<vuln vid="4b3a7e70-afce-11e5-b864-14dae9d210b8">
<topic>mono -- DoS and code execution</topic>
<affects>
<package>
<name>mono</name>
<range><lt>4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NCC Group reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q4/543">
<p>An attacker who can cause a carefully-chosen string to be
converted to a floating-point number can cause a crash and potentially
induce arbitrary code execution.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2015/q4/543</url>
<cvename>CVE-2009-0689</cvename>
</references>
<dates>
<discovery>2015-12-19</discovery>
<entry>2015-12-31</entry>
</dates>
</vuln>
<vuln vid="84c7ea88-bf04-4bdc-973b-36744bf540ab">
<topic>flash -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-f10-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<range><lt>11.2r202.559</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-01.html">
<p>These updates resolve a type confusion vulnerability that
could lead to code execution (CVE-2015-8644).</p>
<p>These updates resolve an integer overflow vulnerability
that could lead to code execution (CVE-2015-8651).</p>
<p>These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2015-8634, CVE-2015-8635,
CVE-2015-8638, CVE-2015-8639, CVE-2015-8640, CVE-2015-8641,
CVE-2015-8642, CVE-2015-8643, CVE-2015-8646, CVE-2015-8647,
CVE-2015-8648, CVE-2015-8649, CVE-2015-8650).</p>
<p>These updates resolve memory corruption vulnerabilities
that could lead to code execution (CVE-2015-8459,
CVE-2015-8460, CVE-2015-8636, CVE-2015-8645).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8459</cvename>
<cvename>CVE-2015-8460</cvename>
<cvename>CVE-2015-8634</cvename>
<cvename>CVE-2015-8636</cvename>
<cvename>CVE-2015-8638</cvename>
<cvename>CVE-2015-8639</cvename>
<cvename>CVE-2015-8640</cvename>
<cvename>CVE-2015-8641</cvename>
<cvename>CVE-2015-8642</cvename>
<cvename>CVE-2015-8643</cvename>
<cvename>CVE-2015-8644</cvename>
<cvename>CVE-2015-8645</cvename>
<cvename>CVE-2015-8646</cvename>
<cvename>CVE-2015-8647</cvename>
<cvename>CVE-2015-8648</cvename>
<cvename>CVE-2015-8649</cvename>
<cvename>CVE-2015-8650</cvename>
<cvename>CVE-2015-8651</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb16-01.html</url>
</references>
<dates>
<discovery>2015-12-28</discovery>
<entry>2015-12-29</entry>
</dates>
</vuln>
<vuln vid="b808c3a8-ae30-11e5-b864-14dae9d210b8">
<topic>inspircd -- DoS</topic>
<affects>
<package>
<name>inspircd</name>
<range><lt>2.0.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Inspircd reports:</p>
<blockquote cite="http://www.inspircd.org/2015/04/16/v2019-released.html">
<p>This release fixes the issues discovered since 2.0.18,
containing multiple important stability and correctness related
improvements, including a fix for a bug which allowed malformed DNS
records to cause netsplits on a network.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.inspircd.org/2015/04/16/v2019-released.html</url>
<url>https://github.com/inspircd/inspircd/commit/6058483d9fbc1b904d5ae7cfea47bfcde5c5b559</url>
<url>http://comments.gmane.org/gmane.comp.security.oss.general/18464</url>
<cvename>CVE-2015-8702</cvename>
</references>
<dates>
<discovery>2015-04-16</discovery>
<entry>2015-12-29</entry>
<modified>2015-12-29</modified>
</dates>
</vuln>
<vuln vid="4bae544d-06a3-4352-938c-b3bcbca89298">
<topic>ffmpeg -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libav</name>
<!-- no known fixed version -->
<range><ge>0</ge></range>
</package>
<package>
<name>gstreamer-ffmpeg</name>
<!-- gst-ffmpeg-0.10.13 has libav-0.7.2 (0.7.7 in freebsd port) -->
<!-- no known fixed version -->
<range><ge>0</ge></range>
</package>
<package>
<name>handbrake</name>
<!-- handbrake prior to 1.2.0 has libav-10.1 -->
<!-- backend library has been switched from libav to ffmpeg since 1.2.0 -->
<range><lt>1.2.0</lt></range>
</package>
<package>
<name>ffmpeg</name>
<range><ge>2.8,1</ge><lt>2.8.4,1</lt></range>
<range><lt>2.7.4,1</lt></range>
</package>
<package>
<name>ffmpeg26</name>
<range><lt>2.6.6</lt></range>
</package>
<package>
<name>ffmpeg25</name>
<range><lt>2.5.9</lt></range>
</package>
<package>
<name>ffmpeg24</name>
<range><lt>2.4.12</lt></range>
</package>
<package>
<name>ffmpeg-devel</name>
<name>ffmpeg23</name>
<name>ffmpeg2</name>
<name>ffmpeg1</name>
<name>ffmpeg-011</name>
<name>ffmpeg0</name>
<!-- no known fixed version -->
<range><ge>0</ge></range>
</package>
<package>
<name>avidemux</name>
<name>avidemux2</name>
<name>avidemux26</name>
<!-- avidemux-2.6.10 has ffmpeg-2.6.1 -->
<!-- no known fixed version -->
<range><le>2.6.11</le></range>
</package>
<package>
<name>kodi</name>
<!-- kodi-15.2 has ffmpeg-2.6.4 -->
<range><lt>16.0</lt></range>
</package>
<package>
<name>mplayer</name>
<name>mencoder</name>
<!-- mplayer-1.2.r20151219 has ffmpeg-2.8.3 -->
<range><lt>1.2.r20151219_1</lt></range>
</package>
<package>
<name>mythtv</name>
<name>mythtv-frontend</name>
<!-- mythtv-0.27.0.20140121 has ffmpeg-1.2.2+ (snapshot, f9c8726) -->
<range><le>0.27.5,1</le></range>
</package>
<package>
<name>plexhometheater</name>
<!-- plexhometheater-1.4.1 has ffmpeg-0.10.2 fork -->
<!-- no known fixed version -->
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8662">
<p>The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in
FFmpeg before 2.8.4 does not validate the number of
decomposition levels before proceeding with Discrete Wavelet
Transform decoding, which allows remote attackers to cause a
denial of service (out-of-bounds array access) or possibly
have unspecified other impact via crafted JPEG 2000
data.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8663">
<p>The ff_get_buffer function in libavcodec/utils.c in
FFmpeg before 2.8.4 preserves width and height values after
a failure, which allows remote attackers to cause a denial
of service (out-of-bounds array access) or possibly have
unspecified other impact via a crafted .mov file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8662</cvename>
<cvename>CVE-2015-8663</cvename>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=75422280fbcdfbe9dc56bde5525b4d8b280f1bc5</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=abee0a1c60612e8638640a8a3738fffb65e16dbf</url>
<url>https://ffmpeg.org/security.html</url>
</references>
<dates>
<discovery>2015-12-20</discovery>
<entry>2015-12-28</entry>
<modified>2018-03-25</modified>
</dates>
</vuln>
<vuln vid="10f7bc76-0335-4a88-b391-0b05b3a8ce1c">
<topic>NSS -- MD5 downgrade in TLS 1.2 signatures</topic>
<affects>
<package>
<name>nss</name>
<name>linux-c6-nss</name>
<range><ge>3.20</ge><lt>3.20.2</lt></range>
<range><lt>3.19.2.2</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>43.0.2,1</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>38.5.1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.40</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/">
<p>Security researcher Karthikeyan Bhargavan reported an
issue in Network Security Services (NSS) where MD5
signatures in the server signature within the TLS 1.2
ServerKeyExchange message are still accepted. This is an
issue since NSS has officially disallowed accepting MD5
as a hash algorithm in signatures since 2011. This issue
exposes NSS-based clients such as Firefox to theoretical
collision-based forgery attacks.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7575</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-150/</url>
<url>https://hg.mozilla.org/projects/nss/rev/94e1157f3fbb</url>
</references>
<dates>
<discovery>2015-12-22</discovery>
<entry>2015-12-28</entry>
</dates>
</vuln>
<vuln vid="88f75070-abcf-11e5-83d3-6805ca0b3d42">
<topic>phpMyAdmin -- path disclosure vulnerability</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><ge>4.5.0</ge><lt>4.5.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2015-6/">
<p>By calling some scripts that are part of phpMyAdmin in an
unexpected way, it is possible to trigger phpMyAdmin to
display a PHP error message which contains the full path of
the directory where phpMyAdmin is installed.</p>
<p>We consider these vulnerabilities to be non-critical.</p>
<p>This path disclosure is possible on servers where the
recommended setting of the PHP configuration directive
display_errors is set to on, which is against the
recommendations given in the PHP manual for a production
server.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2015-6/</url>
<cvename>CVE-2015-8669</cvename>
</references>
<dates>
<discovery>2015-12-25</discovery>
<entry>2015-12-26</entry>
</dates>
</vuln>
<vuln vid="876768aa-ab1e-11e5-8a30-5453ed2e2b49">
<topic>dpkg -- stack-based buffer overflow</topic>
<affects>
<package>
<name>dpkg</name>
<range><lt>1.16.17</lt></range>
<range><lt>1.17.26</lt></range>
<range><lt>1.18.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Salvatore Bonaccorso reports:</p>
<blockquote cite="https://lists.debian.org/debian-security-announce/2015/msg00312.html">
<p>Hanno Boeck discovered a stack-based buffer overflow in the
dpkg-deb component of dpkg, the Debian package management system.
