.secpod.oval:def:1800355
CVE-2017-9468: When receiving a DCC message without source nick/host, Irssi would attempt to dereference a NULL pointer. Fixed in: Irssi 1.0.3 Reference: Patch; CVE-2017-9469: When receiving certain incorrectly quoted DCC files, Irssi would try to find the terminating quote one byte before the alloc ...

oval:org.secpod.oval:def:1800541
CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements CVE-2017-7779: Memory safety bugs CVE-2017-7784: Use-after-free with image observers CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM CVE-2017-7786: Buffer overflow while painting non-displayable SVG CVE-2 ...

oval:org.secpod.oval:def:1800533
CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL.

oval:org.secpod.oval:def:1800537
CVE-2017-7793: Use-after-free with Fetch API CVE-2017-7818: Use-after-free during ARIA array manipulation CVE-2017-7819: Use-after-free while resizing images in design mode CVE-2017-7824: Buffer overflow when drawing and validating elements with ANGLE CVE-2017-7805: Use-after-free in TLS 1.2 generat ...

oval:org.secpod.oval:def:1800550
Two errors in the "asn1_find_node" function within GnuTLS libtasn1 version 4.10 can be exploited to cause a stack-based buffer overflow by tricking a user into processing a specially crafted assignments file via, e.g., the asn1Coding utility.

oval:org.secpod.oval:def:1800552
CVE-2017-8361: The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted audio file. Reference: Patch: CVE-2017-8362: The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows r ...

oval:org.secpod.oval:def:1800313
Two path traversal flaws in awstats in awstats 7.6 and earlier, that could be leveraged for unauthenticated remote code execution.

oval:org.secpod.oval:def:1800558
CVE-2017-7867: Heap-buffer overflow in utext_setNativeIndex function

oval:org.secpod.oval:def:1800626
CVE-2017-7607: Heap-buffer overflow in the handle_gnu_hash function; The handle_gnu_hash function in readelf.c in elfutils 0.168 allows remote attackers to cause a denial of service via a crafted ELF file.

oval:org.secpod.oval:def:1800498
An error within the "LibRaw::xtrans_interpolate" function can be exploited to cause an invalid read memory access and subsequently cause a crash via a specially crafted TIFF image. Fixed In Version: LibRaw 0.18.6

oval:org.secpod.oval:def:1800465
It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments. The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values ...

oval:org.secpod.oval:def:1800697
CVE-2018-1000005: HTTP/2 trailer out-of-bounds read; Affected versions: libcurl 7.49.0 to and including 7.57.0 Not affected versions: libcurl = 7.58.0

oval:org.secpod.oval:def:1800480
JasPer 2.0.12 is vulnerable to a NULL pointer exception in the function jp2_encode which failed to check to see if the image contained at least one component resulting in a denial-of-service.

oval:org.secpod.oval:def:1800510
CVE-2016-10169: global buffer over read in read_code / read_words.c Fixed In Version: wavpack 5.1.0

oval:org.secpod.oval:def:1800352
CVE-2017-6311: NULL dereference on gdk-pixbuf thumbnailer;

oval:org.secpod.oval:def:1800450
The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 has an out-of-order CloseBlob call, resulting in a use-after-free via a crafted file.

oval:org.secpod.oval:def:1800694
CVE-2017-14314: Off-by-one error in the DrawImage function in magick/render.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service via a crafted file.

oval:org.secpod.oval:def:1800428
CVE-2016-9941: Heap-based buffer overflow in rfbproto.c; Heap-based buffer overflow in rfbproto.c was found in LibVNCClient in LibVNCServer before 0.9.11 that allows remote servers to cause a denial of service or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a s ...

oval:org.secpod.oval:def:1800682
LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value.

oval:org.secpod.oval:def:1800095
CVE-2017-10911, XSA-216: blkif responses leak backend stack data Reference: CVE-2017-10912, XSA-217: page transfer may allow PV guest to elevate privilege Reference: CVE-2017-10913, CVE-2017-10914, XSA-218: Races in the grant table unmap code Reference: CVE-2017-10915, XSA-219: x86: insufficient ref ...

