Date:      Thu, 21 Jan 2021 13:19:10 +0000 (UTC)
From:      Baptiste Daroussin <bapt@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r562204 - head/security/vuxml
Message-ID:  <202101211319.10LDJAQq057389@repo.freebsd.org>

Author: bapt
Date: Thu Jan 21 13:19:10 2021
New Revision: 562204
URL: https://svnweb.freebsd.org/changeset/ports/562204

Log:
  Split vuln.xml file [2/2]
  
  The vuln.xml file has grown a lot since 2003. To avoid having to unlock
  the svn size limitation, the file is now split into 1 file per year up
  to the current year + previous one. The split is made based on the date
  when the entry has been added.
  
  In order to achieve the split without breaking any consumer we use a standard
  XML mechanism via the definition of entities.
  
  While here, add a new target, make vuln-flat.xml, which will expand the entities
  in order to be able to regenerate one unique file if needed. This is useful, for
  example, to allow testing with pkg audit directly, given that the XML parser used
  in pkg does not support custom entities.
  
  The vuxml web site generator has been modified to ensure the vuln.xml file it
  provides is the expanded version, so for consumers it is still only one single
  file to download.

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Jan 21 13:18:49 2021	(r562203)
+++ head/security/vuxml/vuln.xml	Thu Jan 21 13:19:10 2021	(r562204)
@@ -1,7 +1,25 @@
 <?xml version="1.0" encoding="utf-8"?>
-<!DOCTYPE vuxml PUBLIC "-//vuxml.org//DTD VuXML 1.1//EN" "http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd">;
+<!DOCTYPE vuxml PUBLIC "-//vuxml.org//DTD VuXML 1.1//EN" "http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd" [
+<!ENTITY vuln-2003 SYSTEM "vuln-2003.xml">
+<!ENTITY vuln-2004 SYSTEM "vuln-2004.xml">
+<!ENTITY vuln-2005 SYSTEM "vuln-2005.xml">
+<!ENTITY vuln-2006 SYSTEM "vuln-2006.xml">
+<!ENTITY vuln-2007 SYSTEM "vuln-2007.xml">
+<!ENTITY vuln-2008 SYSTEM "vuln-2008.xml">
+<!ENTITY vuln-2009 SYSTEM "vuln-2009.xml">
+<!ENTITY vuln-2010 SYSTEM "vuln-2010.xml">
+<!ENTITY vuln-2011 SYSTEM "vuln-2011.xml">
+<!ENTITY vuln-2012 SYSTEM "vuln-2012.xml">
+<!ENTITY vuln-2013 SYSTEM "vuln-2013.xml">
+<!ENTITY vuln-2014 SYSTEM "vuln-2014.xml">
+<!ENTITY vuln-2015 SYSTEM "vuln-2015.xml">
+<!ENTITY vuln-2016 SYSTEM "vuln-2016.xml">
+<!ENTITY vuln-2017 SYSTEM "vuln-2017.xml">
+<!ENTITY vuln-2018 SYSTEM "vuln-2018.xml">
+<!ENTITY vuln-2019 SYSTEM "vuln-2019.xml">
+]>
 <!--
-Copyright 2003-2018 Jacques Vidrine and contributors
+Copyright 2003-2021 Jacques Vidrine and contributors
 
 Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
 HTML, PDF, PostScript, RTF and so forth) with or without modification,
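Review bot: the internal subset added to the DOCTYPE (`<!ENTITY vuln-2003 SYSTEM "vuln-2003.xml">` through `vuln-2019`) makes vuln.xml depend on external entity resolution with relative system identifiers, and nothing in the file header documents that. A consumer that parses the raw file with external entity loading disabled, which is the usual XXE hardening setting, will either fail on the unresolved references or see none of the 2003-2019 entries; the log already notes that the parser in pkg does not support custom entities. Suggest a short comment in the existing `<!-- ... -->` header stating that the per-year files must sit next to vuln.xml and that tools which do not resolve external entities should read the output of `make vuln-flat.xml` instead. The declaration list also has to be extended by hand whenever another year is split out, so a one-line reminder next to the declarations would help.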
@@ -8793,108 +8811,6 @@ Discovered by Tony Yesudas.</p>
     </dates>
   </vuln>
 
-  <vuln vid="8db2f8b2-9e12-11ea-9e83-0cc47ac16c9d">
-    <topic>qmail -- 64 bit integer overflows with possible remote code execution on large SMTP requests</topic>
-    <affects>
-      <package>
-	<name>netqmail</name>
-	<range><le>1.06_4</le></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>Georgi Guninski writes:</p>
-	<blockquote cite="http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html">;
-	  <p>There are several issues with qmail on 64 bit platforms - classical integer overflow, pointer with signed index and signedness problem (not counting the memory consumtion dos, which just helps).</p>
-	  <p>Update: the problem with the signed index is exploitable on Freebsd 5.4 amd64 wih a lot of virtual memory.</p>
-	</blockquote>
-	<p>The national vulnerability database summarizes:</p>
-	<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2005-1513">;
-	  <p>Integer overflow in the stralloc_readyplus function in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large SMTP request.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html</url>;
-      <url>https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt</url>;
-      <cvename>CVE-2005-1513</cvename>
-      <cvename>CVE-2005-1514</cvename>
-      <cvename>CVE-2005-1515</cvename>
-    </references>
-    <dates>
-      <discovery>2005-05-06</discovery>
-      <entry>2005-05-11</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="b495af21-9e10-11ea-9e83-0cc47ac16c9d">
-    <topic>qmail -- 64 bit integer overflows with possible remote code execution on large SMTP requests</topic>
-    <affects>
-      <package>
-	<name>netqmail-tls</name>
-	<range><le>1.06.20160918_2</le></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>Georgi Guninski writes:</p>
-	<blockquote cite="http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html">;
-	  <p>There are several issues with qmail on 64 bit platforms - classical integer overflow, pointer with signed index and signedness problem (not counting the memory consumtion dos, which just helps).</p>
-	  <p>Update: the problem with the signed index is exploitable on Freebsd 5.4 amd64 wih a lot of virtual memory.</p>
-	</blockquote>
-	<p>The national vulnerability database summarizes:</p>
-	<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2005-1513">;
-	  <p>Integer overflow in the stralloc_readyplus function in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large SMTP request.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html</url>;
-      <url>https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt</url>;
-      <cvename>CVE-2005-1513</cvename>
-      <cvename>CVE-2005-1514</cvename>
-      <cvename>CVE-2005-1515</cvename>
-    </references>
-    <dates>
-      <discovery>2005-05-06</discovery>
-      <entry>2005-05-11</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="d6540411-9e10-11ea-9e83-0cc47ac16c9d">
-    <topic>qmail -- 64 bit integer overflows with possible remote code execution on large SMTP requests</topic>
-    <affects>
-      <package>
-	<name>netqmail-mysql</name>
-	<range><le>1.06.1.1.15_1</le></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>Georgi Guninski writes:</p>
-	<blockquote cite="http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html">;
-	  <p>There are several issues with qmail on 64 bit platforms - classical integer overflow, pointer with signed index and signedness problem (not counting the memory consumtion dos, which just helps).</p>
-	  <p>Update: the problem with the signed index is exploitable on Freebsd 5.4 amd64 wih a lot of virtual memory.</p>
-	</blockquote>
-	<p>The national vulnerability database summarizes:</p>
-	<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2005-1513">;
-	  <p>Integer overflow in the stralloc_readyplus function in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large SMTP request.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html</url>;
-      <url>https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt</url>;
-      <cvename>CVE-2005-1513</cvename>
-      <cvename>CVE-2005-1514</cvename>
-      <cvename>CVE-2005-1515</cvename>
-    </references>
-    <dates>
-      <discovery>2005-05-06</discovery>
-      <entry>2005-05-11</entry>
-    </dates>
-  </vuln>
-
   <vuln vid="38c676bd-9def-11ea-a94c-3065ec8fd3ec">
     <topic>chromium -- multiple vulnerabilities</topic>
     <affects>
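Review bot: nothing in this hunk shows where the three removed qmail entries (vids 8db2f8b2-9e12-11ea-9e83-0cc47ac16c9d, b495af21-9e10-11ea-9e83-0cc47ac16c9d and d6540411-9e10-11ea-9e83-0cc47ac16c9d) end up. They carry `<entry>2005-05-11</entry>`, so under the split-by-entry-date rule from the log they belong in vuln-2005.xml, yet they were sitting among much newer records (the chromium entry follows directly) and reference a Qualys advisory under a 2020 URL path. Please confirm all three vids are present in vuln-2005.xml, for example by comparing the set of `vid` attributes in the pre-split file with the set in the `make vuln-flat.xml` output, so that a mismatch between an entry's position and its `<entry>` date cannot drop a record during the split.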
@@ -13913,164017 +13829,24 @@ whitespace)
     </dates>
   </vuln>
 
-  <vuln vid="66e4dc99-28b3-11ea-8dde-08002728f74c">
-    <topic>rack -- information leak / session hijack vulnerability</topic>
-    <affects>
-      <package>
-	<name>rubygem-rack</name>
-	<range><ge>2.0.0</ge><lt>2.0.8,3</lt></range>
-      </package>
-      <package>
-	<name>rubygem-rack16</name>
-	<range><ge>1.6.0</ge><lt>1.6.12</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>National Vulnerability Database:</p>
-	<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2019-16782">;
-	  <p>There's a possible information leak / session hijack vulnerability in
-	    Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12
-	    and 2.0.8. Attackers may be able to find and hijack sessions by using
-	    timing attacks targeting the session id. Session ids are usually stored
-	    and indexed in a database that uses some kind of scheme for speeding up
-	    lookups of that session id. By carefully measuring the amount of time
-	    it takes to look up a session, an attacker may be able to find a valid
-	    session id and hijack the session. The session id itself may be
-	    generated randomly, but the way the session is indexed by the backing
-	    store does not use a secure comparison.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://nvd.nist.gov/vuln/detail/CVE-2019-16782</url>;
-      <url>https://github.com/rack/rack/blob/master/CHANGELOG.md</url>;
-      <cvename>CVE-2019-16782</cvename>
-    </references>
-    <dates>
-      <discovery>2019-12-08</discovery>
-      <entry>2019-12-29</entry>
-    </dates>
-  </vuln>
+  &vuln-2019;
+  &vuln-2018;
+  &vuln-2017;
+  &vuln-2016;
+  &vuln-2015;
+  &vuln-2014;
+  &vuln-2013;
+  &vuln-2012;
+  &vuln-2011;
+  &vuln-2010;
+  &vuln-2009;
+  &vuln-2008;
+  &vuln-2007;
+  &vuln-2006;
+  &vuln-2005;
+  &vuln-2004;
+  &vuln-2003;
 
-  <vuln vid="e4d9dffb-2a32-11ea-9693-e1b3f6feec79">
-    <topic>OpenEXR -- heap buffer overflow, and out-of-memory bugs</topic>
-    <affects>
-      <package>
-	<name>ilmbase</name>
-	<range><lt>2.3.0_4</lt></range>
-      </package>
-      <package>
-	<name>openexr</name>
-	<range><lt>2.3.0_3</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>Cary Phillips reports:</p>
-	<blockquote cite="https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.4.0">;
-	  <p>OpenEXR (IlmBase) v2.4.0 fixes the following security vulnerabilities:</p>
-	  <ul>
-	    <li>CVE-2018-18444 Issue #351 Out of Memory</li>
-	    <li>CVE-2018-18443 Issue #350 heap-buffer-overflow</li>
-	  </ul>
-	  <p>The relevant patches have been backported to the FreeBSD ports.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.4.0</url>;
-      <url>https://github.com/AcademySoftwareFoundation/openexr/issues/350</url>;
-      <url>https://github.com/AcademySoftwareFoundation/openexr/issues/351</url>;
-      <cvename>CVE-2018-18443</cvename>
-      <cvename>CVE-2018-18444</cvename>
-    </references>
-    <dates>
-      <discovery>2018-10-17</discovery>
-      <entry>2019-12-29</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="7b97b32e-27c4-11ea-9673-4c72b94353b5">
-    <topic>wordpress -- multiple issues</topic>
-    <affects>
-      <package>
-	<name>wordpress</name>
-	<name>fr-wordpress</name>
-	<range><lt>5.3.1,1</lt></range>
-      </package>
-      <package>
-	<name>de-wordpress</name>
-	<name>zh_CN-wordpress</name>
-	<name>zh_TW-wordpress</name>
-	<name>ja-wordpress</name>
-	<name>ru-wordpress</name>
-	<range><lt>5.3.1</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>wordpress developers reports:</p>
-	<blockquote cite="https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/">;
-	  <p>Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so youll want to upgrade.
-	    If you havent yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues.
-	    -Props to Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API.
-	    -Props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS)
-	     could be stored in well-crafted links.
-	    -Props to the WordPress.org Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named
-	     colon attribute.
-	    -Props to Nguyen The Duc for discovering a stored XSS vulnerability using block editor content.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/</url>;
-    </references>
-    <dates>
-      <discovery>2019-12-13</discovery>
-      <entry>2019-12-26</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="1c9178aa-2709-11ea-9673-4c72b94353b5">
-    <topic>typo3 -- multiple vulnerabilities</topic>
-    <affects>
-      <package>
-	<name>typo3-8</name>
-	<range><lt>8.7.30</lt></range>
-      </package>
-      <package>
-	<name>typo3-9</name>
-	<range><lt>9.5.13</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>Typo3 core team reports:</p>
-	<blockquote cite="https://typo3.org/article/typo3-10-2-1-9-5-12-and-8-7-30-security-releases-published">;
-	  <p>It has been discovered that the output of field validation errors in the Form Framework is vulnerable
-	    to cross-site scripting.</p>
-	  <p>It has been discovered that t3:// URL handling and typolink functionality are vulnerable to cross-site
-	    scripting. Not only regular backend forms are affected but also frontend extensions which use the rendering
-	    with typolink.</p>
-	  <p>It has been discovered that the output table listing in the Files backend module is vulnerable to cross-site
-	    scripting when a file extension contains malicious sequences. Access to the file system of the server - either
-	    directly or through synchronization - is required to exploit the vulnerability.</p>
-	  <p>It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable
-	    to directory traversal. Admin privileges are required in order to exploit this vulnerability. Since TYPO3 v9 LTS,
-	    System Maintainer privileges are required as well.</p>
-	  <p>Failing to properly escape user submitted content, class QueryGenerator is vulnerable to SQL injection.
-	    Having system extension ext:lowlevel installed and a valid backend user having administrator privileges are
-	    required to exploit this vulnerability.</p>
-	  <p>It has been discovered that classes QueryGenerator and QueryView are vulnerable to insecure deserialization.
-	    Requirements for successfully exploiting this vulnerability (one of the following):
-	    - having system extension ext:lowlevel (Backend Module: DB Check) installed and valid backend user having
-	    administrator privileges
-	    - having system extension ext:sys_action installed and valid backend user having limited privileges</p>
-	  <p>TYPO3 allows to upload files either in the backend user interface as well as in custom developed extensions.
-	    To reduce the possibility to upload potential malicious code TYPO3 uses the fileDenyPattern to deny e.g. user
-	    submitted PHP scripts from being persisted. Besides that it is possible for any editor to upload file assets
-	    using the file module (fileadmin) or changing their avatar image shown in the TYPO3 backend.
-
-	    Per default TYPO3 allows to upload and store HTML and SVG files as well using the mentioned functionalities.
-	    Custom extension implementations probably would also accept those files when only the fileDenyPattern is evaluated.
-
-	    Since HTML and SVG files - which might contain executable JavaScript code per W3C standard - could be directly
-	    displayed in web clients, the whole web application is exposed to be vulnerable concerning Cross-Site Scripting.
-	    Currently the following scenarios are known - given an authenticated regular editor is able to upload files using
-	    the TYPO3 backend:
-	    - directly target a potential victim to a known public resource in a URL, e.g. /fileadmin/malicious.svg or
-	    /fileadmin/malicious.html
-	    - using the TypoScript content object “SVG” (implemented in class ScalableVectorGraphicsContentObject)
-	    having renderMode set to inline for SVG files (available since TYPO3 v9.0)
-	    - custom implementations that directly output and render markup of HTML and SVG files
-
-	    SVG files that are embedded using an img src=”malicious.svg” tag are not vulnerable since potential
-	    scripts are not executed in these scenarios (see https://www.w3.org/wiki/SVG_Security). The icon API of TYPO3
-	    is not scope of this announcement since SVG icons need to be registered using an individual implementation,
-	      which is not considered as user submitted content.</p>
-	    <p>It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization.
-	      User submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey
-	      as secret - invalid or unsigned payload is not deserialized.
-
-	      However, since sensitive information could have been leaked by accident (e.g. in repositories or in commonly
-	      known and unprotected backup files), there is the possibility that attackers know the private encryptionKey
-	      and are able to calculate the required HMAC-SHA1 to allow a malicious payload to be deserialized.
-
-	      Requirements for successfully exploiting this vulnerability (all of the following):
-	      - rendering at least one Extbase plugin in the frontend
-	      - encryptionKey has been leaked (from LocalConfiguration.php or corresponding .env file). </p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://typo3.org/security/advisory/typo3-core-sa-2019-021/</url>;
-      <url>https://typo3.org/security/advisory/typo3-core-sa-2019-022/</url>;
-      <url>https://typo3.org/security/advisory/typo3-core-sa-2019-023/</url>;
-      <url>https://typo3.org/security/advisory/typo3-core-sa-2019-024/</url>;
-      <url>https://typo3.org/security/advisory/typo3-core-sa-2019-025/</url>;
-      <url>https://typo3.org/security/advisory/typo3-core-sa-2019-026/</url>;
-      <url>https://typo3.org/security/advisory/typo3-psa-2019-010/</url>;
-      <url>https://typo3.org/security/advisory/typo3-psa-2019-011/</url>;
-    </references>
-    <dates>
-      <discovery>2019-12-17</discovery>
-      <entry>2019-12-25</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="ad3451b9-23e0-11ea-8b36-f1925a339a82">
-    <topic>e2fsprogs -- maliciously corrupted file systems can trigger buffer overruns in the quota code used by e2fsck</topic>
-    <affects>
-      <package>
-	<name>e2fsprogs</name>
-	<range><lt>1.45.4</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>Ted Y. Ts'o reports:</p>
-	<blockquote cite="http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.45.4">;
-	  <p>A maliciously corrupted file systems can trigger buffer overruns in the quota code used by e2fsck.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.45.4</url>;
-      <cvename>CVE-2019-5094</cvename>
-    </references>
-    <dates>
-      <discovery>2019-09-23</discovery>
-      <entry>2019-12-21</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="3da0352f-2397-11ea-966e-000ffec0b3e1">
-    <topic>drupal -- Drupal Core - Multiple Vulnerabilities</topic>
-    <affects>
-      <package>
-	<name>drupal7</name>
-	<range><lt>7.69</lt></range>
-      </package>
-      <package>
-	<name>drupal8</name>
-	<range><lt>8.8.1</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>Drupal Security Team reports:</p>
-	<blockquote cite="https://www.drupal.org/sa-core-2019-009">;
-	  <p>A visit to install.php can cause cached data to become corrupted.
-	    This could cause a site to be impaired until caches are rebuilt.</p>
-	</blockquote>
-	<blockquote cite="https://www.drupal.org/sa-core-2019-010">;
-	  <p>Drupal 8 core's file_save_upload() function does not strip the
-	    leading and trailing dot ('.') from filenames, like Drupal 7 did.
-	    Users with the ability to upload files with any extension in
-	    conjunction with contributed modules may be able to use this to
-	    upload system files such as .htaccess in order to bypass protections
-	    afforded by Drupal's default .htaccess file. After this fix,
-	    file_save_upload() now trims leading and trailing dots from filenames.
-	  </p>
-	</blockquote>
-	<blockquote cite="https://www.drupal.org/sa-core-2019-011">;
-	  <p>The Media Library module has a security vulnerability whereby it
-	    doesn't sufficiently restrict access to media items in certain
-	    configurations.
-	  </p>
-	</blockquote>
-	<blockquote cite="https://www.drupal.org/sa-core-2019-012">;
-	  <p>The Drupal project uses the third-party library Archive_Tar, which
-	    has released a security-related feature that impacts some Drupal
-	    configurations. Multiple vulnerabilities are possible if Drupal is
-	    configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and
-	    processes them. The latest versions of Drupal update Archive_Tar to
-	    1.4.9 to mitigate the file processing vulnerabilities.
-	  </p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://www.drupal.org/sa-core-2019-009</url>;
-      <url>https://www.drupal.org/sa-core-2019-010</url>;
-      <url>https://www.drupal.org/sa-core-2019-011</url>;
-      <url>https://www.drupal.org/sa-core-2019-012</url>;
-    </references>
-    <dates>
-      <discovery>2019-12-18</discovery>
-      <entry>2019-12-21</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="ed8cbad5-21a8-11ea-9b6d-901b0e934d69">
-    <topic>py-matrix-synapse -- multiple vulnerabilities</topic>
-    <affects>
-      <package>
-	<name>py35-matrix-synapse</name>
-	<name>py36-matrix-synapse</name>
-	<name>py37-matrix-synapse</name>
-	<range><lt>1.7.1</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>Matrix developers report:</p>
-	<blockquote cite="https://github.com/matrix-org/synapse/releases/tag/v1.7.1">;
-	  <p>The [synapse 1.7.1] release includes several security fixes as well
-	    as a fix to a bug exposed by the security fixes. All previous releases
-	    of Synapse are affected. Administrators are encouraged to upgrade as
-	    soon as possible.</p>
-	  <ul>
-	    <li>Fix a bug which could cause room events to be incorrectly authorized
-	      using events from a different room.</li>
-	    <li>Fix a bug causing responses to the /context client endpoint to not
-	      use the pruned version of the event.</li>
-	    <li>Fix a cause of state resets in room versions 2 onwards.</li>
-	  </ul>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://github.com/matrix-org/synapse/releases/tag/v1.7.1</url>;
-    </references>
-    <dates>
-      <discovery>2019-12-18</discovery>
-      <entry>2019-12-18</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="d778ddb0-2338-11ea-a1c7-b499baebfeaf">
-    <topic>OpenSSL -- Overflow vulnerability</topic>
-    <affects>
-      <package>
-	<name>openssl</name>
-	<range><lt>1.0.2u,1</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>The OpenSSL project reports:</p>
-	<blockquote cite="https://www.openssl.org/news/secadv/20191206.txt">;
-	  <p>rsaz_512_sqr overflow bug on x86_64 (CVE-2019-1551) (Low)<br/>
-	    There is an overflow bug in the x64_64 Montgomery squaring procedure
-	    used in exponentiation with 512-bit moduli. No EC algorithms are
-	    affected. Analysis suggests that attacks against 2-prime RSA1024,
-	    3-prime RSA1536, and DSA1024 as a result of this defect would be very
-	    difficult to perform and are not believed likely. Attacks against
-	    DH512 are considered just feasible. However, for an attack the target
-	    would have to re-use the DH512 private key, which is not recommended
-	    anyway. Also applications directly using the low level API BN_mod_exp
-	    may be affected if they use BN_FLG_CONSTTIME.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://www.openssl.org/news/secadv/20191206.txt</url>;
-      <cvename>CVE-2019-1551</cvename>
-    </references>
-    <dates>
-      <discovery>2019-12-06</discovery>
-      <entry>2019-12-20</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="70111759-1dae-11ea-966a-206a8a720317">
-    <topic>spamassassin -- multiple vulnerabilities</topic>
-    <affects>
-      <package>
-	<name>spamassassin</name>
-	<range><lt>3.4.3</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>the Apache Spamassassin project reports:</p>
-	<blockquote cite="https://www.cybersecurity-help.cz/vdb/SB2019121311">;
-	  <p>An input validation error of user-supplied input parsing
-	    multipart emails. Specially crafted emails can consume all
-	    resources on the system.</p>
-	  <p>A local user is able to execute arbitrary shell commands
-	     through specially crafted nefarious CF files.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://www.cybersecurity-help.cz/vdb/SB2019121311</url>;
-	<cvename>CVE-2019-12420</cvename>
-	<cvename>CVE-2018-11805</cvename>
-    </references>
-    <dates>
-      <discovery>2019-12-11</discovery>
-      <entry>2019-12-13</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="1edae47e-1cdd-11ea-8c2a-08002743b791">
-    <topic>samba -- multiple vulnerabilities</topic>
-    <affects>
-      <package>
-	<name>samba48</name>
-	<range><ge>4.8.0</ge></range>
-      </package>
-      <package>
-	<name>samba410</name>
-	<range><lt>4.10.11</lt></range>
-      </package>
-      <package>
-	<name>samba411</name>
-	<range><lt>4.11.3</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>The Samba Team reports:</p>
-	<blockquote cite="https://www.samba.org/samba/history/samba-4.10.11.html">;
-	  <p>CVE-2019-14861:</p>
-	  <p>An authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name.</p>
-	  <p>CVE-2019-14870:</p>
-	  <p>The DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://www.samba.org/samba/history/samba-4.10.11.html</url>;
-      <cvename>CVE-2019-14861</cvename>
-      <cvename>CVE-2019-14870</cvename>
-    </references>
-    <dates>
-      <discovery>2019-12-10</discovery>
-      <entry>2019-12-12</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="b7dc4dde-2e48-43f9-967a-c68461537cf2">
-    <topic>dovecot -- null pointer deref in notify with empty headers</topic>
-    <affects>
-      <package>
-	<name>dovecot</name>
-	<range><ge>2.3.9</ge><lt>2.3.9.2</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>Aki Tuomi reports</p>
-	<blockquote cite="https://dovecot.org/pipermail/dovecot/2019-December/117894.html">;
-	  <p>Mail with group address as sender will cause a signal 11 crash in push
- notification drivers. Group address as recipient can cause crash in some
- drivers.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://dovecot.org/pipermail/dovecot/2019-December/117894.html</url>;
-      <cvename>CVE-2019-19722</cvename>
-    </references>
-    <dates>
-      <discovery>2019-12-10</discovery>
-      <entry>2019-12-13</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="21944144-1b90-11ea-a2d4-001b217b3468">
-    <topic>Gitlab -- Multiple Vulnerabilities</topic>
-    <affects>
-      <package>
-	<name>gitlab-ce</name>
-	<range><ge>12.5.0</ge><lt>12.5.4</lt></range>
-	<range><ge>12.4.0</ge><lt>12.4.6</lt></range>
-	<range><ge>10.5.0</ge><lt>12.3.9</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>Gitlab reports:</p>
-	<blockquote cite="https://about.gitlab.com/blog/2019/12/10/critical-security-release-gitlab-12-5-4-released/">;
-	  <p>Path traversal with potential remote code execution</p>
-	  <p>Disclosure of private code via Elasticsearch integration</p>
-	  <p>Update Git dependency</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://about.gitlab.com/blog/2019/12/10/critical-security-release-gitlab-12-5-4-released/</url>;
-      <cvename>CVE-2019-19628</cvename>
-      <cvename>CVE-2019-19629</cvename>
-      <cvename>CVE-2019-19604</cvename>
-    </references>
-    <dates>
-      <discovery>2019-12-10</discovery>
-      <entry>2019-12-10</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="22ae307a-1ac4-11ea-b267-001cc0382b2f">
-    <topic>Ghostscript -- Security bypass vulnerabilities</topic>
-    <affects>
-      <package>
-	<name>ghostscript9-agpl-base</name>
-	<name>ghostscript9-agpl-x11</name>
-	<range><lt>9.50</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>Cedric Buissart (Red Hat) reports:</p>
-	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14811">;
-	  <p>A flaw was found in, ghostscript versions prior to 9.50, in the
-	    .pdf_hook_DSC_Creator procedure where it did not properly secure
-	    its privileged calls, enabling scripts to bypass `-dSAFER`
-	    restrictions. A specially crafted PostScript file could disable
-	    security protection and then have access to the file system, or
-	    execute arbitrary commands.</p>
-	</blockquote>
-	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14812">;
-	  <p>A flaw was found in all ghostscript versions 9.x before 9.50, in
-	    the .setuserparams2 procedure where it did not properly secure its
-	    privileged calls, enabling scripts to bypass `-dSAFER`
-	    restrictions. A specially crafted PostScript file could disable
-	    security protection and then have access to the file system, or
-	    execute arbitrary commands.</p>
-	</blockquote>
-	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14813">;
-	  <p>A flaw was found in ghostscript, versions 9.x before 9.50, in the
-	    setsystemparams procedure where it did not properly secure its
-	    privileged calls, enabling scripts to bypass `-dSAFER`
-	    restrictions. A specially crafted PostScript file could disable
-	    security protection and then have access to the file system, or
-	    execute arbitrary commands.</p>
-	</blockquote>
-	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14817">;
-	  <p>A flaw was found in, ghostscript versions prior to 9.50, in the
-	    .pdfexectoken and other procedures where it did not properly secure
-	    its privileged calls, enabling scripts to bypass `-dSAFER`
-	    restrictions. A specially crafted PostScript file could disable
-	    security protection and then have access to the file system, or
-	    execute arbitrary commands.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <cvename>CVE-2019-14811</cvename>
-      <cvename>CVE-2019-14812</cvename>
-      <cvename>CVE-2019-14813</cvename>
-      <cvename>CVE-2019-14817</cvename>
-    </references>
-    <dates>
-      <discovery>2019-08-20</discovery>
-      <entry>2019-12-09</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="ca3fe5b3-185e-11ea-9673-4c72b94353b5">
-    <topic>phpmyadmin -- multiple vulnerabilities</topic>
-    <affects>
-      <package>
-	<name>phpmyadmin</name>
-	<range><lt>4.9.2</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>the phpmyadmin team reports:</p>
-	<blockquote cite="https://www.phpmyadmin.net/news/2019/11/22/phpmyadmin-492-released/">;
-	  <p>This security fix is part of an ongoing effort to improve the security of the Designer feature
-	    and is designated PMASA-2019-5. There is also an improvement for how we sanitize git version
-	    information shown on the home page.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://www.phpmyadmin.net/news/2019/11/22/phpmyadmin-492-released/</url>;
-    </references>
-    <dates>
-      <discovery>2019-11-22</discovery>
-      <entry>2019-12-06</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="4e3fa78b-1577-11ea-b66e-080027bdabe8">
-    <topic>Django -- multiple vulnerabilities</topic>
-    <affects>
-      <package>
-	<name>py35-django21</name>
-	<name>py36-django21</name>
-	<name>py37-django21</name>
-	<name>py38-django21</name>
-	<range><lt>2.1.15</lt></range>
-      </package>
-      <package>
-	<name>py35-django22</name>
-	<name>py36-django22</name>
-	<name>py37-django22</name>
-	<name>py38-django22</name>
-	<range><lt>2.2.8</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>Django release reports:</p>
-	<blockquote cite="https://www.djangoproject.com/weblog/2019/dec/02/security-releases/">;
-	  <p>CVE-2019-19118: Privilege escalation in the Django admin.</p>
-	  <p>Since Django 2.1, a Django model admin displaying a parent model with related
-	    model inlines, where the user has view-only permissions to a parent model but
-	    edit permissions to the inline model, would display a read-only view of the parent
-	    model but editable forms for the inline.</p>
-	  <p>Submitting these forms would not allow direct edits to the parent model, but would
-	    trigger the parent model's save() method, and cause pre and post-save signal handlers
-	    to be invoked. This is a privilege escalation as a user who lacks permission to edit
-	    a model should not be able to trigger its save-related signals.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://www.djangoproject.com/weblog/2019/dec/02/security-releases/</url>;
-      <cvename>CVE-2019-19118</cvename>
-    </references>
-    <dates>
-      <discovery>2019-11-25</discovery>
-      <entry>2019-12-03</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="9c36d41c-11df-11ea-9b6d-901b0e934d69">
-    <topic>py-matrix-synapse -- incomplete cleanup of 3rd-party-IDs on user deactivation</topic>
-    <affects>
-      <package>
-	<name>py35-matrix-synapse</name>
-	<name>py36-matrix-synapse</name>
-	<name>py37-matrix-synapse</name>
-	<range><lt>1.6.1</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>Matrix developers report:</p>
-	<blockquote cite="https://github.com/matrix-org/synapse/releases/tag/v1.6.1">;
-	  <p>Clean up local threepids from user on account deactivation.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://github.com/matrix-org/synapse/releases/tag/v1.6.1</url>;
-      <url>https://github.com/matrix-org/synapse/pull/6426</url>;
-    </references>
-    <dates>
-      <discovery>2019-11-28</discovery>
-      <entry>2019-11-28</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="42675046-fa70-11e9-ba4e-901b0e934d69">
-    <topic>py-matrix-synapse -- missing signature checks on some federation APIs</topic>
-    <affects>
-      <package>
-	<name>py35-matrix-synapse</name>
-	<name>py36-matrix-synapse</name>
-	<name>py37-matrix-synapse</name>
-	<range><lt>1.5.0</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>Matrix developers report:</p>
-	<blockquote cite="https://github.com/matrix-org/synapse/pull/6262">;
-	  <p>Make sure that [...] events sent over /send_join, /send_leave, and
-	  /invite, are correctly signed and come from the expected servers.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://github.com/matrix-org/synapse/pull/6262</url>;
-      <url>https://github.com/matrix-org/synapse/releases/tag/v1.5.0</url>;
-    </references>
-    <dates>
-      <discovery>2019-10-29</discovery>
-      <entry>2019-10-29</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="4ce7c28a-11ac-11ea-b537-001b217b3468">
-    <topic>Gitlab -- Multiple Vulnerabilities</topic>
-    <affects>
-      <package>
-	<name>gitlab-ce</name>
-	<range><ge>12.5.0</ge><lt>12.5.2</lt></range>
-	<range><ge>12.4.0</ge><lt>12.4.5</lt></range>
-	<range><ge>11.9.0</ge><lt>12.3.8</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>Gitlab reports:</p>
-	<blockquote cite="https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-2-released/">;
-	  <p>Unauthorized access to grafana metrics</p>
-	  <p>Update Mattermost dependency</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-2-released/</url>;
-      <cvename>CVE-2019-19262</cvename>
-    </references>
-    <dates>
-      <discovery>2019-11-27</discovery>
-      <entry>2019-11-28</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="1aa7a094-1147-11ea-b537-001b217b3468">
-    <topic>Gitlab -- Multiple Vulnerabilities</topic>
-    <affects>
-      <package>
-	<name>gitlab-ce</name>
-	<range><ge>12.5.0</ge><lt>12.5.1</lt></range>
-	<range><ge>12.4.0</ge><lt>12.4.4</lt></range>
-	<range><lt>12.3.7</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>Gitlab reports:</p>
-	<blockquote cite="https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/">;
-	  <p>Path traversal with potential remote code execution</p>
-	  <p>Private objects exposed through project import</p>
-	  <p>Disclosure of notes via Elasticsearch integration</p>
-	  <p>Disclosure of comments via Elasticsearch integration</p>
-	  <p>DNS Rebind SSRF in various chat notifications</p>
-	  <p>Disclosure of vulnerability status in dependency list</p>
-	  <p>Disclosure of commit count in Cycle Analytics</p>
-	  <p>Exposure of related branch names</p>
-	  <p>Tags pushes from blocked users</p>
-	  <p>Branches and Commits exposed to Guest members via integration</p>
-	  <p>IDOR when adding users to protected environments</p>
-	  <p>Former project members able to access repository information</p>
-	  <p>Unauthorized access to grafana metrics</p>
-	  <p>Todos created for former project members</p>
-	  <p>Update Mattermost dependency</p>
-	  <p>Disclosure of AWS secret keys on certain Admin pages</p>
-	  <p>Stored XSS in Group and User profile fields</p>
-	  <p>Forked project information disclosed via Project API</p>
-	  <p>Denial of Service in the issue and commit comment pages</p>
-	  <p>Tokens stored in plaintext</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/</url>;
-      <cvename>CVE-2019-19088</cvename>
-      <cvename>CVE-2019-19309</cvename>
-      <cvename>CVE-2019-19086</cvename>
-      <cvename>CVE-2019-19087</cvename>
-      <cvename>CVE-2019-19261</cvename>
-      <cvename>CVE-2019-19256</cvename>
-      <cvename>CVE-2019-19254</cvename>
-      <cvename>CVE-2019-19257</cvename>
-      <cvename>CVE-2019-19263</cvename>
-      <cvename>CVE-2019-19258</cvename>
-      <cvename>CVE-2019-19259</cvename>
-      <cvename>CVE-2019-19260</cvename>
-      <cvename>CVE-2019-19262</cvename>
-      <cvename>CVE-2019-19255</cvename>
-      <cvename>CVE-2019-19310</cvename>
-      <cvename>CVE-2019-19311</cvename>
-      <cvename>CVE-2019-19312</cvename>
-      <cvename>CVE-2019-19313</cvename>
-      <cvename>CVE-2019-19314</cvename>
-    </references>
-    <dates>
-      <discovery>2019-11-27</discovery>
-      <entry>2019-11-27</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="3e748551-c732-45f6-bd88-928da16f23a8">
-    <topic>webkit2-gtk3 -- Multiple vulnerabilities</topic>
-    <affects>
-      <package>
-	<name>webkit2-gtk3</name>
-	<range><lt>2.26.2</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>The WebKitGTK project reports multiple vulnerabilities.</p>
-      </body>
-    </description>
-    <references>
-      <url>https://webkitgtk.org/security/WSA-2019-0006.html</url>;
-      <cvename>CVE-2019-8710</cvename>
-      <cvename>CVE-2019-8743</cvename>
-      <cvename>CVE-2019-8764</cvename>
-      <cvename>CVE-2019-8765</cvename>
-      <cvename>CVE-2019-8766</cvename>
-      <cvename>CVE-2019-8782</cvename>
-      <cvename>CVE-2019-8783</cvename>
-      <cvename>CVE-2019-8808</cvename>
-      <cvename>CVE-2019-8811</cvename>
-      <cvename>CVE-2019-8812</cvename>
-      <cvename>CVE-2019-8813</cvename>
-      <cvename>CVE-2019-8814</cvename>
-      <cvename>CVE-2019-8815</cvename>
-      <cvename>CVE-2019-8816</cvename>
-      <cvename>CVE-2019-8819</cvename>
-      <cvename>CVE-2019-8820</cvename>
-      <cvename>CVE-2019-8821</cvename>
-      <cvename>CVE-2019-8822</cvename>
-      <cvename>CVE-2019-8823</cvename>
-    </references>
-    <dates>
-      <discovery>2019-11-08</discovery>
-      <entry>2019-11-27</entry>
-    </dates>
-  </vuln>
-
-  <vuln vid="87270ba5-03d3-11ea-b81f-3085a9a95629">
-    <topic>urllib3 -- multiple vulnerabilities</topic>
-    <affects>
-      <package>
-	<name>py27-urllib3</name>
-	<name>py35-urllib3</name>
-	<name>py36-urllib3</name>
-	<name>py37-urllib3</name>
-	<name>py38-urllib3</name>
-	<range><lt>1.24.3,1</lt></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>NIST reports: (by search in the range 2018/01/01 - 2019/11/10):</p>
-	<blockquote cite="https://nvd.nist.gov/vuln/search/results?form_type=Advanced&amp;results_type=overview&amp;query=urllib3&amp;search_type=all&amp;pub_start_date=01%2F01%2F2018&amp;pub_end_date=11%2F10%2F2019">;
-	  <p>urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.</p>
-	  <p>In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.</p>
-	  <p>The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://nvd.nist.gov/vuln/search/results?form_type=Advanced&amp;results_type=overview&amp;query=urllib3&amp;search_type=all&amp;pub_start_date=01%2F01%2F2018&amp;pub_end_date=11%2F10%2F2019</url>;
-      <cvename>CVE-2018-20060</cvename>
-      <cvename>CVE-2019-11236</cvename>
-      <cvename>CVE-2019-11324</cvename>
-      <freebsdpr>ports/229322</freebsdpr>
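Review bot: The removed entries are not in strict `<entry>` date order (vid 42675046-fa70-11e9-ba4e-901b0e934d69, entered 2019-10-29, sits between two entries dated 2019-11-28), so the per-year split has to key on each entry's `<entry>` value rather than on cut points by position in the file; near a year boundary a positional cut would put an entry in the wrong vuln-YYYY.xml. Because the diff is truncated at 1000 lines, the removal cannot be checked by eye here. Please confirm that the output of `make vuln-flat.xml` contains the same set of `vid` values as the pre-split vuln.xml, with none dropped or duplicated.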

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