This flaw could potentially lead to arbitrary code execution if a
user or an automated system were tricked into processing a specially
crafted Debian binary package (.deb) in the old style Debian binary
package format.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0860</cvename>
<url>http://openwall.com/lists/oss-security/2015/11/26/3</url>
<url>https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?id=f1aac7d933819569bf6f347c3c0d5a64a90bbce0</url>
</references>
<dates>
<discovery>2015-11-26</discovery>
<entry>2015-12-25</entry>
</dates>
</vuln>
<vuln vid="e1b5318c-aa4d-11e5-8f5c-002590263bf5">
<topic>mantis -- information disclosure vulnerability</topic>
<affects>
<package>
<name>mantis</name>
<range><lt>1.2.19_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mantis reports:</p>
<blockquote cite="https://mantisbt.org/bugs/view.php?id=19873">
<p>CVE-2015-5059: documentation in private projects can be seen by
every user</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5059</cvename>
<freebsdpr>ports/201106</freebsdpr>
<url>https://mantisbt.org/bugs/view.php?id=19873</url>
<url>http://openwall.com/lists/oss-security/2015/06/25/3</url>
</references>
<dates>
<discovery>2015-06-23</discovery>
<entry>2015-12-24</entry>
</dates>
</vuln>
<vuln vid="f36bbd66-aa44-11e5-8f5c-002590263bf5">
<topic>mediawiki -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mediawiki123</name>
<range><lt>1.23.12</lt></range>
</package>
<package>
<name>mediawiki124</name>
<range><lt>1.24.5</lt></range>
</package>
<package>
<name>mediawiki125</name>
<range><lt>1.25.4</lt></range>
</package>
<package>
<name>mediawiki126</name>
<range><lt>1.26.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MediaWiki reports:</p>
<blockquote cite="https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.html">
<p>(T117899) SECURITY: $wgArticlePath can no longer be set to relative
paths that do not begin with a slash. This enabled trivial XSS
attacks. Configuration values such as "http://my.wiki.com/wiki/$1"
are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is
not and will now throw an error.</p>
<p>(T119309) SECURITY: Use hash_compare() for edit token comparison.
</p>
<p>(T118032) SECURITY: Don't allow cURL to interpret POST parameters
starting with '@' as file uploads.</p>
<p>(T115522) SECURITY: Passwords generated by User::randomPassword()
can no longer be shorter than $wgMinimalPasswordLength.</p>
<p>(T97897) SECURITY: Improve IP parsing and trimming. Previous
behavior could result in improper blocks being issued.</p>
<p>(T109724) SECURITY: Special:MyPage, Special:MyTalk,
Special:MyContributions and related pages no longer use HTTP
redirects and are now redirected by MediaWiki.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8622</cvename>
<cvename>CVE-2015-8623</cvename>
<cvename>CVE-2015-8624</cvename>
<cvename>CVE-2015-8625</cvename>
<cvename>CVE-2015-8626</cvename>
<cvename>CVE-2015-8627</cvename>
<cvename>CVE-2015-8628</cvename>
<url>https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.html</url>
<url>https://phabricator.wikimedia.org/T117899</url>
<url>https://phabricator.wikimedia.org/T119309</url>
<url>https://phabricator.wikimedia.org/T118032</url>
<url>https://phabricator.wikimedia.org/T115522</url>
<url>https://phabricator.wikimedia.org/T97897</url>
<url>https://phabricator.wikimedia.org/T109724</url>
<url>http://www.openwall.com/lists/oss-security/2015/12/23/7</url>
</references>
<dates>
<discovery>2015-12-18</discovery>
<entry>2015-12-24</entry>
</dates>
</vuln>
<vuln vid="3b50881d-1860-4721-aab1-503290e23f6c">
<topic>Ruby -- unsafe tainted string vulnerability</topic>
<affects>
<package>
<name>ruby</name>
<range><ge>2.0.0,1</ge><lt>2.0.0.648,1</lt></range>
<range><ge>2.1.0,1</ge><lt>2.1.8,1</lt></range>
<range><ge>2.2.0,1</ge><lt>2.2.4,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby developer reports:</p>
<blockquote cite="https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/">
<p>There is an unsafe tainted string vulnerability in Fiddle and DL.
This issue was originally reported and fixed with CVE-2009-5147 in
DL, but reappeared after DL was reimplemented using Fiddle and
libffi.</p>
<p>And, about DL, CVE-2009-5147 was fixed at Ruby 1.9.1, but not
fixed at other branches, then rubies which bundled DL except Ruby
1.9.1 are still vulnerable.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/</url>
<cvename>CVE-2015-7551</cvename>
</references>
<dates>
<discovery>2015-12-16</discovery>
<entry>2015-12-23</entry>
</dates>
</vuln>
<vuln vid="54075861-a95a-11e5-8b40-20cf30e32f6d">
<topic>Bugzilla security issues</topic>
<affects>
<package>
<name>bugzilla44</name>
<range><lt>4.4.11</lt></range>
</package>
<package>
<name>bugzilla50</name>
<range><lt>5.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Bugzilla Security Advisory</p>
<blockquote cite="https://www.bugzilla.org/security/4.2.15/">
<p>During the generation of a dependency graph, the code for
the HTML image map is generated locally if a local dot
installation is used. With escaped HTML characters in a bug
summary, it is possible to inject unfiltered HTML code in
the map file which the CreateImagemap function generates.