oval:org.secpod.oval:def:1801529
CVE-2018-18088: NULL pointer dereference in the imagetopnm function of jp2/convert.c. A flaw was found in OpenJPEG 2.3.0. A NULL pointer dereference for "red" in the imagetopnm function of jp2/convert.c

oval:org.secpod.oval:def:1800226
An out-of-bounds read in cmstypes.c in Type_MLU_Read function was found, leading to heap memory leak triggered by crafted ICC profile. Patch:

oval:org.secpod.oval:def:1800946
CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values. Affected Versions: 2.4.1 to 2.4.29 Fixed in: Apache 2.4.30

oval:org.secpod.oval:def:1800960
Ruby has multiple vulnerabilities: CVE-2017-17742: HTTP response splitting in WEBrick CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir CVE-2018-8777: DoS by large request in WEBrick CVE-2018-8778: Buffer under-read in String#unpack CVE-2018-877 ...

oval:org.secpod.oval:def:1801365
CVE-2019-0196: mod_ read-after-free on a string compare. Using fuzzed network input, the request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly. Versions Affected: 2.4.17 to 2.4.38 Fixed ...

oval:org.secpod.oval:def:1800288
Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket the KDC-REP service name must be obtained from the encrypted version stored i ...

oval:org.secpod.oval:def:1800842
A MITM attacker may impersonate a trusted server and thus gain elevated access to the domain by returning malicious replication or authorization data. Affected versions: All versions between Samba 4.0.0 and 4.6.6/4.5.12/4.4.15

oval:org.secpod.oval:def:1801544
CVE-2018-2755: mariaDB 10.1.33 CVE-2018-2761: mariaDB 10.1.33 CVE-2018-2766: mariaDB 10.1.33 CVE-2018-2767: mariaDB 10.1.33 CVE-2018-2771: mariaDB 10.1.33 CVE-2018-2781: mariaDB 10.1.33 CVE-2018-2782: mariaDB 10.1.33 CVE-2018-2784: mariaDB 10.1.33 CVE-2018-2787: mariaDB 10.1.33 CVE-2018-2813: mariaD ...

oval:org.secpod.oval:def:1800655
The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.

oval:org.secpod.oval:def:1800089
CVE-2016-9643: The regex code in WebKit allows remote attackers to cause a denial of service as demonstrated in a large number of . Versions affected: WebKitGTK+ before 2.14.6 CVE-2017-2367: This issue allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a c ...

oval:org.secpod.oval:def:1800513
It allows remote attackers to execute arbitrary code or cause a denial of service via a crafted web site. Versions affected: WebKitGTK+ before 2.16.4.

oval:org.secpod.oval:def:1800929
CVE-2018-7540, XSA-252: DoS via non-preemptable L3/L4 pagetable freeing All Xen versions are vulnerable.

oval:org.secpod.oval:def:1801221
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. Fixed in Ve ...

oval:org.secpod.oval:def:1800810
CVE-2017-2350; Versions affected: WebKitGTK+ before 2.14.4. Impact: Processing maliciously crafted web content may exfiltrate data cross-origin. Description: A prototype access issue was addressed through improved exception handling. CVE-2017-2354; Versions affected: WebKitGTK+ before 2.14.4. Impact: ...

oval:org.secpod.oval:def:1800459
CVE-2017-17044, XSA-246: x86: infinite loop due to missing PoD error checking Xen versions from 3.4.x onwards are affected.

oval:org.secpod.oval:def:1800914
CVE-2017-8816: NTLM buffer overflow via integer overflow Affected versions: libcurl 7.36.0 to and including 7.56.1 Not affected versions: libcurl = 7.57.0

oval:org.secpod.oval:def:1800663
libvirt version 2.3.0 and later is vulnerable to a bad default configuration of "verify-peer=no" passed to QEMU by libvirt resulting in a failure to validate SSL/TLS certificates by default.

oval:org.secpod.oval:def:1800309
vim before patch 8.0.0322 does not properly validate values for tree length when handling a spell file, which may result in an integer overflow at a memory allocation site and a resultant buffer overflow. Reference: Patch:

oval:org.secpod.oval:def:1800993
CVE-2018-11233: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.

