Index: security/vuxml/vuln.xml =================================================================== diff -u -N -r606ba309c38434b95986a96a77b8b1b2129fc421 -r2a4df6448d7c255f0a772b30e78794d0176ad268 --- security/vuxml/vuln.xml (.../vuln.xml) (revision 606ba309c38434b95986a96a77b8b1b2129fc421) +++ security/vuxml/vuln.xml (.../vuln.xml) (revision 2a4df6448d7c255f0a772b30e78794d0176ad268) @@ -28,7 +28,7 @@ OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - $FreeBSD: head/security/vuxml/vuln.xml 546226 2020-08-25 19:00:36Z sunpoet $ + $FreeBSD: head/security/vuxml/vuln.xml 555466 2020-11-16 11:13:14Z fluffy $ QUICK GUIDE TO ADDING A NEW ENTRY @@ -58,12 +58,2747 @@ * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + mozjpeg -- heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file + + + mozjpeg + 4.0.0 + + + + +

NIST reports:

+
+
    +
  • Heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.
  • +
+
+ +
+ + CVE-2020-13790 + https://nvd.nist.gov/vuln/detail/CVE-2020-13790 + + + 2020-06-03 + 2020-10-10 + +
+ + + libjpeg-turbo -- Issue in the PPM reader causing a buffer overrun in cjpeg, TJBench, or the tjLoadImage() function. + + + libjpeg-turbo + 2.0.4 + + + + +

libjpeg-turbo releases reports:

+
+

This release fixes the following security issue:

+
    +
  • Heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.
  • +
+
+ +
+ + CVE-2020-13790 + https://nvd.nist.gov/vuln/detail/CVE-2020-13790 + + + 2020-06-03 + 2020-10-10 + +
+ + + mantis -- multiple vulnerabilities + + + mantis-php72 + mantis-php73 + mantis-php74 + mantis-php80 + 2.24.3 + + + + +

Mantis 2.24.3 release reports:

+
+

This release fixes 3 security issues:

+
    +
  • 0027039: CVE-2020-25781: Access to private bug note attachments
  • +
  • 0027275: CVE-2020-25288: HTML Injection on bug_update_page.php
  • +
  • 0027304: CVE-2020-25830: HTML Injection in bug_actiongroup_page.php
  • +
+
+ +
+ + ports/251141 + CVE-2020-25781 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25781 + CVE-2020-25288 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25288 + CVE-2020-25830 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25830 + + + 2020-09-13 + 2020-11-14 + +
+ + + go -- math/big: panic during recursive division of very large numbers; cmd/go: arbitrary code execution at build time through cgo + + + go + 1.15.5,1 + + + + +

The Go project reports:

+
+

A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, + QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic + when provided crafted large inputs. For the panic to happen, + the divisor or modulo argument must be larger than 3168 bits + (on 32-bit architectures) or 6336 bits (on 64-bit architectures). + Multiple math/big.Rat methods are similarly affected.

+
+
+

The go command may execute arbitrary code at build time when + cgo is in use. This may occur when running go get on a malicious + package, or any other command that builds untrusted code. This + can be caused by a malicious gcc flags specified via a #cgo + directive.

+
+
+

The go command may execute arbitrary code at build time when + cgo is in use. This may occur when running go get on a malicious + package, or any other command that builds untrusted code. This + can be caused by malicious unquoted symbol names.

+
+ +
+ + CVE-2020-28362 + https://github.com/golang/go/issues/42552 + CVE-2020-28367 + https://github.com/golang/go/issues/42556 + CVE-2020-28366 + https://github.com/golang/go/issues/42559 + + + 2020-11-09 + 2020-11-12 + +
+ + + salt -- multiple vulnerabilities + + + py36-salt + py37-salt + py38-salt + 30023002.1 + + + + +

SaltStack reports multiple security vulnerabilities in Salt 3002:

+
+
    +
  • CVE-2020-16846: Prevent shell injections in netapi ssh client.
  • +
  • CVE-2020-17490: Prevent creating world readable private keys with the tls execution module.
  • +
  • CVE-2020-25592: Properly validate eauth credentials and tokens along with their ACLs. + Prior to this change eauth was not properly validated when calling Salt ssh via the salt-api. + Any value for 'eauth' or 'token' would allow a user to bypass authentication and make calls + to Salt ssh.
  • +
+
+ +
+ + https://docs.saltstack.com/en/latest/topics/releases/3002.1.html + CVE-2020-16846 + https://nvd.nist.gov/vuln/detail/CVE-2020-16846 + CVE-2020-17490 + https://nvd.nist.gov/vuln/detail/CVE-2020-17490 + CVE-2020-25592 + https://nvd.nist.gov/vuln/detail/CVE-2020-25592 + + + 2020-11-06 + 2020-11-12 + +
+ + + Apache OpenOffice -- Unrestricted actions leads to arbitrary code execution in crafted documents + + + apache-openoffice + 4.1.8 + + + apache-openoffice-devel + 4.2.1602022694,4 + + + + +

The Apache Openofffice project reports:

+
+

CVE-2020-13958 Unrestricted actions leads to arbitrary code execution in crafted documents

+

Description

+

A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the target users file system. These hyperlinks can be triggered unconditionally. In fixed versions no internal protocol may be called from the document event handler and other hyperlinks require a control-click.

+

Severity: Low

+

There are no known exploits of this vulnerability.
A proof-of-concept demonstration exists.

+

Thanks to the reporter for discovering this issue.

+

Acknowledgments

+

The Apache OpenOffice Security Team would like to thank Imre Rad for discovering and reporting this attack vector.

+
+ +
+ + https://www.openoffice.org/security/cves/CVE-2020-13958.html + CVE-2020-13958 + + + 2020-04-28 + 2020-11-10 + +
+ + + raptor2 -- buffer overflow + + + raptor2 + 2.0.15_16 + + + + +

CVE MITRE reports:

+
+

+ raptor_xml_writer_start_element_common in raptor_xml_writer.c in Raptor RDF Syntax Library 2.0.15 miscalculates the maximum nspace declarations for the XML writer, leading to heap-based buffer overflows (sometimes seen in raptor_qname_format_as_xml). +

+
+ +
+ + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18926 + https://github.com/LibreOffice/core/blob/master/external/redland/raptor/0001-Calcualte-max-nspace-declarations-correctly-for-XML-.patch.1 + CVE-2017-18926 + + + 2017-04-16 + 2020-11-09 + +
+ + + jupyter notebook -- open redirect vulnerability + + + py37-notebook + py38-notebook + py39-notebook + 6.1.5 + + + + +

Jupyter reports:

+
+

6.1.5 is a security release, fixing one vulnerability: + Fix open redirect vulnerability GHSA-c7vm-f5p4-8fqh (CVE to be assigned) +

+
+ +
+ + https://jupyter-notebook.readthedocs.io/en/stable/changelog.html#release-6-1-5 + https://github.com/jupyter/notebook/blob/6.1.5/docs/source/changelog.rst + + + 2020-10-15 + 2020-11-08 + +
+ + + asterisk -- Outbound INVITE loop on challenge with different nonce + + + asterisk13 + 13.37.1 + + + asterisk16 + 16.14.1 + + + asterisk18 + 18.0.1 + + + + +

The Asterisk project reports:

+
+

If Asterisk is challenged on an outbound INVITE and + the nonce is changed in each response, Asterisk will + continually send INVITEs in a loop. This causes Asterisk + to consume more and more memory since the transaction + will never terminate (even if the call is hung up), + ultimately leading to a restart or shutdown of Asterisk. + Outbound authentication must be configured on the endpoint + for this to occur.

+
+ +
+ + https://downloads.asterisk.org/pub/security/AST-2020-002.html + + + 2020-11-05 + 2020-11-05 + +
+ + + asterisk -- Remote crash in res_pjsip_session + + + asterisk13 + 13.37.1 + + + asterisk16 + 16.14.1 + + + asterisk18 + 18.0.1 + + + + +

The Asterisk project reports:

+
+

Upon receiving a new SIP Invite, Asterisk did not + return the created dialog locked or referenced. This + caused a gap between the creation of the dialog object, + and its next use by the thread that created it. Depending + upon some off nominal circumstances, and timing it was + possible for another thread to free said dialog in this + gap. Asterisk could then crash when the dialog object, + or any of its dependent objects were de-referenced, or + accessed next by the initial creation thread.

+
+ +
+ + https://downloads.asterisk.org/pub/security/AST-2020-001.html + + + 2020-11-05 + 2020-11-05 + +
+ + + chromium -- multiple vulnerabilities + + + chromium + 86.0.4240.183 + + + + +

Chrome Releases reports:

+
+

This release contains 10 security fixes, including:

+
    +
  • [1138911] High CVE-2020-16004: Use after free in user interface. + Reported by Leecraso and Guang Gong of 360 Alpha Lab working with + 360 BugCloud on 2020-10-15
  • +
  • [1139398] High CVE-2020-16005: Insufficient policy enforcement + in ANGLE. Reported by Jaehun Jeong (@n3sk) of Theori on + 2020-10-16
  • +
  • [1133527] High CVE-2020-16006: Inappropriate implementation in + V8. Reported by Bill Parks on 2020-09-29
  • +
  • [1125018] High CVE-2020-16007: Insufficient data validation in + installer. Reported by Abdelhamid Naceri (halov) on + 2020-09-04
  • +
  • [1134107] High CVE-2020-16008: Stack buffer overflow in WebRTC. + Reported by Tolya Korniltsev on 2020-10-01
  • +
  • [1143772] High CVE-2020-16009: Inappropriate implementation in + V8. Reported by Clement Lecigne of Google's Threat Analysis Group + and Samuel Groß of Google Project Zero on 2020-10-29
  • +
  • [1144489] High CVE-2020-16011: Heap buffer overflow in UI on + Windows. Reported by Sergei Glazunov of Google Project Zero on + 2020-11-01
  • +
+

There are reports that an exploit for CVE-2020-16009 exists in the + wild.

+
+ +
+ + CVE-2020-16004 + CVE-2020-16005 + CVE-2020-16006 + CVE-2020-16007 + CVE-2020-16008 + CVE-2020-16009 + CVE-2020-16011 + https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html + + + 2020-11-02 + 2020-11-03 + +
+ + + Gitlab -- Multiple vulnerabilities + + + gitlab-ce + 13.5.013.5.2 + 13.4.013.4.5 + 8.8.913.3.9 + + + + +

Gitlab reports:

+
+

Path Traversal in LFS Upload

+

Path traversal allows saving packages in arbitrary location

+

Kubernetes agent API leaks private repos

+

Terraform state deletion API exposes object storage URL

+

Stored-XSS in error message of build-dependencies

+

Git credentials persisted on disk

+

Potential Denial of service via container registry

+

Info leak when group is transferred from private to public group

+

Limited File Disclosure Via Multipart Bypass

+

Unauthorized user is able to access scheduled pipeline variables and values

+

CSRF in runner administration page allows an attacker to pause/resume runners

+

Regex backtracking attack in path parsing of Advanced Search result

+

Bypass of required CODEOWNERS approval

+

SAST CiConfiguration information visible without permissions

+
+ +
+ + https://about.gitlab.com/releases/2020/11/02/security-release-gitlab-13-5-2-released/ + CVE-2020-13355 + CVE-2020-26405 + CVE-2020-13358 + CVE-2020-13359 + CVE-2020-13340 + CVE-2020-13353 + CVE-2020-13354 + CVE-2020-13352 + CVE-2020-13356 + CVE-2020-13351 + CVE-2020-13350 + CVE-2020-13349 + CVE-2020-13348 + + + 2020-11-02 + 2020-11-02 + +
+ + + wordpress -- multiple issues + + + wordpress + fr-wordpress + 5.5.2,1 + + + de-wordpress + zh_CN-wordpress + zh_TW-wordpress + ja-wordpress + ru-wordpress + 5.5.2 + + + + +

wordpress developers reports:

+
+

Ten security issues affect WordPress versions 5.5.1 and earlier. If you havent yet updated to 5.5, + all WordPress versions since 3.7 have also been updated to fix the following security issues: + -Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests. + -Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network. + -Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables. + -Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC. + -Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE. + -Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs. + -Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion.

+
+ +
+ + https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/ + + + 2020-10-29 + 2020-11-02 + +
+ + + samba -- Multiple Vulnerabilities + + + samba410 + 4.10.18 + + + samba411 + 4.11.15 + + + samba412 + 4.12.9 + + + samba413 + 4.13.1 + + + + +

The Samba Team reports:

+
+
    +
  • CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify
  • +
  • CVE-2020-14323: Unprivileged user can crash winbind
  • +
  • CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records
  • +
+
+ +
+ + https://www.samba.org/samba/security/CVE-2020-14318.html + https://www.samba.org/samba/security/CVE-2020-14323.html + https://www.samba.org/samba/security/CVE-2020-14383.html + CVE-2020-14318 + CVE-2020-14323 + CVE-2020-14383 + + + 2020-10-29 + 2020-10-30 + +
+ + + tmux -- stack overflow in CSI parsing + + + tmux + 3.1c + + + + +

Nicholas Marriott reports:

+
+

tmux has a stack overflow in CSI parsing.

+
+ +
+ + https://groups.google.com/g/tmux-users/c/DGfmsD9CM00/m/Six6uZG0AQAJ + https://marc.info/?l=openbsd-announce&m=160399126725142&w=2 + + + 2020-10-29 + 2020-10-30 + +
+ + + motion -- Denial of Service + + + motion + 3.24.3.1 + + + + +

cxsecurity.com reports:

+
+

A Denial of Service condition in Motion-Project Motion 3.2 through + 4.3.1 allows remote unauthenticated users to cause a webu.c + segmentation fault and kill the main process via a crafted HTTP + request

+
+ +
+ + https://cve-search.iicrai.org/cve/CVE-2020-26566 + + + 2020-10-05 + 2020-10-28 + +
+ + + freetype2 -- heap buffer overlfow + + + freetype2 + 2.10.4 + + + + +

The freetype project reports:

+
+

A heap buffer overflow has been found in the handling of embedded + PNG bitmaps, introduced in FreeType version 2.6. +

+
+ +
+ + https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/ + CVE-2020-15999 + + + 2020-10-20 + 2020-10-22 + +
+ + + MySQL -- Multiple vulnerabilities + + + mariadb103-server + 10.3.26 + + + mariadb104-server + 10.4.16 + + + mariadb105-server + 10.5.7 + + + mysql56-server + 5.6.50 + + + mysql57-server + 5.7.32 + + + mysql80-server + 8.0.22 + + + + +

Oracle reports:

+
+

This Critical Patch Update contains 48 new security patches for + Oracle MySQL.

+

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle + MySQL is 8.

+

NOTE: MariaDB only contains CVE-2020-14812 CVE-2020-14765 + CVE-2020-14776 and CVE-2020-14789

+
+ +
+ + https://www.oracle.com/security-alerts/cpuoct2020.html#AppendixMSQL + CVE-2020-14878 + CVE-2020-14828 + CVE-2020-14775 + CVE-2020-14765 + CVE-2020-14769 + CVE-2020-14830 + CVE-2020-14836 + CVE-2020-14846 + CVE-2020-14800 + CVE-2020-14827 + CVE-2020-14760 + CVE-2020-14776 + CVE-2020-14821 + CVE-2020-14829 + CVE-2020-14848 + CVE-2020-14852 + CVE-2020-14814 + CVE-2020-14789 + CVE-2020-14804 + CVE-2020-14812 + CVE-2020-14773 + CVE-2020-14777 + CVE-2020-14785 + CVE-2020-14793 + CVE-2020-14794 + CVE-2020-14809 + CVE-2020-14837 + CVE-2020-14839 + CVE-2020-14845 + CVE-2020-14861 + CVE-2020-14866 + CVE-2020-14868 + CVE-2020-14888 + CVE-2020-14891 + CVE-2020-14893 + CVE-2020-14786 + CVE-2020-14790 + CVE-2020-14844 + CVE-2020-14799 + CVE-2020-14869 + CVE-2020-14672 + CVE-2020-14870 + CVE-2020-14867 + CVE-2020-14873 + CVE-2020-14838 + CVE-2020-14860 + CVE-2020-14791 + CVE-2020-14771 + + + 2020-10-20 + 2020-10-21 + 2020-11-07 + +
+ + + chromium -- multiple vulnerabilities + + + chromium + 86.0.4240.111 + + + + +

Chrome Releases reports:

+
+

This release includes 5 security fixes:

+
    +
  • [1125337] High CVE-2020-16000: Inappropriate implementation in + Blink. Reported by amaebi_jp on 2020-09-06
  • +
  • [1135018] High CVE-2020-16001: Use after free in media. + Reported by Khalil Zhani on 2020-10-05
  • +
  • [1137630] High CVE-2020-16002: Use after free in PDFium. + Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec + at Qi'anxin Group on 2020-10-13
  • +
  • [1139963] High CVE-2020-15999: Heap buffer overflow in + Freetype. Reported by Sergei Glazunov of Google Project Zero on + 2020-10-19
  • +
  • [1134960] Medium CVE-2020-16003: Use after free in printing. + Reported by Khalil Zhani on 2020-10-04
  • +
+
+ +
+ + CVE-2020-15999 + CVE-2020-16000 + CVE-2020-16001 + CVE-2020-16002 + CVE-2020-16003 + https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html + + + 2020-10-20 + 2020-10-21 + +
+ + + powerdns-recursor -- cache pollution + + + powerdns-recursor + 4.3.04.3.5 + 4.2.04.2.5 + 4.1.04.1.18 + + + + +

PowerDNS Team reports:

+
+

CVE-2020-25829: An issue has been found in PowerDNS Recursor where a + remote attacker can cause the cached records for a given name to be + updated to the ‘Bogus’ DNSSEC validation state, instead of their actual + DNSSEC ‘Secure’ state, via a DNS ANY query. This results in a denial + of service for installations that always validate (dnssec=validate) + and for clients requesting validation when on-demand validation is + enabled (dnssec=process).

+
+ +
+ + https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html + CVE-2020-25829 + + + 2020-10-13 + 2020-10-14 + +
+ + + MariaDB -- Undisclosed vulnerability + + + mariadb103-client + 10.3.25 + + + mariadb103-server + 10.3.25 + + + mariadb104-client + 10.4.15 + + + mariadb104-server + 10.4.15 + + + mariadb105-client + 10.5.6 + + + mariadb105-server + 10.5.6 + + + + +

The MariaDB project reports:

+
+

Details of this vulnerability have not yet been disclosed

+
+ +
+ + https://mariadb.com/kb/en/mariadb-1056-release-notes/ + https://mariadb.com/kb/en/mariadb-10415-release-notes/ + https://mariadb.com/kb/en/mariadb-10325-release-notes/ + CVE-2020-15180 + + + 2020-10-07 + 2020-10-18 + +
+ + + py-matrix-synapse -- XSS vulnerability + + + py36-matrix-synapse + py37-matrix-synapse + py38-matrix-synapse + py39-matrix-synapse + 1.21.0 + + + + +

Matrix developers reports:

+
+

The fallback authentication endpoint served via Synapse were vulnerable + to cross-site scripting (XSS) attacks. The impact depends on the + configuration of the domain that Synapse is deployed on, but may allow + access to cookies and other browser data, CSRF vulnerabilities, and + access to other resources served on the same domain or parent domains.

+
+ +
+ + CVE-2020-26891 + https://github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq + https://github.com/matrix-org/synapse/releases/tag/v1.21.2 + ports/249948 + + + 2020-10-01 + 2020-10-17 + +
+ + + drupal -- Multiple Vulnerabilities + + + drupal7 + 7.72 + + + + +

Drupal Security Team reports:

+
+

The Drupal AJAX API does not disable JSONP by default, which can + lead to cross-site scripting.

+
+ +
+ + https://www.drupal.org/sa-core-2020-007 + + + 2020-09-16 + 2020-10-17 + +
+ + + Flash Player -- arbitrary code execution + + + linux-flashplayer + 32.0.0.445 + + + + +

Adobe reports:

+
+
    +
  • This update resolves a NULL pointer dereference vulnerability + that could lead to arbitrary code execution (CVE-2020-9746).
  • +
+
+ +
+ + CVE-2020-9746 + https://helpx.adobe.com/security/products/flash-player/apsb20-58.html + + + 2020-10-13 + 2020-10-13 + +
+ + + Rails -- Possible XSS vulnerability + + + rubygem-actionpack60 + 6.0.3.4 + + + + +

Ruby on Rails blog:

+
+

Rails version 6.0.3.4 has been released! This version is a security + release and addresses one possible XSS attack vector in Actionable + Exceptions.

+
+ +
+ + https://weblog.rubyonrails.org/2020/10/7/Rails-6-0-3-4-has-been-released/ + CVE-2020-8264 + + + 2020-10-07 + 2020-10-10 + +
+ + + Payara -- path trasversal flaw via either loc/con parameters in Eclipse Mojarra + + + payara + 5.201 + + + + +

Payara Releases reports:

+
+

The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:

+
    +
  • CVE-2020-6950 Eclipse Mojarra vulnerable to path trasversal flaw via either loc/con parameters
  • +
+
+ +
+ + CVE-2020-6950 + https://docs.payara.fish/community/docs/5.2020.4/security/security-fix-list.html + + + 2020-01-13 + 2020-10-06 + +
+ + + Payara -- A Polymorphic Typing issue in FasterXML jackson-databind + + + payara + 5.193 + + + + +

Payara Releases reports:

+
+

The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:

+
    +
  • CVE-2019-12086 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9
  • +
+
+ +
+ + CVE-2019-12086 + https://docs.payara.fish/community/docs/5.193/security/security-fix-list.html + + + 2019-05-17 + 2020-10-06 + +
+ + + payara -- multiple vulnerabilities + + + payara + 5.191 + + + + +

Payara Releases reports:

+
+

The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:

+
    +
  • CVE-2018-14721 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks
  • +
  • CVE-2018-14720 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct external XML entity (XXE) attacks
  • +
  • CVE-2018-14719 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code
  • +
  • CVE-2018-14718 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code
  • +
  • CVE-2018-14371 Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter
  • +
+
+ +
+ + CVE-2018-14721 + CVE-2018-14720 + CVE-2018-14719 + CVE-2018-14718 + CVE-2018-14371 + https://docs.payara.fish/community/docs/5.191/security/security-fix-list.html + + + 2019-02-01 + 2020-10-06 + +
+ + + zeek -- Vulnerability due to memory leak + + + zeek + 3.0.11 + + + + +

Jon Siwek of Corelight reports:

+
+

This release fixes the following security issue:

+
    +
  • A memory leak in multipart MIME code has potential + for remote exploitation and cause for Denial of Service + via resource exhaustion.
  • +
+
+ +
+ + https://github.com/zeek/zeek/releases/tag/v3.0.11 + + + 2020-09-29 + 2020-10-07 + +
+ + + chromium -- multiple vulnerabilities + + + chromium + 86.0.4240.75 + + + + +

Chrome releases reports:

+
+

This release contains 35 security fixes, including:

+
    +
  • [1127322] Critical CVE-2020-15967: Use after free in payments. + Reported by Man Yue Mo of GitHub Security Lab on 2020-09-11
  • +
  • [1126424] High CVE-2020-15968: Use after free in Blink. + Reported by Anonymous on 2020-09-09
  • +
  • [1124659] High CVE-2020-15969: Use after free in WebRTC. + Reported by Anonymous on 2020-09-03
  • +
  • [1108299] High CVE-2020-15970: Use after free in NFC. Reported + by Man Yue Mo of GitHub Security Lab on 2020-07-22
  • +
  • [1114062] High CVE-2020-15971: Use after free in printing. + Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on + 2020-08-07
  • +
  • [1115901] High CVE-2020-15972: Use after free in audio. + Reported by Anonymous on 2020-08-13
  • +
  • [1133671] High CVE-2020-15990: Use after free in autofill. + Reported by Rong Jian and Guang Gong of Alpha Lab, Qihoo 360 on + 2020-09-30
  • +
  • [1133688] High CVE-2020-15991: Use after free in password + manager. Reported by Rong Jian and Guang Gong of Alpha Lab, Qihoo + 360 on 2020-09-30
  • +
  • [1106890] Medium CVE-2020-15973: Insufficient policy + enforcement in extensions. Reported by David Erceg on + 2020-07-17
  • +
  • [1104103] Medium CVE-2020-15974: Integer overflow in Blink. + Reported by Juno Im (junorouse) of Theori on 2020-07-10
  • +
  • [1110800] Medium CVE-2020-15975: Integer overflow in + SwiftShader. Reported by Anonymous on 2020-07-29
  • +
  • [1123522] Medium CVE-2020-15976: Use after free in WebXR. + Reported by YoungJoo Lee (@ashuu_lee) of Raon Whitehat on + 2020-08-31
  • +
  • [1083278] Medium CVE-2020-6557: Inappropriate implementation + in networking. Reported by Matthias Gierlings and Marcus Brinkmann + (NDS Ruhr-University Bochum) on 2020-05-15
  • +
  • [1097724] Medium CVE-2020-15977: Insufficient data validation + in dialogs. Reported by Narendra Bhati (@imnarendrabhati) on + 2020-06-22
  • +
  • [1116280] Medium CVE-2020-15978: Insufficient data validation + in navigation. Reported by Luan Herrera (@lbherrera_) on + 2020-08-14
  • +
  • [1127319] Medium CVE-2020-15979: Inappropriate implementation + in V8. Reported by Avihay Cohen (@SeraphicAlgorithms) on + 2020-09-11
  • +
  • [1092453] Medium CVE-2020-15980: Insufficient policy + enforcement in Intents. Reported by Yongke Wang (@Rudykewang) and + Aryb1n (@aryb1n) of Tencent Security Xuanwu Lab on 2020-06-08
  • +
  • [1123023] Medium CVE-2020-15981: Out of bounds read in audio. + Reported by Christoph Guttandin on 2020-08-28
  • +
  • [1039882] Medium CVE-2020-15982: Side-channel information + leakage in cache. Reported by Luan Herrera (@lbherrera_) on + 2020-01-07
  • +
  • [1076786] Medium CVE-2020-15983: Insufficient data validation + in webUI. Reported by Jun Kokatsu, Microsoft Browser Vulnerability + Research on 2020-04-30
  • +
  • [1080395] Medium CVE-2020-15984: Insufficient policy + enforcement in Omnibox. Reported by Rayyan Bijoora on + 2020-05-07
  • +
  • [1099276] Medium CVE-2020-15985: Inappropriate implementation + in Blink. Reported by Abdulrahman Alqabandi, Microsoft Browser + Vulnerability Research on 2020-06-25
  • +
  • [1100247] Medium CVE-2020-15986: Integer overflow in media. + Reported by Mark Brand of Google Project Zero on 2020-06-29
  • +
  • [1127774] Medium CVE-2020-15987: Use after free in WebRTC. + Reported by Philipp Hancke on 2020-09-14
  • +
  • [1110195] Medium CVE-2020-15992: Insufficient policy + enforcement in networking. Reported by Alison Huffman, Microsoft + Browser Vulnerability Research on 2020-07-28
  • +
  • [1092518] Low CVE-2020-15988: Insufficient policy enforcement + in downloads. Reported by Samuel Attard on 2020-06-08
  • +
  • [1108351] Low CVE-2020-15989: Uninitialized Use in PDFium. + Reported by Gareth Evans (Microsoft) on 2020-07-22
  • +
+
+ +
+ + CVE-2020-6557 + CVE-2020-15967 + CVE-2020-15968 + CVE-2020-15969 + CVE-2020-15970 + CVE-2020-15971 + CVE-2020-15972 + CVE-2020-15973 + CVE-2020-15974 + CVE-2020-15975 + CVE-2020-15976 + CVE-2020-15977 + CVE-2020-15978 + CVE-2020-15979 + CVE-2020-15980 + CVE-2020-15981 + CVE-2020-15982 + CVE-2020-15983 + CVE-2020-15984 + CVE-2020-15985 + CVE-2020-15986 + CVE-2020-15987 + CVE-2020-15988 + CVE-2020-15989 + CVE-2020-15990 + CVE-2020-15991 + CVE-2020-15992 + https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html + + + 2020-10-06 + 2020-10-07 + +
+ + + libexif -- multiple vulnerabilities + + + libexif + 0.6.22 + + + + +

Release notes:

+
+

Lots of fixes exposed by fuzzers like AFL, ClusterFuzz, OSSFuzz and others:

+

CVE-2016-6328: fixed integer overflow when parsing maker notes

+

CVE-2017-7544: fixed buffer overread

+

CVE-2018-20030: Fix for recursion DoS

+

CVE-2019-9278: replaced integer overflow checks the compiler could optimize away by safer constructs

+

CVE-2020-0093: read overflow

+

CVE-2020-12767: fixed division by zero

+

CVE-2020-13112: Various buffer overread fixes due to integer overflows in maker notes

+

CVE-2020-13113: Potential use of uninitialized memory

+

CVE-2020-13114: Time consumption DoS when parsing canon array markers

+
+ +
+ + https://github.com/libexif/libexif/blob/master/NEWS + CVE-2016-6328 + CVE-2017-7544 + CVE-2018-20030 + CVE-2019-9278 + CVE-2020-0093 + CVE-2020-12767 + CVE-2020-13112 + CVE-2020-13113 + CVE-2020-13114 + + + 2020-05-18 + 2020-10-05 + +
+ + + kdeconnect -- packet manipulation can be exploited in a Denial of Service attack + + + kdeconnect-kde + 20.08.1 + + + + +

Albert Astals Cid reports:

+
+

KDE Project Security Advisory

+ + + + + + + + + + + + + + + + + + + + + + + + + +
TitleKDE Connect: packet manipulation can be exploited in a Denial of Service attack
Risk RatingImportant
CVECVE-2020-26164
Versionskdeconnect <= 20.08.1
AuthorAlbert Vaca Cintora <albertvaka@gmail.com>
Date2 October 2020
+

Overview

+

+ An attacker on your local network could send maliciously crafted + packets to other hosts running kdeconnect on the network, causing + them to use large amounts of CPU, memory or network connections, + which could be used in a Denial of Service attack within the + network. +

+ +

Impact

+

+ Computers that run kdeconnect are susceptible to DoS attacks from + the local network. +

+ +

Workaround

+

+ We advise you to stop KDE Connect when on untrusted networks like + those on airports or conferences. +

+

+ Since kdeconnect is dbus activated it is relatively hard to make + sure it stays stopped so the brute force approach is to uninstall + the kdeconnect package from your system and then run +

+
+	      kquitapp5 kdeconnectd
+	  
+

+ Just install the package again once you're back in a trusted + network. +

+

Solution

+

+ KDE Connect 20.08.2 patches several code paths that could result + in a DoS. +

+

You can apply these patches on top of 20.08.1:

+
    +
  • + https://invent.kde.org/network/kdeconnect-kde/-/commit/f183b5447bad47655c21af87214579f03bf3a163 +
  • +
  • + https://invent.kde.org/network/kdeconnect-kde/-/commit/b279c52101d3f7cc30a26086d58de0b5f1c547fa +
  • +
  • + https://invent.kde.org/network/kdeconnect-kde/-/commit/d35b88c1b25fe13715f9170f18674d476ca9acdc +
  • +
  • + https://invent.kde.org/network/kdeconnect-kde/-/commit/b496e66899e5bc9547b6537a7f44ab44dd0aaf38 +
  • +
  • + https://invent.kde.org/network/kdeconnect-kde/-/commit/5310eae85dbdf92fba30375238a2481f2e34943e +
  • +
  • + https://invent.kde.org/network/kdeconnect-kde/-/commit/721ba9faafb79aac73973410ee1dd3624ded97a5 +
  • +
  • + https://invent.kde.org/network/kdeconnect-kde/-/commit/ae58b9dec49c809b85b5404cee17946116f8a706 +
  • +
  • + https://invent.kde.org/network/kdeconnect-kde/-/commit/66c768aa9e7fba30b119c8b801efd49ed1270b0a +
  • +
  • + https://invent.kde.org/network/kdeconnect-kde/-/commit/85b691e40f525e22ca5cc4ebe79c361d71d7dc05 +
  • +
  • + https://invent.kde.org/network/kdeconnect-kde/-/commit/48180b46552d40729a36b7431e97bbe2b5379306 +
  • +
+

Credits

+

+ Thanks Matthias Gerstner and the openSUSE security team for + reporting the issue. +

+

+ Thanks to Aleix Pol, Nicolas Fella and Albert Vaca Cintora for the + patches. +

+
+ +
+ + https://kde.org/info/security/advisory-20201002-1.txt + CVE-2020-26164 + + + 2020-10-02 + 2020-10-04 + +
+ + + upnp -- denial of service (crash) + + + upnp + 1.12.1_1,1 + + + + +

CVE mitre reports:

+
+

Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.

+
+ +
+ + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13848 + https://nvd.nist.gov/vuln/detail/CVE-2020-13848 + https://github.com/pupnp/pupnp/issues/177 + https://github.com/pupnp/pupnp/commit/c805c1de1141cb22f74c0d94dd5664bda37398e0 + CVE-2020-13848 + + + 2020-06-04 + 2020-10-03 + +
+ + + Gitlab -- multiple vulnerabilities + + + gitlab-ce + 13.4.013.4.2 + 13.3.013.3.7 + 7.1213.2.10 + + + + +

Gitlab reports:

+
+

Potential Denial Of Service Via Update Release Links API

+

Insecure Storage of Session Key In Redis

+

Improper Access Expiration Date Validation

+

Cross-Site Scripting in Multiple Pages

+

Unauthorized Users Can View Custom Project Template

+

Cross-Site Scripting in SVG Image Preview

+

Incomplete Handling in Account Deletion

+

Insufficient Rate Limiting at Re-Sending Confirmation Email

+

Improper Type Check in GraphQL

+

To-dos Are Not Redacted When Membership Changes

+

Guest users can modify confidentiality attribute

+

Command injection on runner host

+

Insecure Runner Configuration in Kubernetes Environments

+
+ +
+ + https://about.gitlab.com/releases/2020/10/01/security-release-13-4-2-release/ + CVE-2020-13333 + CVE-2020-13332 + CVE-2020-13335 + CVE-2020-13334 + CVE-2020-13327 + + + 2020-10-01 + 2020-10-02 + +
+ + + tt-rss -- multiple vulnerabilities + + + tt-rss + g20200919 + + + + +

tt-rss project reports:

+
+

The cached_url feature mishandles JavaScript inside an SVG document.

+

imgproxy in plugins/af_proxy_http/init.php mishandles $_REQUEST["url"] in an error message.

+

It does not validate all URLs before requesting them.

+
+
+

Allows remote attackers to execute arbitrary PHP code via a crafted plural forms header.

+
+ +
+ + https://community.tt-rss.org/t/heads-up-several-vulnerabilities-fixed/3799 + https://community.tt-rss.org/t/replace-php-gettext/2889 + CVE-2020-25789 + CVE-2020-25788 + CVE-2020-25787 + CVE-2016-6175 + + + 2020-09-15 + 2020-09-20 + +
+ + + Apache Ant leaks sensitive information via the java.io.tmpdir + + + apache-ant + 1.11.10.8 + + + + +

Apache reports:

+
+

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the + default temporary directory identified by the Java + system property java.io.tmpdir for several tasks and + may thus leak sensitive information. The fixcrlf and + replaceregexp tasks also copy files from the temporary + directory back into the build tree allowing an attacker + to inject modified source files into the build + process.

+
+ +
+ + https://issues.apache.org/jira/browse/RAT-269?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel + CVE-2020-1945 + + + 2020-05-14 + 2020-09-28 + +
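Review bot: the only URL reference for this entry is a Creadur RAT JIRA issue (RAT-269), which is a downstream consumer of the Ant fix rather than the Ant project's own advisory for CVE-2020-1945; consider adding Ant's security advisory as a reference so readers land on the primary source. The version range (ge 1.1, lt 1.10.8) is consistent with the quoted text "1.1 to 1.9.14 and 1.10.0 to 1.10.7".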
+ + + powerdns -- Leaking uninitialised memory through crafted zone records + + + powerdns + 4.3.04.3.1 + 4.2.04.2.3 + 4.1.04.1.14 + + + + +

PowerDNS Team reports

+
+

CVE-2020-17482: An issue has been found in PowerDNS Authoritative + Server before 4.3.1 where an authorized user with the + ability to insert crafted records into a zone might + be able to leak the content of uninitialized memory. + Such a user could be a customer inserting data via a + control panel, or somebody with access to the REST + API. Crafted records cannot be inserted via AXFR.

+
+ +
+ + https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html + CVE-2020-17482 + + + 2020-09-22 + 2020-09-24 + +
+ + + chromium -- multiple vulnerabilities + + + chromium + 85.0.4183.121 + + + + +

Chrome Releases reports:

+
+

This release fixes 10 security issues, including:

+
    +
  • [1100136] High CVE-2020-15960: Out of bounds read in storage. + Reported by Anonymous on 2020-06-28
  • + +
  • [1114636] High CVE-2020-15961: Insufficient policy + enforcement in extensions. Reported by David Erceg on + 2020-08-10
  • + +
  • [1121836] High CVE-2020-15962: Insufficient policy + enforcement in serial. Reported by Leecraso and Guang Gong of 360 + Alpha Lab working with 360 BugCloud on 2020-08-26
  • + +
  • [1113558] High CVE-2020-15963: Insufficient policy + enforcement in extensions. Reported by David Erceg on + 2020-08-06
  • + +
  • [1126249] High CVE-2020-15965: Out of bounds write in V8. + Reported by Lucas Pinheiro, Microsoft Browser Vulnerability + Research on 2020-09-08
  • + +
  • [1113565] Medium CVE-2020-15966: Insufficient policy + enforcement in extensions. Reported by David Erceg on + 2020-08-06
  • + +
  • [1121414] Low CVE-2020-15964: Insufficient data validation in + media. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on + 2020-08-25
  • +
+
+ +
+ + CVE-2020-15960 + CVE-2020-15961 + CVE-2020-15962 + CVE-2020-15963 + CVE-2020-15964 + CVE-2020-15965 + CVE-2020-15966 + https://chromereleases.googleblog.com/2020/09/stable-channel-update-for-desktop_21.html + + + 2020-09-21 + 2020-09-22 + +
+ + + libxml -- multiple vulnerabilities + + + libxml2 + 2.9.10_1 + + + + +

CVE mitre reports:

+
+

CVE-2019-20388

+

+ xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak. +

+

CVE-2020-7595

+

+ xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. +

+

CVE-2020-24977

+

+ GNOME project libxml2 v2.9.10 and earlier have a global buffer over-read vulnerability in xmlEncodeEntitiesInternal +

+
+ +
+ + https://nvd.nist.gov/vuln/detail/CVE-2019-20388 + https://nvd.nist.gov/vuln/detail/CVE-2020-7595 + https://nvd.nist.gov/vuln/detail/CVE-2020-24977 + + + 2020-01-21 + 2020-09-22 + +
+ + + py-matrix-synapse -- malformed events may prevent users from joining federated rooms + + + py36-matrix-synapse + py37-matrix-synapse + py38-matrix-synapse + 1.19.2 + + + + +

Problem Description:

+

Affected Synapse versions assume that all events have an "origin" field set. If an event + without the "origin" field is sent into a federated room, servers not already joined to + the room will be unable to do so due to failing to fetch the malformed event.

+

Impact:

+

An attacker could cause a denial of service by deliberately sending a malformed event + into a room, thus preventing new servers (and thus their users) from joining the + room.

+ +
+ + https://github.com/matrix-org/synapse/issues/8319 + https://github.com/matrix-org/synapse/pull/8324 + https://github.com/matrix-org/synapse/blob/v1.19.3/CHANGES.md + + + 2020-09-16 + 2020-09-21 + +
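Review bot: the affected-version upper bound is given as 1.19.2 while the CHANGES.md reference points at the v1.19.3 tag; confirm which release actually carries the fix from PR #8324 and make the lt bound and the changelog link agree, otherwise users on 1.19.2 may be told they are safe when they are not (or vice versa).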
+ + + Python -- multiple vulnerabilities + + + python35 + 3.5.10 + + + + +

Python reports:

+
+

bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest(…).

+

bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (CVE-2020-15523).

+

bpo-41004: CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).

+

bpo-39073: Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.

+

bpo-38576: Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised.

+

bpo-39503: CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.

+

bpo-38945: Newline characters have been escaped when performing uu encoding to prevent them from overflowing into to content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process.

+

bpo-38804: Fixes a ReDoS vulnerability in http.cookiejar. Patch by Ben Caller.

+

bpo-39017: Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).

+

bpo-41183: Use 3072 RSA keys and SHA-256 signature for test certs and keys.

+

bpo-39503: AbstractBasicAuthHandler of urllib.request now parses all WWW-Authenticate HTTP headers and accepts multiple challenges per header: use the realm of the first Basic challenge.

+
+ +
+ + CVE-2020-15523 + CVE-2020-14422 + CVE-2019-18348 + CVE-2020-8492 + CVE-2019-20907 + + + 2020-08-19 + 2020-09-20 + +
+ + + samba -- Unauthenticated domain takeover via netlogon + + + samba410 + 4.10.18 + + + samba411 + 4.11.13 + + + samba412 + 4.12.7 + + + + +

The Samba Team reports:

+
+

An unauthenticated attacker on the network can gain + administrator access by exploiting a netlogon protocol flaw.

+
+ +
+ + https://www.samba.org/samba/security/CVE-2020-1472.html + CVE-2020-1472 + + + 2020-01-01 + 2020-09-20 + +
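Review bot: the discovery date 2020-01-01 reads like a placeholder rather than a real date; the entry date is 2020-09-20 and the linked Samba page for CVE-2020-1472 carries its own publication date, which should be used here so the timeline of this entry is not misleading.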
+ + + Nextcloud -- Password share by mail not hashed + + + nextcloud + 19.0.1 + + + + +

The Nextcloud project reports:

+
+

NC-SA-2020-026 (low): Password of share by mail is not hashed when + given on the create share call
+ A logic error in Nextcloud Server 19.0.0 caused a plaintext storage + of the share password when it was given on the initial create API + call.

+
+ +
+ + https://nextcloud.com/security/advisory/?id=NC-SA-2020-026 + CVE-2020-8183 + + + 2020-06-04 + 2020-09-19 + +
+ + + webkit2-gtk3 -- multible vulnerabilities + + + webkit2-gtk3 + 2.28.3 + + + + +

The WebKitGTK project reports vulnerabilities:

+
+
    +
  • CVE-2020-9802: Processing maliciously crafted web content may lead to arbitrary code execution.
  • +
  • CVE-2020-9803: Processing maliciously crafted web content may lead to arbitrary code execution.
  • +
  • CVE-2020-9805: Processing maliciously crafted web content may lead to universal cross site scripting.
  • +
  • CVE-2020-9806: Processing maliciously crafted web content may lead to arbitrary code execution.
  • +
  • CVE-2020-9807: Processing maliciously crafted web content may lead to arbitrary code execution.
  • +
  • CVE-2020-9843: Processing maliciously crafted web content may lead to a cross site scripting attack.
  • +
  • CVE-2020-9850: A remote attacker may be able to cause arbitrary code execution.
  • +
  • CVE-2020-13753: CLONE_NEWUSER could potentially be used to confuse xdg- desktop-portal, which allows access outside the sandbox. TIOCSTI can be used to directly execute commands outside the sandbox by writing to the controlling terminal’s input buffer.
  • +
+
+ +
+ + https://webkitgtk.org/security/WSA-2020-0006.html + CVE-2020-9802 + CVE-2020-9803 + CVE-2020-9805 + CVE-2020-9806 + CVE-2020-9807 + CVE-2020-9843 + CVE-2020-9850 + CVE-2020-13753 + + + 2020-07-10 + 2020-07-10 + +
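Review bot: typo in the topic line, "multible" should be "multiple"; the topic is what appears in pkg audit output, so it is worth fixing before commit. The discovery and entry dates are both 2020-07-10, which matches the WSA-2020-0006 reference.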
+ + + Node.js -- September 2020 Security Releases + + + node + 14.11.0 + + + node12 + 12.18.4 + + + node10 + 10.22.1 + + + + +

Node.js reports:

+
+

Updates are now available for v10,x, v12.x and v14.x Node.js release lines for the following issues.

+

HTTP Request Smuggling due to CR-to-Hyphen conversion (High) (CVE-2020-8201)

+

Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.

+

Impacts:

+
    +
  • All versions of the 14.x and 12.x releases line
  • +
+

Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical) (CVE-2020-8251)

+

Node.js is vulnerable to HTTP denial of service (DOS) attacks based on delayed requests submission which can make the server unable to accept new connections. The fix a new http.Server option called requestTimeout with a default value of 0 which means it is disabled by default. This should be set when Node.js is used as an edge server, for more details refer to the documentation.

+

Impacts:

+
    +
  • All versions of the 14.x release line
  • +
+

fs.realpath.native on may cause buffer overflow (Medium) (CVE-2020-8252)

+

libuv's realpath implementation incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.

+

Impacts:

+
    +
  • All versions of the 10.x release line
  • +
  • All versions of the 12.x release line
  • +
  • All versions of the 14.x release line before 14.9.0
  • +
+
+ +
+ + https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/ + CVE-2020-8201 + CVE-2020-8251 + CVE-2020-8252 + + + 2020-09-08 + 2020-09-16 + +
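Review bot: two wording problems in the quoted body: "v10,x" should be "v10.x", and the sentence "The fix a new http.Server option called requestTimeout" is missing its verb ("The fix adds a new http.Server option ..."). If the text is meant as a verbatim quote of the Node.js blog, keep it as-is, otherwise correct it. Also note that the CVE-2020-8251 "Impacts" list names only 14.x, so the node10 and node12 ranges in this entry are justified by CVE-2020-8201 and CVE-2020-8252 only; that is fine but worth a glance by whoever reviews the package ranges.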
+ + + FreeBSD -- ftpd privilege escalation via ftpchroot feature + + + FreeBSD + 12.112.1_10 + 11.411.4_4 + 11.311.3_14 + + + + +

Problem Description:

+

A ftpd(8) bug in the implementation of the file system sandbox, combined + with capabilities available to an authenticated FTP user, can be used to + escape the file system restriction configured in ftpchroot(5). + Moreover, the bug allows a malicious client to gain root privileges.

+

Impact:

+

A malicious FTP user can gain privileged access to an affected system.

+ +
+ + CVE-2020-7468 + SA-20:30.ftpd + + + 2020-09-15 + 2020-09-16 + +
+ + + FreeBSD -- bhyve SVM guest escape + + + FreeBSD-kernel + 12.112.1_10 + 11.411.4_4 + 11.311.3_14 + + + + +

Problem Description:

+

A number of AMD virtualization instructions operate on host physical + addresses, are not subject to nested page table translation, and guest use of + these instructions was not trapped.

+

Impact:

+

From kernel mode a malicious guest can write to arbitrary host memory (with + some constraints), affording the guest full control of the host.

+ +
+ + CVE-2020-7467 + SA-20:29.bhyve_svm + + + 2020-09-15 + 2020-09-16 + +
+ + + FreeBSD -- bhyve privilege escalation via VMCS access + + + FreeBSD-kernel + 12.112.1_10 + 11.411.4_4 + 11.311.3_14 + + + + +

Problem Description:

+

AMD and Intel CPUs support hardware virtualization using specialized data + structures that control various aspects of guest operation. These are the + Virtual Machine Control Structure (VMCS) on Intel CPUs, and the Virtual + Machine Control Block (VMCB) on AMD CPUs. Insufficient access controls allow + root users, including those running in a jail, to change these data + structures.

+

Impact:

+

An attacker with host root access (including to a jailed bhyve instance) can + use this vulnerability to achieve kernel code execution.

+ +
+ + CVE-2020-24718 + SA-20:28.bhyve_vmcs + + + 2020-09-15 + 2020-09-16 + +
+ + + FreeBSD -- ure device driver susceptible to packet-in-packet attack + + + FreeBSD-kernel + 12.112.1_10 + 11.411.4_4 + 11.311.3_14 + + + + +

Problem Description:

+

A programming error in the ure(4) device driver caused some Realtek USB + Ethernet interfaces to incorrectly report packets with more than 2048 bytes + in a single USB transfer as having a length of only 2048 bytes.

+

An adversary can exploit this to cause the driver to misinterpret part of the + payload of a large packet as a separate packet, and thereby inject packets + across security boundaries such as VLANs.

+

Impact:

+

An attacker that can send large frames (larger than 2048 bytes in size) to be + received by the host (be it VLAN, or non-VLAN tagged packet), can inject + arbitrary packets to be received and processed by the host. This includes + spoofing packets from other hosts, or injecting packets to other VLANs than + the host is on.

+ +
+ + CVE-2020-7464 + SA-20:27.ure + + + 2020-09-15 + 2020-09-16 + +
+ + + Rails -- Potential XSS vulnerability + + + rubygem-actionview52 + 5.2.4.4 + + + rubygem-actionview60 + 6.0.3.3 + + + + +

Ruby on Rails blog:

+
+

Rails 5.2.4.4 and 6.0.3.3 have been released! These releases contain an + important security fix, so please upgrade when you can.

+

Both releases contain the following fix: [CVE-2020-15169] Potential XSS + vulnerability in Action View

+
+ +
+ + https://weblog.rubyonrails.org/2020/9/10/Rails-5-2-4-4-and-6-0-3-3-have-been-released/ + https://groups.google.com/forum/#!topic/rubyonrails-security/b-C9kSGXYrc + https://github.com/rails/rails/blob/5-2-stable/actionview/CHANGELOG.md + https://github.com/rails/rails/blob/6-0-stable/actionview/CHANGELOG.md + CVE-2020-15169 + + + 2020-09-09 + 2020-09-12 + +
+ + + zeek -- Various vulnerabilities + + + zeek + 3.0.10 + + + + +

Jon Siwek of Corelight reports:

+
+

This release fixes the following security issue:

+
    +
  • The AYIYA and GTPv1 parsing/decapsulation logic may + leak memory -- These leaks have potential for remote + exploitation to cause Denial of Service via resource + exhaustion.
  • +
+
+ +
+ + https://github.com/zeek/zeek/releases/tag/v3.0.10 + + + 2020-08-28 + 2020-09-09 + +
+ + + chromium -- multiple vulnerabilities + + + chromium + 85.0.4183.102 + + + + +

Chrome Releases reports:

+
+

This release contains 5 security fixes:

+
    +
  • [1116304] High CVE-2020-6573: Use after free in video. Reported + by Leecraso and Guang Gong of 360 Alpha Lab working with 360 + BugCloud on 2020-08-14
  • +
  • [1102196] High CVE-2020-6574: Insufficient policy + enforcement in installer. Reported by CodeColorist of + Ant-Financial LightYear Labs on 2020-07-05
  • +
  • [1081874] High CVE-2020-6575: Race in Mojo. Reported by + Microsoft on 2020-05-12
  • +
  • [1111737] High CVE-2020-6576: Use after free in offscreen + canvas. Reported by Looben Yang on 2020-07-31
  • +
  • [1122684] High CVE-2020-15959: Insufficient policy enforcement + in networking. Reported by Eric Lawrence of Microsoft on + 2020-08-27
  • +
+
+ +
+ + CVE-2020-6573 + CVE-2020-6574 + CVE-2020-6575 + CVE-2020-6576 + CVE-2020-15969 + https://chromereleases.googleblog.com/2020/09/stable-channel-update-for-desktop.html + + + 2020-09-08 + 2020-09-09 + +
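Review bot: CVE identifier mismatch between the body and the references: the last bullet describes "[1122684] High CVE-2020-15959: Insufficient policy enforcement in networking", but the cvename list carries CVE-2020-15969 instead of CVE-2020-15959. One of the two is a typo; the cvename entry should match the bullet so the audit tooling cross-references the right CVE.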
+ + + Multi-link PPP protocol daemon MPD5 remotely exploitable crash + + + mpd5 + 5.9 + + + + +

Version 5.9 contains security fix for L2TP clients and servers. + Insufficient validation of incoming L2TP control packet + specially crafted by unauthenticated user might lead to unexpected + termination of the process. The problem affects mpd versions + since 4.0 that brought in initial support for L2TP. + Installations not using L2TP clients nor L2TP server configuration were not affected.

+ +
+ + CVE-2020-7465 + CVE-2020-7466 + http://mpd.sourceforge.net/doc5/mpd4.html#4 + + + 2020-09-04 + 2020-09-06 + 2020-09-07 + +
+ + + Mbed TLS -- Local side channel attack on RSA and static Diffie-Hellman + + + mbedtls + 2.16.8 + + + + +

Manuel Pégourié-Gonnard reports:

+
+

An attacker with access to precise enough timing and memory access + information (typically an untrusted operating system attacking a + secure enclave such as SGX or the TrustZone secure world) can + recover the private keys used in RSA or static (finite-field) + Diffie-Hellman operations.

+
+ +
+ + https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2 + + + 2020-09-01 + 2020-09-06 + +
+ + + Mbed TLS -- Local side channel attack on classical CBC decryption in (D)TLS + + + mbedtls + 2.16.8 + + + + +

Manuel Pégourié-Gonnard reports:

+
+

When decrypting/authenticating (D)TLS record in a connection using + a CBC ciphersuite without the Encrypt-then-Mac extension RFC 7366, + Mbed TLS used dummy rounds of the compression function associated + with the hash used for HMAC in order to hide the length of the + padding to remote attackers, as recommended in the original Lucky + Thirteen paper.

+

A local attacker who is able to observe the state of the cache + could monitor the presence of mbedtls_md_process() in the cache in + order to determine when the actual computation ends and when the + dummy rounds start. This is a reliable target as it's always called + at least once, in response to a previous attack. The attacker can + then continue with one of many well-documented Lucky 13 + variants.

+
+ +
+ + https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1 + CVE-2020-16150 + + + 2020-09-01 + 2020-09-06 + +
+ + + GnuTLS -- null pointer dereference + + + gnutls + 3.6.15 + + + + +

The GnuTLS project reports:

+
+

It was found by oss-fuzz that the server sending a + "no_renegotiation" alert in an unexpected timing, followed by an + invalid second handshake can cause a TLS 1.3 client to crash via a + null-pointer dereference. The crash happens in the application's + error handling path, where the gnutls_deinit function is called + after detecting a handshake failure.

+
+ +
+ + https://gnutls.org/security-new.html#GNUTLS-SA-2020-09-04 + CVE-2020-24659 + + + 2020-09-04 + 2020-09-06 + +
+ + + Django -- multiple vulnerabilities + + + py35-django22 + py36-django22 + py37-django22 + py38-django22 + 2.2.16 + + + py36-django30 + py37-django30 + py38-django30 + 3.0.10 + + + py36-django31 + py37-django31 + py38-django31 + 3.1.1 + + + + +

Django Release notes:

+
+

CVE-2020-24583: Incorrect permissions on intermediate-level directories + on Python 3.7+

+

On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied + to intermediate-level directories created in the process of uploading + files and to intermediate-level collected static directories when using + the collectstatic management command.

+

CVE-2020-24584: Permission escalation in intermediate-level directories + of the file system cache on Python 3.7+

+

On Python 3.7+, the intermediate-level directories of the file system + cache had the system's standard umask rather than 0o077 (no group or + others permissions).

+
+ +
+ + https://docs.djangoproject.com/en/2.2/releases/2.2.16/ + https://docs.djangoproject.com/en/3.0/releases/3.0.10/ + https://docs.djangoproject.com/en/3.1/releases/3.1.1/ + CVE-2020-24583 + CVE-2020-24584 + + + 2020-09-01 + 2020-09-05 + +
+ + + gnupg -- AEAD key import overflow + + + gnupg + 2.2.212.2.23 + + + + +

Importing an OpenPGP key having a preference list for AEAD algorithms + will lead to an array overflow and thus often to a crash or other + undefined behaviour.

+ +

Importing an arbitrary key can often easily be triggered by an attacker + and thus triggering this bug. Exploiting the bug aside from crashes is + not trivial but likely possible for a dedicated attacker. The major + hurdle for an attacker is that only every second byte is under their + control with every first byte having a fixed value of 0x04.

+ +
+ + CVE-2020-25125 + https://dev.gnupg.org/T5050 + + + 2020-09-03 + 2020-09-03 + +
+ + + FreeBSD -- dhclient heap overflow + + + FreeBSD + 12.112.1_9 + 11.411.4_3 + 11.311.3_13 + + + + +

Problem Description:

+

When parsing option 119 data, dhclient(8) computes the uncompressed domain + list length so that it can allocate an appropriately sized buffer to store + the uncompressed list. The code to compute the length failed to handle + certain malformed input, resulting in a heap overflow when the uncompressed + list is copied into in inadequately sized buffer.

+

Impact:

+

The heap overflow could in principle be exploited to achieve remote code + execution. The affected process runs with reduced privileges in a Capsicum + sandbox, limiting the immediate impact of an exploit. However, it is + possible the bug could be combined with other vulnerabilities to escape the + sandbox.

+ +
+ + CVE-2020-7461 + SA-20:26.dhclient + + + 2020-09-02 + 2020-09-02 + +
+ + + FreeBSD -- SCTP socket use-after-free bug + + + FreeBSD-kernel + 12.112.1_9 + 11.411.4_3 + 11.311.3_13 + + + + +

Problem Description:

+

Due to improper handling in the kernel, a use-after-free bug can be triggered + by sending large user messages from multiple threads on the same socket.

+

Impact:

+

Triggering the use-after-free situation may result in unintended kernel + behaviour including a kernel panic.

+ +
+ + CVE-2020-7463 + SA-20:25.sctp + + + 2020-09-02 + 2020-09-02 + +
+ + + FreeBSD -- IPv6 Hop-by-Hop options use-after-free bug + + + FreeBSD-kernel + 11.311.3_13 + + + + +

Problem Description:

+

Due to improper mbuf handling in the kernel, a use-after-free bug might be + triggered by sending IPv6 Hop-by-Hop options over the loopback interface.

+

Impact:

+

Triggering the use-after-free situation may result in unintended kernel + behaviour including a kernel panic.

+ +
+ + CVE-2020-7462 + SA-20:24.ipv6 + + + 2020-09-02 + 2020-09-02 + +
+ + + Gitlab -- multiple vulnerabilities + + + gitlab-ce + 13.3.013.3.4 + 13.2.013.2.8 + 013.1.10 + + + + +

Gitlab reports:

+
+

Vendor Cross-Account Assume-Role Attack

+

Stored XSS on the Vulnerability Page

+

Outdated Job Token Can Be Reused to Access Unauthorized Resources

+

File Disclosure Via Workhorse File Upload Bypass

+

Unauthorized Maintainer Can Edit Group Badge

+

Denial of Service Within Wiki Functionality

+

Sign-in Vulnerable to Brute-force Attacks

+

Invalidated Session Allows Account Access With an Old Password

+

GitLab Omniauth Endpoint Renders User Controlled Messages

+

Blind SSRF Through Repository Mirroring

+

Information Disclosure Through Incorrect Group Permission Verifications

+

No Rate Limit on GitLab Webhook Feature

+

GitLab Session Revocation Feature Does Not Invalidate All Sessions

+

OAuth Authorization Scope for an External Application Can Be Changed Without User Consent

+

Unauthorized Maintainer Can Delete Repository

+

Improper Verification of Deploy-Key Leads to Access Restricted Repository

+

Disabled Repository Still Accessible With a Deploy-Token

+

Duplicated Secret Code Generated by 2 Factor Authentication Mechanism

+

Lack of Validation Within Project Invitation Flow

+

Current Sessions Not Invalidated Upon Enabling 2 Factor Authentication

+

Users Without 2 Factor Authentication Can Be Blocked Accessing GitLab

+

Lack of Upper Bound Check Leading to Possible Denial of Service

+

2 Factor Authentication for Groups Was Not Enforced Within API Endpoint

+

GitLab Runner Denial of Service via CI Jobs

+

Update jQuery Dependency

+
+ +
+ + https://about.gitlab.com/releases/2020/09/02/security-release-gitlab-13-3-3-released/ + CVE-2020-13318 + CVE-2020-13301 + CVE-2020-13284 + CVE-2020-13298 + CVE-2020-13313 + CVE-2020-13311 + CVE-2020-13289 + CVE-2020-13302 + CVE-2020-13314 + CVE-2020-13309 + CVE-2020-13287 + CVE-2020-13306 + CVE-2020-13299 + CVE-2020-13300 + CVE-2020-13317 + CVE-2020-13303 + CVE-2020-13316 + CVE-2020-13304 + CVE-2020-13305 + CVE-2020-13307 + CVE-2020-13308 + CVE-2020-13315 + CVE-2020-13297 + CVE-2020-13310 + CVE-2020-11022 + + + 2020-09-02 + 2020-09-02 + +
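Review bot: the third version range reads "013.1.10", and unlike the first two ranges ("13.3.013.3.4" = ge 13.3.0 lt 13.3.4, "13.2.013.2.8" = ge 13.2.0 lt 13.2.8) it has no recognisable lower bound; check that it is the intended lt 13.1.10 bound and that a stray "0" did not end up in the ge element, since a malformed range will either miss affected installs or flag everything.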
+ + + go -- net/http/cgi, net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified + + + go + 1.14.8,1 + 1.15,11.15.1,1 + + + + +

The Go project reports:

+
+

When a Handler does not explicitly set the Content-Type header, both + CGI implementations default to “text/html”. If an attacker can make + a server generate content under their control (e.g. a JSON + containing user data or an uploaded image file) this might be + mistakenly returned by the server as “text/html”. If a victim visits + such a page they could get the attacker's code executed in the + context of the server origin. If an attacker can make a server + generate content under their control (e.g. a JSON containing user + data or an uploaded image file) this might be mistakenly returned by + the server as “text/html”. If a victim visits such a page they could + get the attacker's code executed in the context of the server + origin.

+
+ +
+ + CVE-2020-24553 + https://github.com/golang/go/issues/40928 + + + 2020-08-20 + 2020-09-01 + +
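Review bot: the quoted Go description is duplicated verbatim: the sentences from "If an attacker can make a server generate content under their control" through "in the context of the server origin" appear twice in the same paragraph. Drop the second copy so the entry reads as a single quote of the upstream issue.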
+ + + ark -- extraction outside of extraction directory + + + ark + 20.08.0_1 + + + + +

Albert Astals Cid reports:

+
+

Overview

+

A maliciously crafted TAR archive containing symlink entries + would install files anywhere in the user's home directory upon extraction.

+

Proof of concept

+

For testing, an example of malicious archive can be found at + dirsymlink.tar +

+

Impact

+

Users can unwillingly install files like a modified .bashrc, or a malicious + script placed in ~/.config/autostart.

+

Workaround

+

Before extracting a downloaded archive using the Ark GUI, users should inspect it + to make sure it doesn't contain symlink entries pointing outside the extraction folder.

+

The 'Extract' context menu from the Dolphin file manager shouldn't be used.

+

Solution

+

Ark 20.08.1 skips maliciously crafted symlinks when extracting TAR archives.

+

Alternatively, 8bf8c5ef07b0ac5e914d752681e470dea403a5bd can be applied to previous releases.

+

Credits

+

Thanks to Fabian Vogt for reporting this issue and for fixing it.

+
+ +
+ + https://kde.org/info/security/advisory-20200827-1.txt + CVE-2020-24654 + + + 2020-08-27 + 2020-08-28 + +
+ + + php72 -- use of freed hash key + + + php72 + 7.2.33 + + + php73 + 7.3.21 + + + php74 + 7.4.9 + + + + +

grigoritchy at gmail dot com reports:

+
+

The phar_parse_zipfile function had use-after-free + vulnerability because of mishandling of the actual_alias + variable.

+
+ +
+ + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7068 + CVE-2020-7068 + + + 2020-07-06 + 2020-08-27 + +
+ + + chromium -- multiple vulnerabilities + + + chromium + 85.0.4183.83 + + + + +

Chrome Releases reports:

+
+

This update includes 20 security fixes, including:

+
    +
  • [1109120] High CVE-2020-6558: Insufficient policy + enforcement in iOS. Reported by Alison Huffman, Microsoft Browser + Vulnerability Research on 2020-07-24
  • +
  • [1116706] High CVE-2020-6559: Use after free in presentation + API. Reported by Liu Wei and Wu Zekai of Tencent Security Xuanwu + Lab on 2020-08-15
  • +
  • [1108181] Medium CVE-2020-6560: Insufficient policy + enforcement in autofill. Reported by Nadja Ungethuem from + www.unnex.de on 2020-07-22
  • +
  • [932892] Medium CVE-2020-6561: Inappropriate implementation + in Content Security Policy. Reported by Rob Wu on 2019-02-16
  • +
  • [1086845] Medium CVE-2020-6562: Insufficient policy + enforcement in Blink. Reported by Masato Kinugawa on + 2020-05-27
  • +
  • [1104628] Medium CVE-2020-6563: Insufficient policy + enforcement in intent handling. Reported by Pedro Oliveira on + 2020-07-12
  • +
  • [841622] Medium CVE-2020-6564: Incorrect security UI in + permissions. Reported by Khalil Zhani on 2018-05-10
  • +
  • [1029907] Medium CVE-2020-6565: Incorrect security UI in + Omnibox. Reported by Khalil Zhani on 2019-12-02
  • +
  • [1065264] Medium CVE-2020-6566: Insufficient policy + enforcement in media. Reported by Jun Kokatsu, Microsoft Browser + Vulnerability Research on 2020-03-27
  • +
  • [937179] Low CVE-2020-6567: Insufficient validation of + untrusted input in command line handling. Reported by Joshua + Graham of TSS on 2019-03-01
  • +
  • [1092451] Low CVE-2020-6568: Insufficient policy enforcement + in intent handling. Reported by Yongke Wang(@Rudykewang) and + Aryb1n(@aryb1n) of Tencent Security Xuanwu Lab on 2020-06-08
  • +
  • [995732] Low CVE-2020-6569: Integer overflow in WebUSB. + Reported by guaixiaomei on 2019-08-20
  • +
  • [1084699] Low CVE-2020-6570: Side-channel information leakage + in WebRTC. Reported by Signal/Tenable on 2020-05-19
  • +
  • [1085315] Low CVE-2020-6571: Incorrect security UI in Omnibox. + Reported by Rayyan Bijoora on 2020-05-21
  • +
+
+ +
+ + CVE-2020-6558 + CVE-2020-6559 + CVE-2020-6560 + CVE-2020-6561 + CVE-2020-6562 + CVE-2020-6563 + CVE-2020-6564 + CVE-2020-6565 + CVE-2020-6566 + CVE-2020-6567 + CVE-2020-6568 + CVE-2020-6569 + CVE-2020-6570 + CVE-2020-6571 + https://chromereleases.googleblog.com/2020/08/stable-channel-update-for-desktop_25.html + + + 2020-08-25 + 2020-08-26 + +
+ jasper -- multiple vulnerabilities jasper - 2.0.19 + 2.0.20 @@ -117,6 +2852,7 @@ 2020-07-28 2020-08-25 + 2020-09-05 @@ -1624,7 +4360,7 @@ pango - 1.42.4_4 + 1.42.4_5 @@ -1646,6 +4382,7 @@ 2019-07-19 2020-07-23 + 2020-09-26