This could be used for a cross-site scripting attack.</p>
<p>If an external HTML page contains a &lt;script&gt; element with
its src attribute pointing to a buglist in CSV format, some
web browsers incorrectly try to parse the CSV file as valid
JavaScript code. As the buglist is generated based on the
privileges of the user logged into Bugzilla, the external
page could collect confidential data contained in the CSV
file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8508</cvename>
<cvename>CVE-2015-8509</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=1221518</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=1232785</url>
</references>
<dates>
<discovery>2015-12-22</discovery>
<entry>2015-12-23</entry>
</dates>
</vuln>
<vuln vid="d6c51737-a84b-11e5-8f5c-002590263bf5">
<topic>librsvg2 -- denial of service vulnerability</topic>
<affects>
<package>
<name>librsvg2</name>
<range><lt>2.40.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adam Maris, Red Hat Product Security, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/21/5">
<p>CVE-2015-7558: Stack exhaustion due to a cyclic dependency, causing
an application to crash, was found in librsvg2 while parsing an SVG file.
It has been fixed in 2.40.12 by many commits that have rewritten the
checks for cyclic references.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7558</cvename>
<freebsdpr>ports/205502</freebsdpr>
<url>http://www.openwall.com/lists/oss-security/2015/12/21/5</url>
<url>https://bugzilla.redhat.com/1268243</url>
</references>
<dates>
<discovery>2015-10-02</discovery>
<entry>2015-12-22</entry>
</dates>
</vuln>
<vuln vid="da634091-a84a-11e5-8f5c-002590263bf5">
<topic>librsvg2 -- denial of service vulnerability</topic>
<affects>
<package>
<name>librsvg2</name>
<range><lt>2.40.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adam Maris, Red Hat Product Security, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/21/5">
<p>CVE-2015-7557: Out-of-bounds heap read in librsvg2 was found when
parsing SVG file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7557</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/12/21/5</url>
<url>https://git.gnome.org/browse/librsvg/commit/rsvg-shapes.c?id=40af93e6eb1c94b90c3b9a0b87e0840e126bb8df</url>
</references>
<dates>
<discovery>2015-02-06</discovery>
<entry>2015-12-22</entry>
</dates>
</vuln>
<vuln vid="9e7306b9-a5c3-11e5-b864-14dae9d210b8">
<topic>quassel -- remote denial of service</topic>
<affects>
<package>
<name>quassel</name>
<range><lt>0.12.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Pierre Schweitzer reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/12/1">
<p>Any client sending the command "/op *" in a query will
cause the Quassel core to crash.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2015/12/12/1</url>
<cvename>CVE-2015-8547</cvename>
</references>
<dates>
<discovery>2015-11-22</discovery>
<entry>2015-12-18</entry>
</dates>
</vuln>
<vuln vid="f714b4c9-a6c1-11e5-88d7-047d7b492d07">
<topic>libvirt -- ACL bypass using ../ to access beyond storage pool</topic>
<affects>
<package>
<name>libvirt</name>
<range><ge>1.1.0</ge><lt>1.2.19_2</lt></range>
<range><ge>1.2.20</ge><lt>1.3.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Libvirt development team reports:</p>
<blockquote cite="http://security.libvirt.org/2015/0004.html">
<p>Various virStorageVol* API operate on user-supplied volume names by
concatenating the volume name to the pool location. Note that the
virStoragePoolListVolumes API, when used on a storage pool backed by
a directory in a file system, will only list volumes immediately in
that directory (there is no traversal into subdirectories). However,
other APIs such as virStorageVolCreateXML were not checking if a
potential volume name represented one of the volumes that could be
returned by virStoragePoolListVolumes; because they were not rejecting
the use of '/' in a volume name.</p>
<p>Because no checking was done on volume names, a user could supply
a potential volume name of something like '../../../etc/passwd' to
attempt to access a file not belonging to the storage pool. When
fine-grained Access Control Lists (ACL) are in effect, a user with
storage_vol:create ACL permission but lacking domain:write permission
could thus abuse virStorageVolCreateXML and similar APIs to gain
access to files not normally permitted to that user. Fortunately, it
appears that the only APIs that could leak information or corrupt
files require read-write connection to libvirtd; and when ACLs are not
in use (the default without any further configuration), a user with
read-write access can already be considered to have full access to the
machine, and without an escalation of privilege there is no security
problem.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5313</cvename>
<url>http://security.libvirt.org/2015/0004.html</url>
</references>
<dates>
<discovery>2015-10-30</discovery>
<entry>2015-12-20</entry>
</dates>
</vuln>
<vuln vid="ef434839-a6a4-11e5-8275-000c292e4fd8">
<topic>samba -- multiple vulnerabilities</topic>
<affects>
<package>
<name>samba36</name>
<range><ge>3.6.0</ge><lt>3.6.25_2</lt></range>
</package>
<package>
<name>samba4</name>
<range><ge>4.0.0</ge><le>4.0.26</le></range>
</package>
<package>
<name>samba41</name>
<range><ge>4.1.0</ge><lt>4.1.22</lt></range>
</package>
<package>
<name>samba42</name>
<range><ge>4.2.0</ge><lt>4.2.7</lt></range>
</package>
<package>
<name>samba43</name>
<range><ge>4.3.0</ge><lt>4.3.3</lt></range>
</package>
<package>
<name>ldb</name>
<range><ge>1.0.0</ge><lt>1.1.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samba team reports:</p>
<blockquote cite="https://www.samba.org/samba/latest_news.html#4.3.3">
<p>[CVE-2015-3223] Malicious request can cause Samba LDAP server to hang, spinning using CPU.</p>
<p>[CVE-2015-5330] Malicious request can cause Samba LDAP server
to return uninitialized memory that should not be part of the reply.</p>
<p>[CVE-2015-5296] Requesting encryption should also request
signing when setting up the connection to protect against man-in-the-middle attacks.</p>
<p>[CVE-2015-5299] A missing access control check in the VFS
shadow_copy2 module could allow unauthorized users to access snapshots.</p>
<p>[CVE-2015-7540] Malicious request can cause Samba LDAP server to return crash.</p>
<p>[CVE-2015-8467] Samba can expose Windows DCs to MS15-096
Denial of service via the creation of multiple machine accounts (the Microsoft issue is CVE-2015-2535).</p>
<p>[CVE-2015-5252] Insufficient symlink verification could allow data access outside share path.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3223</cvename>
<url>https://www.samba.org/samba/security/CVE-2015-3223.html</url>
<cvename>CVE-2015-5252</cvename>
<url>https://www.samba.org/samba/security/CVE-2015-5252.html</url>
<cvename>CVE-2015-5296</cvename>
<url>https://www.samba.org/samba/security/CVE-2015-5296.html</url>
<cvename>CVE-2015-5299</cvename>
<url>https://www.samba.org/samba/security/CVE-2015-5299.html</url>
<cvename>CVE-2015-5330</cvename>