oval:org.secpod.oval:def:1800488
CVE-2017-6362: Double-free in gdImagePngPtr. Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors. Fixed In Version: libgd 2.2.5

oval:org.secpod.oval:def:1800683
CVE-2017-3167: In Apache 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

oval:org.secpod.oval:def:1801296
CVE-2018-17189: DoS for HTTP/2 connections via slow request bodies. By sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 connections. A possible mitigation ...

oval:org.secpod.oval:def:1800236
CVE-2017-17566, XSA-248: x86 PV guests may gain access to internally used pages Reference: CVE-2017-17563, XSA-249: broken x86 shadow mode refcount overflow check Reference: CVE-2017-17564, XSA-250: improper x86 shadow mode refcount error handling Reference: CVE-2017-17565, XSA-251: improper bug che ...

oval:org.secpod.oval:def:1800184
LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service, as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c

oval:org.secpod.oval:def:1800817
CVE-2017-9224: An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at during regular expression searching. A logical error involving order of validation and access in match_at could r ...

oval:org.secpod.oval:def:1800377
CVE-2017-9224: An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at during regular expression searching. A logical error involving order of validation and access in match_at could r ...

oval:org.secpod.oval:def:1801186
Libgd version 2.2.5 contains a Double Free Vulnerability in gdImageBmpPtr Function that can result in Remote Code Execution. This attack appears to be exploitable via Specially Crafted Jpeg Image can trigger double free. This vulnerability appears to have been fixed in after commit ac1 ...

oval:org.secpod.oval:def:1801414
A vulnerability was found in libpng 1.6.36. The function png_image_free in png.c has a use-after-free because png_image_free_function is called under png_safe_execute. This flaw is in the PNG Simplified API, which was introduced upstream in libpng-1.6.0. Previous versions of libpng are not affected.

oval:org.secpod.oval:def:1801162
CVE-2018-10194: The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite component in Artifex Ghostscript through 9.22 does not prevent overflows in text-positioning calculation, which allows remote attackers to cause a denial of service or possibly have unspecified other impact ...

oval:org.secpod.oval:def:1801533
An issue was discovered in Artifex Ghostscript before 9.25. Incorrect "restoration of privilege" checking when running out of stack during exception handling could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction. This is due to an incomplete fix fo ...

oval:org.secpod.oval:def:1801004
CVE-2018-10472, XSA-258: Information leak via crafted user-supplied CDROM

oval:org.secpod.oval:def:1800331
CVE-2017-12135, XSA-226: multiple problems with transitive grants. All versions of Xen are vulnerable.

oval:org.secpod.oval:def:1800166
CPython up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in a heap-based buffer overflow.

oval:org.secpod.oval:def:1800720
CVE-2017-3735: Malformed X.509 IPAddressFamily could cause OOB read; If an X.509 certificate has a malformed IPAddressFamily extension, OpenSSL could do a one-byte buffer over-read. The most likely result would be an erroneous display of the certificate in text format. Fixed In Version: openssl 1.0.2m ...

oval:org.secpod.oval:def:1800423
The c-ares function ares_parse_naptr_reply, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. Affected versions: c-ares 1.8.0 to and including 1.12.0 Not affected versio ...

oval:org.secpod.oval:def:1800308
CVE-2017-3737: Read/write after SSL object in error state; OpenSSL 1.0.2 introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This w ...

oval:org.secpod.oval:def:1801401
CVE-2018-14647: Missing salt initialization in _elementtree.c module. A flaw was found in Python's _elementtree.c module, a wrapper for the libexpat XML parser. The xml.etree C accelerator doesn't call XML_SetHashSalt, failing to properly initiate the random hash seed from a good CSPRNG source and making ...

oval:org.secpod.oval:def:1801106
CVE-2017-9935: In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_fre ...

oval:org.secpod.oval:def:1800959
In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against ...

oval:org.secpod.oval:def:1800809
CVE-2017-5969: Null pointer dereference parsing XML file using libxml. Upstream bug report:

*CPE
cpe:/o:alpinelinux:alpine_linux:3.6

© SecPod Technologies