<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE vuxml PUBLIC "-//vuxml.org//DTD VuXML 1.1//EN" "http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd">
<!--
Copyright 2003-2018 Jacques Vidrine and contributors

Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
HTML, PDF, PostScript, RTF and so forth) with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code (VuXML) must retain the above
   copyright notice, this list of conditions and the following
   disclaimer as the first lines of this file unmodified.
2. Redistributions in compiled form (transformed to other DTDs,
   published online in any format, converted to PDF, PostScript,
   RTF and other formats) must reproduce the above copyright
   notice, this list of conditions and the following disclaimer
   in the documentation and/or other materials provided with the
   distribution.

THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

  $FreeBSD$


QUICK GUIDE TO ADDING A NEW ENTRY

1. run 'make newentry' to add a template to the top of the document
2. fill in the template
3. use 'make validate' to verify syntax correctness (you might need to install
   textproc/libxml2 for parser, and this port for catalogs)
4. fix any errors
5. use 'make VID=xxx-yyy-zzz html' to emit the entry's html file for formatting review
6. profit!

Additional tests can be done this way:
 $ pkg audit -f ./vuln.xml py26-django-1.6
 $ pkg audit -f ./vuln.xml py27-django-1.6.1
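
The matching that 'pkg audit -f' performs against this file, as an added
illustration (not FreeBSD's pkg code): parse the <vuln>/<affects>/<package>
elements in the VuXML namespace, then test a package version against each
<range>. The sample document is constructed from abbreviated copies of entries
in this file, and the version ordering is a simplified approximation of
pkg(8)'s (epoch after the comma wins, then the dotted version, then the port
revision after the underscore; letter suffixes such as 'a1' or 'pl' get no
special treatment):

```python
"""Minimal VuXML matcher: does a package version fall inside an <affects> range?

Added example, not FreeBSD pkg code. Version ordering is a simplified
approximation of pkg(8): epoch (",N"), then dotted version, then revision ("_N").
"""
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed sample: abbreviated copies of three entries from this file.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="5536ea5f-6814-11e9-a8f7-0050562a4d7b">
    <topic>buildbot: CRLF injection in login and logout redirect code</topic>
    <affects>
      <package>
        <name>py27-buildbot</name>
        <name>py36-buildbot</name>
        <range><lt>1.8.0</lt></range>
      </package>
    </affects>
  </vuln>
  <vuln vid="2da3cb25-6571-11e9-8e67-206a8a720317">
    <topic>FreeBSD: EAP-pwd missing commit validation</topic>
    <affects>
      <package>
        <name>FreeBSD</name>
        <range><ge>12.0</ge><lt>12.0_3</lt></range>
        <range><ge>11.2</ge><lt>11.2_9</lt></range>
      </package>
      <package>
        <name>wpa_supplicant</name>
        <name>hostapd</name>
        <range><lt>2.8</lt></range>
      </package>
    </affects>
  </vuln>
  <vuln vid="6e58e1e9-2636-413e-9f84-4c0e21143628">
    <topic>libssh2: multiple issues</topic>
    <affects>
      <package>
        <name>libssh2</name>
        <range><lt>1.8.1,3</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""


def parse_pkg_version(v):
    """Split 'ver[_rev][,epoch]' into a comparable (epoch, parts, rev) tuple.

    Numeric runs compare as integers, alphabetic runs as strings; a missing
    epoch or revision counts as 0, so '1.8.1' sorts below '1.8.1,3'.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    parts = [(0, int(t)) if t.isdigit() else (1, t)
             for t in re.findall(r"\d+|[A-Za-z]+", v)]
    return (epoch, parts, rev)


_OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
        "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
        "eq": lambda a, b: a == b}


def in_range(version, rng):
    """True if version satisfies every bound inside one <range> (bounds are ANDed)."""
    pv = parse_pkg_version(version)
    for bound in rng:
        tag = bound.tag.split("}")[1]          # strip the namespace prefix
        if not _OPS[tag](pv, parse_pkg_version(bound.text.strip())):
            return False
    return True


def audit(vuxml_text, pkgname, version):
    """Return (vid, topic) for every <vuln> whose <affects> matches pkgname at version."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = {n.text.strip() for n in pkg.findall("v:name", NS)}
            if pkgname not in names:
                continue
            if any(in_range(version, r) for r in pkg.findall("v:range", NS)):
                hits.append((vuln.get("vid"), vuln.findtext("v:topic", namespaces=NS)))
                break                          # one report per vuln is enough
    return hits


if __name__ == "__main__":
    for name, ver in [("py36-buildbot", "1.7.0"), ("FreeBSD", "12.0_2"),
                      ("libssh2", "1.8.1,3")]:
        hits = audit(SAMPLE_VUXML, name, ver)
        print(f"{name}-{ver}: {'VULNERABLE' if hits else 'ok'}", [v for v, _ in hits])
```

Note the epoch case: a port that bumped PORTEPOCH (the ',3' on libssh2) makes
every epoch-less version sort below it, so '1.8.1' is reported vulnerable even
though its dotted part equals the fixed version; that is the behaviour the
epoch exists to produce, and the reason ranges in this file must carry it.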

Extensive documentation of the format and help with writing and verifying
a new entry is available in The Porter's Handbook at:

  http://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html

Help is also available from ports-security@freebsd.org.

Notes:

  * Please add new entries to the beginning of this file.
  * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="5536ea5f-6814-11e9-a8f7-0050562a4d7b">
    <topic>buildbot -- CRLF injection in Buildbot login and logout redirect code</topic>
    <affects>
      <package>
	<name>py27-buildbot</name>
	<name>py35-buildbot</name>
	<name>py36-buildbot</name>
	<name>py37-buildbot</name>
	<range><lt>1.8.0</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<blockquote cite="https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code">
	  <p>A CRLF can be injected in the Location header of /auth/login and
	    /auth/logout. This is due to a lack of input validation in the
	    buildbot redirection code.</p>
	  <p>No way was found to impact Buildbot's own security through this
	    vulnerability, but it could be used to compromise other sites hosted
	    on the same domain as Buildbot:</p>
	  <ul>
	    <li>cookie injection on the master domain (i.e. if your buildbot is on
	      buildbot.buildbot.net, one can inject a cookie on *.buildbot.net,
	      which could impact another website hosted in your domain)</li>
	    <li>HTTP response splitting and cache poisoning (browser or proxy) are
	      also typical impacts of this vulnerability class, but might be
	      impractical to exploit.</li>
	  </ul>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code</url>
      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7313</url>
      <cvename>CVE-2019-7313</cvename>
    </references>
    <dates>
      <discovery>2019-01-29</discovery>
      <entry>2019-04-26</entry>
    </dates>
  </vuln>

  <vuln vid="2bad8b5d-66fb-11e9-9815-78acc0a3b880">
    <topic>drupal -- Drupal core - Moderately critical</topic>
    <affects>
      <package>
	<name>drupal7</name>
	<range><lt>7.66</lt></range>
      </package>
      <package>
	<name>drupal8</name>
	<range><lt>8.6.15</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Drupal Security Team reports:</p>
	<blockquote cite="https://www.drupal.org/SA-CORE-2019-005">
	  <p>CVE-2019-10909: Escape validation messages in the PHP templating engine.</p>
	  <p>CVE-2019-10910: Check service IDs are valid.</p>
	  <p>CVE-2019-10911: Add a separator in the remember me cookie hash.</p>
	</blockquote>
	<blockquote cite="https://www.drupal.org/sa-core-2019-006">
	  <p>jQuery 3.4.0 includes a fix for some unintended behavior when using
	    jQuery.extend(true, {}, ...). If an unsanitized source object contained
	    an enumerable __proto__ property, it could extend the native Object.prototype.
	    This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous
	    jQuery versions.</p>

	  <p>It's possible that this vulnerability is exploitable with some Drupal modules.
	    As a precaution, this Drupal security release backports the fix to jQuery.extend(),
	    without making any other changes to the jQuery version that is included in
	    Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site
	    via some other module such as jQuery Update.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://www.drupal.org/SA-CORE-2019-005</url>
      <url>https://www.drupal.org/SA-CORE-2019-006</url>
    </references>
    <dates>
      <discovery>2019-04-17</discovery>
      <entry>2019-04-25</entry>
    </dates>
  </vuln>

  <vuln vid="f6ea18bb-65b9-11e9-8b31-002590045d9c">
    <topic>py-yaml -- arbitrary code execution</topic>
    <affects>
      <package>
	<name>py27-yaml</name>
	<name>py35-yaml</name>
	<name>py36-yaml</name>
	<name>py37-yaml</name>
	<range><lt>4.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>pyyaml reports:</p>
	<blockquote cite="https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation">
	  <p>the PyYAML.load function could be easily exploited to call any Python
	function. That means it could call any system command using os.system()</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2017-18342</cvename>
      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342</url>
      <url>https://github.com/yaml/pyyaml/pull/74</url>
    </references>
    <dates>
      <discovery>2018-06-27</discovery>
      <entry>2019-04-23</entry>
    </dates>
  </vuln>

  <vuln vid="a207bbd8-6572-11e9-8e67-206a8a720317">
    <topic>FreeBSD -- EAP-pwd message reassembly issue with unexpected fragment</topic>
    <affects>
      <package>
	<name>FreeBSD</name>
	<range><ge>12.0</ge><lt>12.0_3</lt></range>
	<range><ge>11.2</ge><lt>11.2_9</lt></range>
      </package>
      <package>
	<name>wpa_supplicant</name>
	<range><lt>2.8</lt></range>
      </package>
      <package>
	<name>hostapd</name>
	<range><lt>2.8</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<h1>Problem Description:</h1>
	<p>EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant
	(EAP peer) does not validate fragmentation reassembly state
	properly for a case where an unexpected fragment could be received.
	This could result in process termination due to a NULL pointer
	dereference.</p>
	<p>See
	https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt
	for a detailed description of the bug.</p>
	<h1>Impact:</h1>
	<p>All wpa_supplicant and hostapd versions with EAP-pwd support could
	suffer a denial of service attack through process termination.</p>
      </body>
    </description>
    <references>
      <url>https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt</url>
    </references>
    <dates>
      <discovery>2019-04-18</discovery>
      <entry>2019-04-23</entry>
    </dates>
  </vuln>

  <vuln vid="2da3cb25-6571-11e9-8e67-206a8a720317">
    <topic>FreeBSD -- EAP-pwd missing commit validation</topic>
    <affects>
      <package>
	<name>FreeBSD</name>
	<range><ge>12.0</ge><lt>12.0_3</lt></range>
	<range><ge>11.2</ge><lt>11.2_9</lt></range>
      </package>
      <package>
	<name>wpa_supplicant</name>
	<range><lt>2.8</lt></range>
      </package>
      <package>
	<name>hostapd</name>
	<range><lt>2.8</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<h1>Problem Description:</h1>
	<p>EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant
	(EAP peer) does not validate the received scalar and element values
	in EAP-pwd-Commit messages properly. This could result in attacks that
	would be able to complete the EAP-pwd authentication exchange without the
	attacker having to know the used password.</p>
	<p>See
	https://w1.fi/security/2019-4/eap-pwd-missing-commit-validation.txt
	for a detailed description of the bug.</p>
	<h1>Impact:</h1>
	<p>All wpa_supplicant and hostapd versions with EAP-pwd support are
	affected: an attacker may be able to complete the EAP-pwd authentication
	exchange without knowing the password.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2019-9497</cvename>
      <cvename>CVE-2019-9498</cvename>
      <cvename>CVE-2019-9499</cvename>
    </references>
    <dates>
      <discovery>2019-04-10</discovery>
      <entry>2019-04-23</entry>
    </dates>
  </vuln>

  <vuln vid="98b71436-656d-11e9-8e67-206a8a720317">
    <topic>FreeBSD -- SAE confirm missing state validation</topic>
    <affects>
      <package>
	<name>FreeBSD</name>
	<range><ge>12.0</ge><lt>12.0_3</lt></range>
	<range><ge>11.2</ge><lt>11.2_9</lt></range>
      </package>
      <package>
	<name>wpa_supplicant</name>
	<range><lt>2.8</lt></range>
      </package>
      <package>
	<name>hostapd</name>
	<range><lt>2.8</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<h1>Problem Description:</h1>
	<p>When hostapd is used to operate an access point with SAE
	(Simultaneous Authentication of Equals; also known as WPA3-Personal),
	an invalid authentication sequence could result in the hostapd process
	terminating due to a NULL pointer dereference when processing SAE
	confirm message. This was caused by missing state validation steps
	when processing the SAE confirm message in hostapd/AP mode.</p>
	<p>See
	https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt
	for a detailed description of the bug.</p>
	<h1>Impact:</h1>
	<p>All hostapd versions with SAE support (CONFIG_SAE=y in the build
	configuration and SAE being enabled in the runtime configuration) are
	affected and could suffer a denial of service through process
	termination.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2019-9496</cvename>
    </references>
    <dates>
      <discovery>2019-04-10</discovery>
      <entry>2019-04-23</entry>
    </dates>
  </vuln>

  <vuln vid="60129efe-656d-11e9-8e67-206a8a720317">
    <topic>FreeBSD -- EAP-pwd side-channel attack</topic>
    <affects>
      <package>
	<name>FreeBSD</name>
	<range><ge>12.0</ge><lt>12.0_3</lt></range>
	<range><ge>11.2</ge><lt>11.2_9</lt></range>
      </package>
      <package>
	<name>wpa_supplicant</name>
	<range><lt>2.8</lt></range>
      </package>
      <package>
	<name>hostapd</name>
	<range><lt>2.8</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<h1>Problem Description:</h1>
	<p>Potential side channel attacks in the SAE implementations used
	by both hostapd and wpa_supplicant (see CVE-2019-9494 and VU#871675).
	EAP-pwd uses a similar design for deriving PWE from the password and
	while a specific attack against EAP-pwd is not yet known to be tested,
	there is no reason to believe that the EAP-pwd implementation would
	be immune against the type of cache attack that was identified for the
	SAE implementation. Since the EAP-pwd implementation in hostapd (EAP
	server) and wpa_supplicant (EAP peer) does not support MODP groups,
	the timing attack described against SAE is not applicable for the
	EAP-pwd implementation.</p>
	<p>See
	https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt
	for a detailed description of the bug.</p>
	<h1>Impact:</h1>
	<p>All wpa_supplicant and hostapd versions with EAP-pwd support
	(CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled
	in the runtime configuration) are affected.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2019-9495</cvename>
    </references>
    <dates>
      <discovery>2019-04-10</discovery>
      <entry>2019-04-23</entry>
    </dates>
  </vuln>

  <vuln vid="7e53f9cc-656d-11e9-8e67-206a8a720317">
    <topic>FreeBSD -- SAE side-channel attacks</topic>
    <affects>
      <package>
	<name>FreeBSD</name>
	<range><ge>12.0</ge><lt>12.0_3</lt></range>
	<range><ge>11.2</ge><lt>11.2_9</lt></range>
      </package>
      <package>
	<name>wpa_supplicant</name>
	<range><lt>2.8</lt></range>
      </package>
      <package>
	<name>hostapd</name>
	<range><lt>2.8</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<h1>Problem Description:</h1>
	<p>Side channel attacks in the SAE implementations used by both
	hostapd (AP) and wpa_supplicant (infrastructure BSS station/mesh
	station). SAE (Simultaneous Authentication of Equals) is also known
	as WPA3-Personal. The discovered side channel attacks may be able to
	leak information about the used password based on observable timing
	differences and cache access patterns. This might result in full
	password recovery when combined with an offline dictionary attack and
	if the password is not strong enough to protect against dictionary
	attacks.</p>
	<p>See
	https://w1.fi/security/2019-1/sae-side-channel-attacks.txt
	for a detailed description of the bug.</p>
	<h1>Impact:</h1>
	<p>All wpa_supplicant and hostapd versions with SAE support
	(CONFIG_SAE=y in the build configuration and SAE being enabled in
	the runtime configuration) are affected; the leaked information might
	allow full password recovery when combined with an offline dictionary
	attack.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2019-9494</cvename>
    </references>
    <dates>
      <discovery>2019-04-10</discovery>
      <entry>2019-04-23</entry>
    </dates>
  </vuln>

  <vuln vid="484d3f5e-653a-11e9-b0e3-1c39475b9f84">
    <topic>Istio -- Security vulnerabilities</topic>
    <affects>
      <package>
	<name>istio</name>
	<range><lt>1.1.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Istio reports:</p>
	<blockquote cite="https://istio.io/blog/2019/announcing-1.1.2/#security-update">
	  <p>Two security vulnerabilities have recently been identified in the Envoy proxy.
		The vulnerabilities are centered on the fact that Envoy did not normalize
		HTTP URI paths and did not fully validate HTTP/1.1 header values. These
		vulnerabilities impact Istio features that rely on Envoy to enforce any of
		authorization, routing, or rate limiting.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2019-9900</cvename>
      <cvename>CVE-2019-9901</cvename>
      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9900</url>
      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9901</url>
      <url>https://github.com/envoyproxy/envoy/issues/6434</url>
      <url>https://github.com/envoyproxy/envoy/issues/6435</url>
    </references>
    <dates>
      <discovery>2019-03-29</discovery>
      <entry>2019-04-22</entry>
    </dates>
  </vuln>

  <vuln vid="5ed7102e-6454-11e9-9a3a-001cc0382b2f">
    <topic>Ghostscript -- Security bypass vulnerability</topic>
    <affects>
      <package>
	<name>ghostscript9-agpl-base</name>
	<name>ghostscript9-agpl-x11</name>
	<range><lt>9.27</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Cedric Buissart (Red Hat) reports:</p>
	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3835">
	  <p>It was found that the superexec operator was available in the
	    internal dictionary in ghostscript before 9.27. A specially crafted
	    PostScript file could use this flaw in order to, for example, have
	    access to the file system outside of the constraints imposed by
	    -dSAFER.</p>
	</blockquote>
	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3838">
	  <p>It was found that the forceput operator could be extracted from
	    the DefineResource method in ghostscript before 9.27. A specially
	    crafted PostScript file could use this flaw in order to, for
	    example, have access to the file system outside of the constraints
	    imposed by -dSAFER.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3835</url>
      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3838</url>
      <cvename>CVE-2019-3835</cvename>
      <cvename>CVE-2019-3838</cvename>
    </references>
    <dates>
      <discovery>2019-03-21</discovery>
      <entry>2019-04-21</entry>
    </dates>
  </vuln>

  <vuln vid="fb30db8f-62af-11e9-b0de-001cc0382b2f">
    <topic>GnuTLS -- double free, invalid pointer access</topic>
    <affects>
      <package>
	<name>gnutls</name>
	<range><lt>3.6.7</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The GnuTLS project reports:</p>
	<blockquote cite="https://www.gnutls.org/security-new.html#GNUTLS-SA-2019-03-27">
	  <ul>
	    <li>Tavis Ormandy from Google Project Zero found a memory
	      corruption (double free) vulnerability in the certificate
	      verification API. Any client or server application that verifies
	      X.509 certificates with GnuTLS 3.5.8 or later is affected.</li>
	    <li>It was found using the TLS fuzzer tools that decoding a
	      malformed TLS1.3 asynchronous message can cause a server crash
	      via an invalid pointer access. The issue affects GnuTLS server
	      applications since 3.6.4.</li>
	  </ul>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://www.gnutls.org/security-new.html#GNUTLS-SA-2019-03-27</url>
      <cvename>CVE-2019-3829</cvename>
      <cvename>CVE-2019-3836</cvename>
    </references>
    <dates>
      <discovery>2019-03-27</discovery>
      <entry>2019-04-19</entry>
    </dates>
  </vuln>

  <vuln vid="a64aa22f-61ec-11e9-85b9-a4badb296695">
    <topic>dovecot -- json encoder crash</topic>
    <affects>
      <package>
	<name>dovecot</name>
	<range><lt>2.3.5.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Aki Tuomi reports:</p>
	<blockquote cite="https://dovecot.org/pipermail/dovecot-news/2019-April/000407.html">
	  <p>* CVE-2019-10691: Trying to log in with an 8-bit username containing
	    invalid UTF-8 input causes the auth process to crash if auth policy is
	    enabled. This could be used rather easily to cause a DoS. A similar
	    crash also happens during mail delivery when using invalid UTF-8 in the
	    From or Subject header when the OX push notification driver is used.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://dovecot.org/pipermail/dovecot-news/2019-April/000407.html</url>
      <cvename>CVE-2019-10691</cvename>
    </references>
    <dates>
      <discovery>2019-04-09</discovery>
      <entry>2019-04-18</entry>
    </dates>
  </vuln>

  <vuln vid="6e58e1e9-2636-413e-9f84-4c0e21143628">
    <topic>libssh2 -- multiple issues</topic>
    <affects>
      <package>
	<name>libssh2</name>
	<range><lt>1.8.1,3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>libssh2 developers report:</p>
	<blockquote cite="https://github.com/libssh2/libssh2/releases/tag/libssh2-1.8.1">
	  <ul>
	    <li>Defend against possible integer overflows in comp_method_zlib_decomp.</li>
	    <li>Defend against writing beyond the end of the payload in _libssh2_transport_read().</li>
	    <li>Sanitize padding_length - _libssh2_transport_read().</li>
	    <li>This prevents an underflow resulting in a potential out-of-bounds read if a server sends a too-large padding_length, possibly with malicious intent.</li>
	    <li>Prevent zero-byte allocation in sftp_packet_read() which could lead to an out-of-bounds read.</li>
	    <li>Check the length of data passed to sftp_packet_add() to prevent out-of-bounds reads.</li>
	    <li>Add a required_size parameter to sftp_packet_require et al. to require callers of these functions to handle packets that are too short.</li>
	    <li>Additional length checks to prevent out-of-bounds reads and writes in _libssh2_packet_add().</li>
	  </ul>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://github.com/libssh2/libssh2/releases/tag/libssh2-1.8.1</url>
      <url>https://libssh2.org/CVE-2019-3858.html</url>
      <url>https://libssh2.org/CVE-2019-3860.html</url>
      <url>https://libssh2.org/CVE-2019-3861.html</url>
      <url>https://libssh2.org/CVE-2019-3862.html</url>
      <cvename>CVE-2019-3858</cvename>
      <cvename>CVE-2019-3860</cvename>
      <cvename>CVE-2019-3861</cvename>
      <cvename>CVE-2019-3862</cvename>
    </references>
    <dates>
      <discovery>2019-03-14</discovery>
      <entry>2019-04-18</entry>
    </dates>
  </vuln>

  <vuln vid="b747783f-5fb6-11e9-b2ac-08002705f877">
    <topic>gitea -- remote code execution</topic>
    <affects>
      <package>
	<name>gitea</name>
	<range><lt>1.7.5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The Gitea team reports:</p>
	<blockquote cite="https://blog.gitea.io/2019/04/gitea-1.7.6-is-released/">
	  <p>Prevent remote code execution vulnerability with mirror repo URL settings.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://blog.gitea.io/2019/04/gitea-1.7.6-is-released/</url>
    </references>
    <dates>
      <discovery>2019-04-13</discovery>
      <entry>2019-04-17</entry>
    </dates>
  </vuln>

  <vuln vid="4e1997e8-5de0-11e9-b95c-b499baebfeaf">
    <topic>MySQL -- multiple vulnerabilities</topic>
    <affects>
      <package>
	<name>mariadb55-server</name>
	<range><lt>5.5.64</lt></range>
      </package>
      <package>
	<name>mariadb101-server</name>
	<range><lt>10.1.39</lt></range>
      </package>
      <package>
	<name>mariadb102-server</name>
	<range><lt>10.2.23</lt></range>
      </package>
      <package>
	<name>mariadb103-server</name>
	<range><lt>10.3.14</lt></range>
      </package>
      <package>
	<name>mysql56-server</name>
	<range><lt>5.6.44</lt></range>
      </package>
      <package>
	<name>mysql57-server</name>
	<range><lt>5.7.26</lt></range>
      </package>
      <package>
	<name>mysql80-server</name>
	<range><lt>8.0.16</lt></range>
      </package>
      <package>
	<name>percona55-server</name>
	<range><lt>5.5.64</lt></range>
      </package>
      <package>
	<name>percona56-server</name>
	<range><lt>5.6.44</lt></range>
      </package>
      <package>
	<name>percona57-server</name>
	<range><lt>5.7.26</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Oracle reports:</p>
	<blockquote cite="https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html">
	  <p>Critical Patch Update Oracle MySQL Executive Summary</p>
	  <p>This Critical Patch Update contains 44 new security fixes for
	    Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable
	    without authentication, i.e., may be exploited over a network without
	    requiring user credentials.</p>
	  <p>The Oracle MySQL products and versions affected by vulnerabilities
	    that are fixed in this Critical Patch Update are: MySQL Server, versions
	    5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior</p>
	  <p>Further details will be published by Oracle on 2019-04-16</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html</url>
    </references>
    <dates>
      <discovery>2019-04-13</discovery>
      <entry>2019-04-13</entry>
    </dates>
  </vuln>

  <vuln vid="a737eb11-5cfc-11e9-ab87-8cec4bf8fcfb">
    <topic>wget -- security flaw in caching credentials passed as a part of the URL</topic>
    <affects>
      <package>
	<name>wget</name>
	<range><ge>1.19</ge><lt>1.20.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Gynvael Coldwind reports:</p>
	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483">
	  <p>
	    set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a
	    file's origin URL in the user.xdg.origin.url metadata attribute
	    of the extended attributes of the downloaded file, which allows
	    local users to obtain sensitive information (e.g., credentials
	    contained in the URL) by reading this attribute, as demonstrated
	    by getfattr. This also applies to Referer information in the
	    user.xdg.referrer.url metadata attribute.
	  </p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483</url>
      <cvename>CVE-2018-20483</cvename>
    </references>
    <dates>
      <discovery>2018-12-25</discovery>
      <entry>2019-04-12</entry>
    </dates>
  </vuln>

  <vuln vid="a0602fa0-5c1c-11e9-abd6-001b217b3468">
    <topic>Gitlab -- Group Runner Registration Token Exposure</topic>
    <affects>
      <package>
	<name>gitlab-ce</name>
	<range><ge>11.9.0</ge><lt>11.9.7</lt></range>
	<range><ge>11.8.0</ge><lt>11.8.7</lt></range>
	<range><ge>10.4.0</ge><lt>11.7.11</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Gitlab reports:</p>
	<blockquote cite="https://about.gitlab.com/2019/04/10/critical-security-release-gitlab-11-dot-9-dot-7-released/">
	  <p>Group Runner Registration Token Exposure</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://about.gitlab.com/2019/04/10/critical-security-release-gitlab-11-dot-9-dot-7-released/</url>
      <cvename>CVE-2019-11000</cvename>
    </references>
    <dates>
      <discovery>2019-04-10</discovery>
      <entry>2019-04-11</entry>
    </dates>
  </vuln>

  <vuln vid="8e9c3f5a-715b-4336-8d05-19babef55e9e">
    <topic>jenkins -- multiple vulnerabilities</topic>
    <affects>
      <package>
	<name>jenkins</name>
	<range><lt>2.172</lt></range>
      </package>
      <package>
	<name>jenkins-lts</name>
	<range><lt>2.164.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Jenkins Security Advisory:</p>
	<blockquote cite="https://jenkins.io/security/advisory/2019-04-10/">
	  <h1>Description</h1>
	  <h5>(Medium) SECURITY-1289</h5>
	  <p>Jenkins accepted cached legacy CLI authentication</p>
	  <h5>(Medium) SECURITY-1327</h5>
	  <p>XSS vulnerability in form validation button</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://jenkins.io/security/advisory/2019-04-10/</url>
    </references>
    <dates>
      <discovery>2019-04-10</discovery>
      <entry>2019-04-10</entry>
    </dates>
  </vuln>

  <vuln vid="45d89773-5b64-11e9-80ed-d43d7ef03aa6">
    <topic>Flash Player -- multiple vulnerabilities</topic>
    <affects>
      <package>
	<name>linux-flashplayer</name>
	<range><lt>32.0.0.171</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Adobe reports:</p>
	<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb19-19.html">
	  <ul>
	    <li>This update resolves a use-after-free vulnerability that
	      could lead to arbitrary code execution (CVE-2019-7096).</li>
	    <li>This update resolves an out-of-bounds read vulnerability that
	      could lead to information disclosure (CVE-2019-7108).</li>
	  </ul>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2019-7096</cvename>
      <cvename>CVE-2019-7108</cvename>
      <url>https://helpx.adobe.com/security/products/flash-player/apsb19-19.html</url>
    </references>
    <dates>
      <discovery>2019-04-09</discovery>
      <entry>2019-04-10</entry>
    </dates>
  </vuln>

  <vuln vid="84ce26c3-5769-11e9-abd6-001b217b3468">
    <topic>clamav -- multiple vulnerabilities</topic>
    <affects>
      <package>
	<name>clamav</name>
	<range><lt>0.101.2,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>ClamAV reports:</p>
	<blockquote cite="https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html">
	  <p>An out-of-bounds heap read condition may occur when scanning PDF documents</p>
	  <p>An out-of-bounds heap read condition may occur when scanning PE files</p>
	  <p>An out-of-bounds heap write condition may occur when scanning OLE2 files</p>
	  <p>An out-of-bounds heap read condition may occur when scanning malformed PDF documents</p>
	  <p>A path-traversal write condition may occur as a result of improper input validation when scanning RAR archives</p>
	  <p>A use-after-free condition may occur as a result of improper error handling when scanning nested RAR archives</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html</url>
      <cvename>CVE-2019-1787</cvename>
      <cvename>CVE-2019-1789</cvename>
      <cvename>CVE-2019-1788</cvename>
      <cvename>CVE-2019-1786</cvename>
      <cvename>CVE-2019-1785</cvename>
      <cvename>CVE-2019-1798</cvename>
    </references>
    <dates>
      <discovery>2019-03-29</discovery>
      <entry>2019-04-05</entry>
    </dates>
  </vuln>

  <vuln vid="da459dbc-5586-11e9-abd6-001b217b3468">
    <topic>Gitlab -- Multiple vulnerabilities</topic>
    <affects>
      <package>
	<name>gitlab-ce</name>
	<range><ge>11.9.0</ge><lt>11.9.4</lt></range>
	<range><ge>11.8.0</ge><lt>11.8.6</lt></range>
	<range><lt>11.7.10</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Gitlab reports:</p>
	<blockquote cite="https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/">
	  <p>DoS potential for regex in CI/CD refs</p>
	  <p>Related branches visible in issues for guests</p>
	  <p>Persistent XSS at merge request resolve conflicts</p>
	  <p>Improper authorization control "move issue"</p>
	  <p>Guest users of private projects have access to releases</p>
	  <p>DoS potential on project languages page</p>
	  <p>Recurity assessment: information exposure through timing discrepancy</p>
	  <p>Recurity assessment: loginState HMAC issues</p>
	  <p>Recurity assessment: open redirect</p>
	  <p>PDF.js vulnerable to CVE-2018-5158</p>
	  <p>IDOR labels of private projects/groups</p>
	  <p>EXIF geolocation data not stripped from uploaded images</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/</url>
      <cvename>CVE-2019-10640</cvename>
      <cvename>CVE-2019-10116</cvename>
      <cvename>CVE-2019-10111</cvename>
      <cvename>CVE-2019-10110</cvename>
      <cvename>CVE-2019-10115</cvename>
      <cvename>CVE-2019-10113</cvename>
      <cvename>CVE-2019-10114</cvename>
      <cvename>CVE-2019-10112</cvename>
      <cvename>CVE-2019-10117</cvename>
      <cvename>CVE-2018-5158</cvename>
      <cvename>CVE-2019-10108</cvename>
      <cvename>CVE-2019-10109</cvename>
    </references>
    <dates>
      <discovery>2019-04-01</discovery>
      <entry>2019-04-02</entry>
    </dates>
  </vuln>

  <vuln vid="cf2105c6-551b-11e9-b95c-b499baebfeaf">
    <topic>Apache -- Multiple vulnerabilities</topic>
    <affects>
      <package>
	<name>apache24</name>
	<range><lt>2.4.39</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The Apache httpd Project reports:</p>
	<blockquote cite="https://httpd.apache.org/security/vulnerabilities_24.html">
	  <p>Apache HTTP Server privilege escalation from modules' scripts
	    (CVE-2019-0211) (important)</p>
	  <p>mod_auth_digest access control bypass (CVE-2019-0217)
	    (important)</p>
	  <p>mod_ssl access control bypass (CVE-2019-0215) (important)</p>
	  <p>mod_http2, possible crash on late upgrade (CVE-2019-0197) (low)</p>
	  <p>mod_http2, read-after-free on a string compare (CVE-2019-0196)
	    (low)</p>
	  <p>Apache httpd URL normalization inconsistency (CVE-2019-0220)
	    (low)</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://www.apache.org/dist/httpd/CHANGES_2.4.39</url>
      <url>https://httpd.apache.org/security/vulnerabilities_24.html</url>
      <cvename>CVE-2019-0211</cvename>
      <cvename>CVE-2019-0217</cvename>
      <cvename>CVE-2019-0215</cvename>
      <cvename>CVE-2019-0196</cvename>
      <cvename>CVE-2019-0197</cvename>
      <cvename>CVE-2019-0220</cvename>
    </references>
    <dates>
      <discovery>2019-04-01</discovery>
      <entry>2019-04-02</entry>
    </dates>
  </vuln>

  <vuln vid="6a0129bf-54ad-11e9-987c-1c39475b9f84">
    <topic>Kubectl -- Potential directory traversal</topic>
    <affects>
      <package>
	<name>kubectl</name>
	<range><lt>1.11.9</lt></range>
	<range><ge>1.12.0</ge><lt>1.12.7</lt></range>
	<range><ge>1.13.0</ge><lt>1.13.5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Kubernetes.io reports:</p>
	<blockquote cite="https://discuss.kubernetes.io/t/announce-security-release-of-kubernetes-kubectl-potential-directory-traversal-releases-1-11-9-1-12-7-1-13-5-and-1-14-0-cve-2019-1002101/5712">
	  <p>A security issue was discovered with the Kubernetes kubectl cp
	    command that could enable a directory traversal replacing or
	    deleting files on a user’s workstation.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2019-1002101</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2019-1002101</url>
    </references>
    <dates>
      <discovery>2019-03-28</discovery>
      <entry>2019-04-01</entry>
    </dates>
  </vuln>
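The ClamAV RAR path-traversal write listed above and this kubectl cp issue share one root cause: an archive produced by an untrusted party is unpacked with its member names used as-is, so a name such as ../../x, an absolute name, or a symlink whose target points outside the destination lets the producer choose where on the local filesystem the write lands. The Go program below is an added example written for this page; it is not code from kubectl, ClamAV or either advisory. It builds a constructed in-memory tar stream with benign and hostile member names (all of them hypothetical) and shows the confinement check an unpacker needs: resolve every member name, and every symlink target, beneath the destination root and refuse anything that resolves elsewhere.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// entry is a small constructor so the sample table below stays readable.
func entry(name string, flag byte, link string) *tar.Header {
	h := new(tar.Header)
	h.Name, h.Typeflag, h.Linkname = name, flag, link
	return h
}

// sampleEntries is a constructed set of member names of the kind a hostile
// archive producer could emit. Illustrative only; not taken from any advisory.
var sampleEntries = []*tar.Header{
	entry("etc/config.yaml", tar.TypeReg, ""),
	entry("logs/app.log", tar.TypeReg, ""),
	entry("../../../home/user/.ssh/authorized_keys", tar.TypeReg, ""), // climbs out
	entry("/etc/passwd", tar.TypeReg, ""),                              // absolute
	entry("ok/../../escape.txt", tar.TypeReg, ""),                      // looks benign at first
	entry("link-out", tar.TypeSymlink, "../../outside"),                // link target escapes
	entry("link-in", tar.TypeSymlink, "etc/config.yaml"),               // link target stays inside
}

// buildTar serialises the sample headers into an in-memory tar stream, the
// way a remote producer would before sending it to the unpacking side.
func buildTar(entries []*tar.Header) []byte {
	buf := bytes.NewBuffer(nil)
	tw := tar.NewWriter(buf)
	for _, hdr := range entries {
		hdr.Mode = 0644
		var body []byte
		if hdr.Typeflag == tar.TypeReg {
			body = []byte("x")
			hdr.Size = int64(len(body))
		}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if len(body) > 0 {
			if _, err := tw.Write(body); err != nil {
				panic(err)
			}
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// confine resolves name beneath root and fails when the resolved path would
// land outside root: absolute names or ".." components that climb above it.
// The decision is made on the cleaned, joined path, not on the raw string.
func confine(root, name string) (string, error) {
	root = filepath.Clean(root)
	if strings.HasPrefix(name, "/") || filepath.IsAbs(name) {
		return "", fmt.Errorf("absolute member path %q", name)
	}
	target := filepath.Join(root, filepath.FromSlash(name))
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("member %q escapes %q", name, root)
	}
	return target, nil
}

// checkHeader confines the member name and, for symlinks, the link target
// evaluated relative to the directory the link itself lives in.
func checkHeader(root string, hdr *tar.Header) error {
	target, err := confine(root, hdr.Name)
	if err != nil {
		return err
	}
	if hdr.Typeflag == tar.TypeSymlink {
		if strings.HasPrefix(hdr.Linkname, "/") || filepath.IsAbs(hdr.Linkname) {
			return fmt.Errorf("symlink %q has absolute target %q", hdr.Name, hdr.Linkname)
		}
		linkDir, _ := filepath.Rel(filepath.Clean(root), filepath.Dir(target))
		resolved := filepath.ToSlash(filepath.Join(linkDir, hdr.Linkname))
		if _, err := confine(root, resolved); err != nil {
			return fmt.Errorf("symlink %q -> %q: %v", hdr.Name, hdr.Linkname, err)
		}
	}
	return nil
}

// classify walks the archive and partitions members into those that may be
// written beneath root and those an unpacker must refuse.
func classify(archive []byte, root string) (accepted, rejected []string, err error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, nerr := tr.Next()
		if nerr == io.EOF {
			return accepted, rejected, nil
		}
		if nerr != nil {
			return nil, nil, nerr
		}
		if cerr := checkHeader(root, hdr); cerr != nil {
			rejected = append(rejected, hdr.Name)
			continue
		}
		accepted = append(accepted, hdr.Name)
	}
}

func main() {
	acc, rej, err := classify(buildTar(sampleEntries), "/tmp/dest")
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted:", acc)
	fmt.Println("rejected:", rej)
}
```

Run it with go run; it prints which members would be accepted and which refused. The check is made on the resolved path rather than by scanning the raw name for "..", so a name such as ok/../../escape.txt, which begins harmlessly, is still caught; symlink targets are checked relative to the link's own directory, because a link created inside the root can otherwise redirect a later write outside it.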

  <vuln vid="b22d6d4c-53b9-11e9-9310-28d244aee256">
    <topic>znc -- Denial of Service</topic>
    <affects>
      <package>
	<name>znc</name>
	<range><lt>1.7.3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Mitre reports:</p>
	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9917">
	  <p>ZNC before 1.7.3-rc1 allows an existing remote user to cause a Denial
	    of Service (crash) via invalid encoding.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2019-9917</cvename>
      <url>https://wiki.znc.in/ChangeLog/1.7.3</url>
    </references>
    <dates>
      <discovery>2019-03-21</discovery>
      <entry>2019-03-31</entry>
    </dates>
  </vuln>

  <vuln vid="fe7e322f-522d-11e9-98b5-216e512dad89">
    <topic>Jupyter notebook -- open redirect vulnerability</topic>
    <affects>
      <package>
	<name>py27-notebook</name>
	<name>py35-notebook</name>
	<name>py36-notebook</name>
	<name>py37-notebook</name>
	<range><lt>5.7.8</lt></range>
      </package>
    </affects>
    <description>