<url>https://www.samba.org/samba/security/CVE-2015-5330.html</url>
<cvename>CVE-2015-7540</cvename>
<url>https://www.samba.org/samba/security/CVE-2015-7540.html</url>
<cvename>CVE-2015-8467</cvename>
<url>https://www.samba.org/samba/security/CVE-2015-8467.html</url>
</references>
<dates>
<discovery>2015-12-16</discovery>
<entry>2015-12-19</entry>
<modified>2016-02-05</modified>
</dates>
</vuln>
<vuln vid="bb7d4791-a5bf-11e5-a0e5-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>47.0.2526.106</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2015/12/stable-channel-update_15.html">
<p>2 security fixes in this release, including:</p>
<ul>
<li>[569486] CVE-2015-6792: Fixes from internal audits and
fuzzing.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-6792</cvename>
<url>http://googlechromereleases.blogspot.nl/2015/12/stable-channel-update_15.html</url>
</references>
<dates>
<discovery>2015-12-16</discovery>
<entry>2015-12-18</entry>
</dates>
</vuln>
<vuln vid="7329938b-a4e6-11e5-b864-14dae9d210b8">
<topic>cups-filters -- code execution</topic>
<affects>
<package>
<name>cups-filters</name>
<range><lt>1.4.0</lt></range>
</package>
<package>
<name>foomatic-filters</name>
<range><lt>4.0.17_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Till Kamppeter reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/14/13">
<p>Cups Filters/Foomatic Filters does not consider semicolon
as an illegal escape character.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2015/12/14/13</url>
<cvename>CVE-2015-8560</cvename>
</references>
<dates>
<discovery>2015-12-12</discovery>
<entry>2015-12-17</entry>
</dates>
</vuln>
<vuln vid="6dbae1a8-a4e6-11e5-b864-14dae9d210b8">
<topic>cups-filters -- code execution</topic>
<affects>
<package>
<name>cups-filters</name>
<range><lt>1.2.0</lt></range>
</package>
<package>
<name>foomatic-filters</name>
<range><lt>4.0.17_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Salvatore Bonaccorso reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/13/2">
<p>Cups Filters/Foomatic Filters does not consider backtick
as an illegal escape character.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2015/12/13/2</url>
<cvename>CVE-2015-8327</cvename>
</references>
<dates>
<discovery>2015-10-30</discovery>
<entry>2015-12-17</entry>
</dates>
</vuln>
<vuln vid="1fbd6db1-a4e4-11e5-b864-14dae9d210b8">
<topic>py-amf -- input sanitization errors</topic>
<affects>
<package>
<name>py27-amf</name>
<name>py32-amf</name>
<name>py33-amf</name>
<name>py34-amf</name>
<range><lt>0.8.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>oCERT reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2015-011.html">
<p>A specially crafted AMF payload, containing malicious
references to XML external entities, can be used to trigger Denial of
Service (DoS) conditions or arbitrarily return the contents of files
that are accessible with the running application privileges.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.ocert.org/advisories/ocert-2015-011.html</url>
<cvename>CVE-2015-8549</cvename>
</references>
<dates>
<discovery>2015-12-01</discovery>
<entry>2015-12-17</entry>
</dates>
</vuln>
<vuln vid="a9f60ce8-a4e0-11e5-b864-14dae9d210b8">
<topic>joomla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>joomla3</name>
<range><lt>3.4.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The JSST and the Joomla! Security Center report:</p>
<blockquote cite="https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html">
<h2>[20151201] - Core - Remote Code Execution Vulnerability</h2>
<p>Browser information is not filtered properly while saving the
session values into the database which leads to a Remote Code
Execution vulnerability.</p>
</blockquote>
<blockquote cite="https://developer.joomla.org/security-centre/633-20151214-core-csrf-hardening.html">
<h2>[20151202] - Core - CSRF Hardening</h2>
<p>Add additional CSRF hardening in com_templates.</p>
</blockquote>
<blockquote cite="https://developer.joomla.org/security-centre/634-20151214-core-directory-traversal.html">
<h2>[20151203] - Core - Directory Traversal</h2>
<p>Failure to properly sanitize input data from the XML install file
located within an extension's package archive allows for directory
traversal.</p>
</blockquote>
<blockquote cite="https://developer.joomla.org/security-centre/635-20151214-core-directory-traversal-2.html">
<h2>[20151204] - Core - Directory Traversal</h2>
<p>Inadequate filtering of request data leads to a Directory Traversal
vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.joomla.org/announcements/release-news/5641-joomla-3-4-6-released.html</url>
<cvename>CVE-2015-8562</cvename>
<cvename>CVE-2015-8563</cvename>
<cvename>CVE-2015-8564</cvename>
<cvename>CVE-2015-8565</cvename>
<url>https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html</url>
<url>https://developer.joomla.org/security-centre/633-20151214-core-csrf-hardening.html</url>
<url>https://developer.joomla.org/security-centre/634-20151214-core-directory-traversal.html</url>
<url>https://developer.joomla.org/security-centre/635-20151214-core-directory-traversal-2.html</url>
</references>
<dates>
<discovery>2015-12-14</discovery>
<entry>2015-12-17</entry>
<modified>2016-12-22</modified>
</dates>
</vuln>
<vuln vid="a8ec4db7-a398-11e5-85e9-14dae9d210b8">
<topic>bind -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.8P2</lt></range>
</package>
<package>
<name>bind910</name>
<range><lt>9.10.3P2</lt></range>
</package>
<package>
<name>bind9-devel</name>
<range><lt>9.11.0.a20151215</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>9.3</ge><lt>9.3_32</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01328/0/BIND-9.10.3-P2-Release-Notes.html">
<p>Named is potentially vulnerable to the OpenSSL vulnerability described in CVE-2015-3193.</p>
<p>Incorrect reference counting could result in an INSIST
failure if a socket error occurred while performing a lookup. This flaw
is disclosed in CVE-2015-8461. [RT#40945]</p>
<p>Insufficient testing when parsing a message allowed records
with an incorrect class to be accepted, triggering a REQUIRE failure
when those records were subsequently cached. This flaw is disclosed in
CVE-2015-8000. [RT #40987]</p>
</blockquote>
</body>
</description>
<references>
<url>https://kb.isc.org/article/AA-01328/0/BIND-9.10.3-P2-Release-Notes.html</url>
<url>https://kb.isc.org/article/AA-01317/0/CVE-2015-8000%3A-Responses-with-a-malformed-class-attribute-can-trigger-an-assertion-failure-in-db.c.html</url>
<url>https://kb.isc.org/article/AA-01319/0/CVE-2015-8461%3A-A-race-condition-when-handling-socket-errors-can-lead-to-an-assertion-failure-in-resolver.c.html</url>
<cvename>CVE-2015-3193</cvename>
<cvename>CVE-2015-8000</cvename>
<cvename>CVE-2015-8461</cvename>
<freebsdsa>SA-15:27.bind</freebsdsa>
</references>
<dates>
<discovery>2015-11-24</discovery>
<entry>2015-12-16</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="2c2d1c39-1396-459a-91f5-ca03ee7c64c6">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>43.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>43.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.40</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.40</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>38.5.0,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><lt>38.5.0</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>38.5.0</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>38.5.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/">
<p>MFSA 2015-134 Miscellaneous memory safety hazards
(rv:43.0 / rv:38.5)</p>
<p>MFSA 2015-135 Crash with JavaScript variable assignment
with unboxed objects</p>
<p>MFSA 2015-136 Same-origin policy violation using
performance.getEntries and history navigation</p>
<p>MFSA 2015-137 Firefox allows for control characters to be
set in cookies</p>
<p>MFSA 2015-138 Use-after-free in WebRTC when datachannel
is used after being destroyed</p>
<p>MFSA 2015-139 Integer overflow allocating extremely large
textures</p>
<p>MFSA 2015-140 Cross-origin information leak through web
workers error events</p>
<p>MFSA 2015-141 Hash in data URI is incorrectly parsed</p>
<p>MFSA 2015-142 DOS due to malformed frames in HTTP/2</p>
<p>MFSA 2015-143 Linux file chooser crashes on malformed
images due to flaws in Jasper library</p>
<p>MFSA 2015-144 Buffer overflows found through code
inspection</p>
<p>MFSA 2015-145 Underflow through code inspection</p>
<p>MFSA 2015-146 Integer overflow in MP4 playback in 64-bit
versions</p>
<p>MFSA 2015-147 Integer underflow and buffer overflow
processing MP4 metadata in libstagefright</p>
<p>MFSA 2015-148 Privilege escalation vulnerabilities in
WebExtension APIs</p>
<p>MFSA 2015-149 Cross-site reading attack through data and
view-source URIs</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7201</cvename>
<cvename>CVE-2015-7202</cvename>
<cvename>CVE-2015-7203</cvename>
<cvename>CVE-2015-7204</cvename>
<cvename>CVE-2015-7205</cvename>
<cvename>CVE-2015-7207</cvename>
<cvename>CVE-2015-7208</cvename>
<cvename>CVE-2015-7210</cvename>
<cvename>CVE-2015-7211</cvename>
<cvename>CVE-2015-7212</cvename>
<cvename>CVE-2015-7213</cvename>
<cvename>CVE-2015-7214</cvename>
<cvename>CVE-2015-7215</cvename>
<cvename>CVE-2015-7216</cvename>
<cvename>CVE-2015-7217</cvename>
<cvename>CVE-2015-7218</cvename>
<cvename>CVE-2015-7219</cvename>
<cvename>CVE-2015-7220</cvename>
<cvename>CVE-2015-7221</cvename>
<cvename>CVE-2015-7222</cvename>
<cvename>CVE-2015-7223</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-134/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-135/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-136/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-137/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-138/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-139/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-140/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-141/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-142/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-143/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-144/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-145/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-146/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-147/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-148/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-149/</url>
</references>
<dates>
<discovery>2015-12-15</discovery>
<entry>2015-12-15</entry>
</dates>
</vuln>
<vuln vid="a5934ba8-a376-11e5-85e9-14dae9d210b8">
<topic>java -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openjdk8</name>
<name>openjdk8-jre</name>
<range><lt>8.66.17</lt></range>
</package>
<package>
<name>openjdk7</name>
<name>openjdk7-jre</name>
<range><lt>7.91.02,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Oracle reports:</p>
<blockquote cite="http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA">
<p>This Critical Patch Update contains 25 new security fixes
for Oracle Java SE. 24 of these vulnerabilities may be remotely
exploitable without authentication, i.e., may be exploited over a
network without the need for a username and password.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA</url>
<cvename>CVE-2015-4835</cvename>
<cvename>CVE-2015-4881</cvename>
<cvename>CVE-2015-4843</cvename>
<cvename>CVE-2015-4883</cvename>
<cvename>CVE-2015-4860</cvename>
<cvename>CVE-2015-4805</cvename>
<cvename>CVE-2015-4844</cvename>
<cvename>CVE-2015-4901</cvename>
<cvename>CVE-2015-4868</cvename>
<cvename>CVE-2015-4810</cvename>
<cvename>CVE-2015-4806</cvename>
<cvename>CVE-2015-4871</cvename>
<cvename>CVE-2015-4902</cvename>
<cvename>CVE-2015-4840</cvename>
<cvename>CVE-2015-4882</cvename>
<cvename>CVE-2015-4842</cvename>
<cvename>CVE-2015-4734</cvename>
<cvename>CVE-2015-4903</cvename>
<cvename>CVE-2015-4803</cvename>
<cvename>CVE-2015-4893</cvename>
<cvename>CVE-2015-4911</cvename>
<cvename>CVE-2015-4872</cvename>
<cvename>CVE-2015-4906</cvename>
<cvename>CVE-2015-4916</cvename>
<cvename>CVE-2015-4908</cvename>
</references>
<dates>
<discovery>2015-10-20</discovery>
<entry>2015-12-15</entry>
<modified>2016-01-08</modified>
</dates>
</vuln>
<vuln vid="daadef86-a366-11e5-8b40-20cf30e32f6d">
<topic>subversion -- multiple vulnerabilities</topic>
<affects>
<package>
<name>subversion17</name>
<range><ge>1.7.0</ge><lt>1.7.22_1</lt></range>
</package>
<package>
<name>subversion18</name>
<range><ge>1.8.0</ge><lt>1.8.15</lt></range>
</package>
<package>
<name>subversion</name>
<range><ge>1.9.0</ge><lt>1.9.3</lt></range>
</package>
<package>
<name>mod_dav_svn</name>
<range><ge>1.7.0</ge><lt>1.7.22_1</lt></range>
<range><ge>1.8.0</ge><lt>1.8.15</lt></range>
<range><ge>1.9.0</ge><lt>1.9.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Subversion Project reports:</p>
<blockquote cite="http://subversion.apache.org/security/">
<p>Remotely triggerable heap overflow and out-of-bounds read caused
by integer overflow in the svn:// protocol parser.</p>
<p>Remotely triggerable heap overflow and out-of-bounds read in
mod_dav_svn caused by integer overflow when parsing skel-encoded
request bodies.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5343</cvename>
<url>http://subversion.apache.org/security/CVE-2015-5343-advisory.txt</url>
<cvename>CVE-2015-5259</cvename>
<url>http://subversion.apache.org/security/CVE-2015-5259-advisory.txt</url>
</references>
<dates>
<discovery>2015-11-14</discovery>
<entry>2015-12-15</entry>
</dates>
</vuln>
<vuln vid="72c145df-a1e0-11e5-8ad0-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<!--pcbsd-->
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>47.0.2526.80</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2015/12/stable-channel-update_8.html">
<p>7 security fixes in this release, including:</p>
<ul>
<li>[548273] High CVE-2015-6788: Type confusion in extensions.
Credit to anonymous.</li>
<li>[557981] High CVE-2015-6789: Use-after-free in Blink. Credit to
cloudfuzzer.</li>
<li>[542054] Medium CVE-2015-6790: Escaping issue in saved pages.
Credit to Inti De Ceukelaire.</li>
<li>[567513] CVE-2015-6791: Various fixes from internal audits,
fuzzing and other initiatives.</li>
<li>Multiple vulnerabilities in V8 fixed at the tip of the 4.7
branch (currently 4.7.80.23).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-6788</cvename>
<cvename>CVE-2015-6789</cvename>
<cvename>CVE-2015-6790</cvename>
<cvename>CVE-2015-6791</cvename>
<url>http://googlechromereleases.blogspot.nl/2015/12/stable-channel-update_8.html</url>
</references>
<dates>
<discovery>2015-12-08</discovery>
<entry>2015-12-13</entry>
</dates>
</vuln>
<vuln vid="33459061-a1d6-11e5-8794-bcaec565249c">
<topic>freeimage -- multiple integer overflows</topic>
<affects>
<package>
<name>freeimage</name>
<range><lt>3.16.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Pcheng pcheng reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/08/28/1">
<p>An integer overflow issue in the FreeImage project was
reported and fixed recently.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0852</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/08/28/1</url>
</references>
<dates>
<discovery>2015-08-28</discovery>
<entry>2015-12-13</entry>
</dates>
</vuln>
<vuln vid="21bc4d71-9ed8-11e5-8f5c-002590263bf5">
<topic>redmine -- information leak vulnerability</topic>
<affects>
<package>
<name>redmine</name>
<range><lt>2.6.9</lt></range>
<range><ge>3.0.0</ge><lt>3.0.7</lt></range>
<range><ge>3.1.0</ge><lt>3.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Redmine reports:</p>
<blockquote cite="http://www.redmine.org/projects/redmine/wiki/Security_Advisories">
<p>Data disclosure in atom feed.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8537</cvename>
<url>http://www.redmine.org/projects/redmine/wiki/Security_Advisories</url>
</references>
<dates>
<discovery>2015-12-05</discovery>
<entry>2015-12-10</entry>
<modified>2015-12-11</modified>
</dates>
</vuln>
<vuln vid="be63533c-9ed7-11e5-8f5c-002590263bf5">
<topic>redmine -- multiple vulnerabilities</topic>
<affects>
<package>
<name>redmine</name>
<range><lt>2.6.8</lt></range>
<range><ge>3.0.0</ge><lt>3.0.6</lt></range>
<range><ge>3.1.0</ge><lt>3.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Redmine reports:</p>
<blockquote cite="http://www.redmine.org/projects/redmine/wiki/Security_Advisories">
<p>Potential changeset message disclosure in issues API.</p>
<p>Data disclosure on the time logging form</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8346</cvename>
<cvename>CVE-2015-8473</cvename>
<url>http://www.redmine.org/projects/redmine/wiki/Security_Advisories</url>
<url>http://www.openwall.com/lists/oss-security/2015/11/25/12</url>
<url>http://www.openwall.com/lists/oss-security/2015/12/03/7</url>
</references>
<dates>
<discovery>2015-11-14</discovery>
<entry>2015-12-10</entry>
</dates>
</vuln>
<vuln vid="3ec2e0bc-9ed7-11e5-8f5c-002590263bf5">
<topic>redmine -- open redirect vulnerability</topic>
<affects>
<package>
<name>redmine</name>
<range><ge>2.5.1</ge><lt>2.6.7</lt></range>
<range><ge>3.0.0</ge><lt>3.0.5</lt></range>
<range><eq>3.1.0</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Redmine reports:</p>
<blockquote cite="http://www.redmine.org/projects/redmine/wiki/Security_Advisories">
<p>Open Redirect vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8474</cvename>
<url>http://www.redmine.org/projects/redmine/wiki/Security_Advisories</url>
<url>http://www.openwall.com/lists/oss-security/2015/12/04/1</url>
</references>
<dates>
<discovery>2015-09-20</discovery>
<entry>2015-12-10</entry>
</dates>
</vuln>
<vuln vid="939a7086-9ed6-11e5-8f5c-002590263bf5">
<topic>redmine -- potential XSS vulnerability</topic>
<affects>
<package>
<name>redmine</name>
<range><lt>2.6.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Redmine reports:</p>
<blockquote cite="http://www.redmine.org/projects/redmine/wiki/Security_Advisories">
<p>Potential XSS vulnerability when rendering some flash messages.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8477</cvename>
<url>http://www.redmine.org/projects/redmine/wiki/Security_Advisories</url>
<url>http://www.openwall.com/lists/oss-security/2015/12/05/6</url>
</references>
<dates>
<discovery>2015-02-19</discovery>
<entry>2015-12-10</entry>
</dates>
</vuln>
<vuln vid="49def4b7-9ed6-11e5-8f5c-002590263bf5">
<topic>redmine -- information leak vulnerability</topic>
<affects>
<package>
<name>redmine</name>
<range><lt>2.4.6</lt></range>
<range><ge>2.5.0</ge><lt>2.5.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Redmine reports:</p>
<blockquote cite="http://www.redmine.org/projects/redmine/wiki/Security_Advisories">
<p>Potential data leak (project names) in the invalid form
authenticity token error screen.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.redmine.org/projects/redmine/wiki/Security_Advisories</url>
</references>
<dates>
<discovery>2014-07-06</discovery>
<entry>2015-12-10</entry>
</dates>
</vuln>
<vuln vid="c2efcd46-9ed5-11e5-8f5c-002590263bf5">
<topic>redmine -- open redirect vulnerability</topic>
<affects>
<package>
<name>redmine</name>
<range><lt>2.4.5</lt></range>
<range><eq>2.5.0</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Redmine reports:</p>
<blockquote cite="http://www.redmine.org/projects/redmine/wiki/Security_Advisories">
<p>Open Redirect vulnerability</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-1985</cvename>
<url>http://www.redmine.org/projects/redmine/wiki/Security_Advisories</url>
<url>https://jvn.jp/en/jp/JVN93004610/index.html</url>
</references>
<dates>
<discovery>2014-03-29</discovery>
<entry>2015-12-10</entry>
</dates>
</vuln>
<vuln vid="66ba5931-9ed5-11e5-8f5c-002590263bf5">
<topic>redmine -- XSS vulnerability</topic>
<affects>
<package>
<name>redmine</name>
<range><ge>2.1.0</ge><lt>2.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Redmine reports:</p>
<blockquote cite="http://www.redmine.org/projects/redmine/wiki/Security_Advisories">
<p>XSS vulnerability</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.redmine.org/projects/redmine/wiki/Security_Advisories</url>
</references>
<dates>
<discovery>2012-09-30</discovery>
<entry>2015-12-10</entry>
</dates>
</vuln>
<vuln vid="0e0385d1-9ed5-11e5-8f5c-002590263bf5">
<topic>redmine -- multiple vulnerabilities</topic>
<affects>
<package>
<name>redmine</name>
<range><lt>1.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Redmine reports:</p>
<blockquote cite="http://www.redmine.org/projects/redmine/wiki/Security_Advisories">
<p>Mass-assignment vulnerability that would allow an attacker to
bypass part of the security checks.</p>
<p>Persistent XSS vulnerability</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0327</cvename>
<url>http://www.redmine.org/projects/redmine/wiki/Security_Advisories</url>
<url>http://jvn.jp/en/jp/JVN93406632/</url>
</references>
<dates>
<discovery>2012-03-11</discovery>
<entry>2015-12-10</entry>
</dates>
</vuln>
<vuln vid="ae377aeb-9ed4-11e5-8f5c-002590263bf5">
<topic>redmine -- CSRF protection bypass</topic>
<affects>
<package>
<name>redmine</name>
<range><lt>1.3.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Redmine reports:</p>
<blockquote cite="http://www.redmine.org/projects/redmine/wiki/Security_Advisories">
<p>Vulnerability that would allow an attacker to bypass the CSRF
protection.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.redmine.org/projects/redmine/wiki/Security_Advisories</url>
</references>
<dates>
<discovery>2011-12-10</discovery>
<entry>2015-12-10</entry>
</dates>
</vuln>
<vuln vid="23af0425-9eac-11e5-b937-00e0814cab4e">
<topic>jenkins -- multiple vulnerabilities</topic>
<affects>
<package>
<name>jenkins</name>
<range><le>1.641</le></range>
</package>
<package>
<name>jenkins-lts</name>
<range><le>1.625.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09">
<h1>Description</h1>
<h5>SECURITY-95 / CVE-2015-7536 (Stored XSS vulnerability through workspace files and archived artifacts)</h5>
<p>In certain configurations, low privilege users were able to
create e.g. HTML files in workspaces and archived artifacts that
could result in XSS when accessed by other users. Jenkins now sends
Content-Security-Policy headers that enable sandboxing and
prohibit script execution by default.</p>
<h5>SECURITY-225 / CVE-2015-7537 (CSRF vulnerability in some administrative actions)</h5>
<p>Several administration/configuration related URLs could be
accessed using GET, which allowed attackers to circumvent CSRF
protection.</p>
<h5>SECURITY-233 / CVE-2015-7538 (CSRF protection ineffective)</h5>
<p>Malicious users were able to circumvent CSRF protection on any
URL by sending specially crafted POST requests.</p>
<h5>SECURITY-234 / CVE-2015-7539 (Jenkins plugin manager vulnerable to MITM attacks)</h5>
<p>While the Jenkins update site data is digitally signed, and the
signature verified by Jenkins, Jenkins did not verify the provided
SHA-1 checksums for the plugin files referenced in the update site
data. This enabled MITM attacks on the plugin manager, resulting
in installation of attacker-provided plugins.</p>
</blockquote>
</body>
</description>
<references>
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09</url>
</references>
<dates>
<discovery>2015-12-09</discovery>
<entry>2015-12-09</entry>
</dates>
</vuln>
<vuln vid="c8842a84-9ddd-11e5-8c2f-c485083ca99c">
<topic>flash -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-f10-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<range><lt>11.2r202.554</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-32.html">
<p>
These updates resolve heap buffer overflow vulnerabilities that
could lead to code execution (CVE-2015-8438, CVE-2015-8446).</p>
<p>
These updates resolve memory corruption vulnerabilities that
could lead to code execution (CVE-2015-8444, CVE-2015-8443,
CVE-2015-8417, CVE-2015-8416, CVE-2015-8451, CVE-2015-8047,
CVE-2015-8053, CVE-2015-8045, CVE-2015-8051, CVE-2015-8060,
CVE-2015-8419, CVE-2015-8408).</p>
<p>
These updates resolve security bypass vulnerabilities
(CVE-2015-8453, CVE-2015-8440, CVE-2015-8409).</p>
<p>
These updates resolve a stack overflow vulnerability that
could lead to code execution (CVE-2015-8407).</p>
<p>
These updates resolve a type confusion vulnerability that
could lead to code execution (CVE-2015-8439).</p>
<p>
These updates resolve an integer overflow vulnerability
that could lead to code execution (CVE-2015-8445).</p>
<p>
These updates resolve a buffer overflow vulnerability that
could lead to code execution (CVE-2015-8415).</p>
<p>
These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2015-8050, CVE-2015-8049,
CVE-2015-8437, CVE-2015-8450, CVE-2015-8449, CVE-2015-8448,
CVE-2015-8436, CVE-2015-8452, CVE-2015-8048, CVE-2015-8413,
CVE-2015-8412, CVE-2015-8410, CVE-2015-8411, CVE-2015-8424,
CVE-2015-8422, CVE-2015-8420, CVE-2015-8421, CVE-2015-8423,
CVE-2015-8425, CVE-2015-8433, CVE-2015-8432, CVE-2015-8431,
CVE-2015-8426, CVE-2015-8430, CVE-2015-8427, CVE-2015-8428,
CVE-2015-8429, CVE-2015-8434, CVE-2015-8435, CVE-2015-8414,
CVE-2015-8052, CVE-2015-8059, CVE-2015-8058, CVE-2015-8055,
CVE-2015-8057, CVE-2015-8056, CVE-2015-8061, CVE-2015-8067,
CVE-2015-8066, CVE-2015-8062, CVE-2015-8068, CVE-2015-8064,
CVE-2015-8065, CVE-2015-8063, CVE-2015-8405, CVE-2015-8404,
CVE-2015-8402, CVE-2015-8403, CVE-2015-8071, CVE-2015-8401,
CVE-2015-8406, CVE-2015-8069, CVE-2015-8070, CVE-2015-8441,
CVE-2015-8442, CVE-2015-8447).</p>
</blockquote>
</body>
</description>
<references>
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-32.html</url>
<cvename>CVE-2015-8045</cvename>
<cvename>CVE-2015-8047</cvename>
<cvename>CVE-2015-8048</cvename>
<cvename>CVE-2015-8049</cvename>
<cvename>CVE-2015-8050</cvename>
<cvename>CVE-2015-8051</cvename>
<cvename>CVE-2015-8052</cvename>
<cvename>CVE-2015-8053</cvename>
<cvename>CVE-2015-8054</cvename>
<cvename>CVE-2015-8055</cvename>
<cvename>CVE-2015-8056</cvename>
<cvename>CVE-2015-8057</cvename>
<cvename>CVE-2015-8058</cvename>
<cvename>CVE-2015-8059</cvename>
<cvename>CVE-2015-8060</cvename>
<cvename>CVE-2015-8061</cvename>
<cvename>CVE-2015-8062</cvename>
<cvename>CVE-2015-8063</cvename>
<cvename>CVE-2015-8064</cvename>
<cvename>CVE-2015-8065</cvename>
<cvename>CVE-2015-8066</cvename>
<cvename>CVE-2015-8067</cvename>
<cvename>CVE-2015-8068</cvename>
<cvename>CVE-2015-8069</cvename>
<cvename>CVE-2015-8070</cvename>
<cvename>CVE-2015-8071</cvename>
<cvename>CVE-2015-8401</cvename>
<cvename>CVE-2015-8402</cvename>
<cvename>CVE-2015-8403</cvename>
<cvename>CVE-2015-8404</cvename>
<cvename>CVE-2015-8405</cvename>
<cvename>CVE-2015-8406</cvename>
<cvename>CVE-2015-8407</cvename>
<cvename>CVE-2015-8408</cvename>
<cvename>CVE-2015-8409</cvename>
<cvename>CVE-2015-8410</cvename>
<cvename>CVE-2015-8411</cvename>
<cvename>CVE-2015-8412</cvename>
<cvename>CVE-2015-8413</cvename>
<cvename>CVE-2015-8414</cvename>
<cvename>CVE-2015-8415</cvename>
<cvename>CVE-2015-8416</cvename>
<cvename>CVE-2015-8417</cvename>
<cvename>CVE-2015-8419</cvename>
<cvename>CVE-2015-8420</cvename>
<cvename>CVE-2015-8421</cvename>
<cvename>CVE-2015-8422</cvename>
<cvename>CVE-2015-8423</cvename>
<cvename>CVE-2015-8424</cvename>
<cvename>CVE-2015-8425</cvename>
<cvename>CVE-2015-8426</cvename>
<cvename>CVE-2015-8427</cvename>
<cvename>CVE-2015-8428</cvename>
<cvename>CVE-2015-8429</cvename>
<cvename>CVE-2015-8430</cvename>
<cvename>CVE-2015-8431</cvename>
<cvename>CVE-2015-8432</cvename>
<cvename>CVE-2015-8433</cvename>
<cvename>CVE-2015-8434</cvename>
<cvename>CVE-2015-8435</cvename>
<cvename>CVE-2015-8436</cvename>
<cvename>CVE-2015-8437</cvename>
<cvename>CVE-2015-8438</cvename>
<cvename>CVE-2015-8439</cvename>
<cvename>CVE-2015-8440</cvename>
<cvename>CVE-2015-8441</cvename>
<cvename>CVE-2015-8442</cvename>
<cvename>CVE-2015-8443</cvename>
<cvename>CVE-2015-8444</cvename>
<cvename>CVE-2015-8445</cvename>
<cvename>CVE-2015-8446</cvename>
<cvename>CVE-2015-8447</cvename>
<cvename>CVE-2015-8448</cvename>
<cvename>CVE-2015-8449</cvename>
<cvename>CVE-2015-8450</cvename>
<cvename>CVE-2015-8451</cvename>
<cvename>CVE-2015-8452</cvename>
<cvename>CVE-2015-8453</cvename>
</references>
<dates>
<discovery>2015-12-08</discovery>
<entry>2015-12-08</entry>
</dates>
</vuln>
<vuln vid="215e740e-9c56-11e5-90e7-b499baebfeaf">
<topic>libressl -- NULL pointer dereference</topic>
<affects>
<package>
<name>libressl</name>
<range><lt>2.2.5</lt></range>
<range><ge>2.3.0</ge><lt>2.3.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenBSD project reports:</p>
<blockquote cite="https://marc.info/?l=openbsd-announce&t=144920914600002">
<p>A NULL pointer dereference could be triggered by a crafted
certificate sent to services configured to verify client
certificates on TLS/SSL connections.</p>
</blockquote>
</body>
</description>
<references>
<url>https://marc.info/?l=openbsd-announce&t=144920914600002</url>
<cvename>CVE-2015-3194</cvename>
</references>
<dates>
<discovery>2015-12-03</discovery>
<entry>2015-12-08</entry>
</dates>
</vuln>
<vuln vid="918a5d1f-9d40-11e5-8f5c-002590263bf5">
<topic>KeePassX -- information disclosure</topic>
<affects>
<package>
<name>KeePassX</name>
<range><lt>0.4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Yves-Alexis Perez reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/11/30/4">
<p>Starting an export (using File / Export to / KeepassX XML file) and
cancelling it leads to KeepassX saving a cleartext XML file in
~/.xml without any warning.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8378</cvename>
<freebsdpr>ports/205105</freebsdpr>
<url>http://www.openwall.com/lists/oss-security/2015/11/30/4</url>
</references>
<dates>
<discovery>2015-07-08</discovery>
<entry>2015-12-08</entry>
</dates>
</vuln>
<vuln vid="84fdd1bb-9d37-11e5-8f5c-002590263bf5">
<topic>passenger -- client controlled header overwriting</topic>
<affects>
<package>
<name>rubygem-passenger</name>
<range><ge>5.0.0</ge><lt>5.0.22</lt></range>
<range><lt>4.0.60</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Daniel Knoppel reports:</p>
<blockquote cite="https://blog.phusion.nl/2015/12/07/cve-2015-7519/">
<p>It was discovered by the SUSE security team that it was possible,
in some cases, for clients to overwrite headers set by the server,
resulting in a medium level security issue. CVE-2015-7519 has been
assigned to this issue.</p>
<p>Affected use-cases:</p>
<p>Header overwriting may occur if all of the following conditions are met:</p>
<ul>
<li>Apache integration mode, or standalone+builtin engine without
a filtering proxy</li>
<li>Ruby or Python applications only (Passenger 5); or any
application (Passenger 4)</li>
<li>The app depends on a request header containing a dash (-)</li>
<li>The header is supposed to be trusted (set by the server)</li>
<li>The client correctly guesses the header name</li>
</ul>
<p>This vulnerability has been fixed by filtering out client headers
that do not consist of alphanumeric/dash characters (Nginx already
did this, so Passenger+Nginx was not affected). If your application
depends on headers that don't conform to this, you can add a
workaround in Apache specifically for those to convert them to a
dash-based format.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7519</cvename>
<url>https://blog.phusion.nl/2015/12/07/cve-2015-7519/</url>
</references>
<dates>
<discovery>2015-12-07</discovery>
<entry>2015-12-07</entry>
</dates>
</vuln>
<vuln vid="e6b974ab-9d35-11e5-8f5c-002590263bf5">
<topic>Salt -- information disclosure</topic>
<affects>
<package>
<name>py27-salt</name>
<range><lt>2015.8.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Salt release notes report:</p>
<blockquote cite="https://docs.saltstack.com/en/latest/topics/releases/2015.8.3.html">
<p>CVE-2015-8034: Saving state.sls cache data to disk with insecure
permissions</p>
<p>This affects users of the state.sls function. The state run cache
on the minion was being created with incorrect permissions. This
file could potentially contain sensitive data that was inserted via
jinja into the state SLS files. The permissions for this file are
now being set correctly. Thanks to @zmalone for bringing this issue
to our attention.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8034</cvename>
<url>https://docs.saltstack.com/en/latest/topics/releases/2015.8.3.html</url>
</references>
<dates>
<discovery>2015-11-25</discovery>
<entry>2015-12-07</entry>
</dates>
</vuln>
<vuln vid="6bc6eed2-9cca-11e5-8c2b-c335fa8985d7">
<topic>libraw -- memory objects not properly initialized</topic>
<affects>
<package>
<name>libraw</name>
<range><lt>0.17.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ChenQin reports:</p>
<blockquote cite="http://seclists.org/fulldisclosure/2015/Nov/108">
<p>The LibRaw raw image decoder has multiple vulnerabilities that can
cause memory errors which may lead to code execution or other
problems.</p>
<p>In CVE-2015-8367, LibRaw's phase_one_correct function does not
handle memory initialization correctly, which may cause other
problems.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.libraw.org/news/libraw-0-17-1</url>
<url>https://github.com/LibRaw/LibRaw/commit/490ef94d1796f730180039e80997efe5c58db780</url>
<mlist>http://seclists.org/fulldisclosure/2015/Nov/108</mlist>
<cvename>CVE-2015-8367</cvename>
</references>
<dates>
<discovery>2015-11-30</discovery>
<entry>2015-12-07</entry>
</dates>
</vuln>
<vuln vid="db04bf07-9cc8-11e5-8c2b-c335fa8985d7">
<topic>libraw -- index overflow in smal_decode_segment</topic>
<affects>
<package>
<name>libraw</name>
<range><lt>0.17.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ChenQin reports:</p>
<blockquote cite="http://seclists.org/fulldisclosure/2015/Nov/108">
<p>The LibRaw raw image decoder has multiple vulnerabilities that can
cause memory errors which may lead to code execution or other
problems.</p>
<p>In CVE-2015-8366, LibRaw's smal_decode_segment function does not
handle indexes carefully, which can cause an index overflow.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.libraw.org/news/libraw-0-17-1</url>
<url>https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2</url>
<mlist>http://seclists.org/fulldisclosure/2015/Nov/108</mlist>
<cvename>CVE-2015-8366</cvename>
</references>
<dates>
<discovery>2015-11-30</discovery>
<entry>2015-12-07</entry>
</dates>
</vuln>
<vuln vid="4c8d1d72-9b38-11e5-aece-d050996490d0">
<topic>openssl -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.2_5</lt></range>
</package>
<package>
<name>mingw32-openssl</name>
<range><ge>1.0.1</ge><lt>1.0.2e</lt></range>
</package>
<package>
<name>linux-c6-openssl</name>
<range><lt>1.0.1e_7</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.2</ge><lt>10.2_8</lt></range>
<range><ge>10.1</ge><lt>10.1_25</lt></range>
<range><ge>9.3</ge><lt>9.3_31</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL project reports:</p>
<blockquote cite="https://www.openssl.org/news/secadv/20151203.txt">
<ol>
<li>BN_mod_exp may produce incorrect results on x86_64
(CVE-2015-3193)</li>
<li>Certificate verify crash with missing PSS parameter
(CVE-2015-3194)</li>
<li>X509_ATTRIBUTE memory leak (CVE-2015-3195)</li>
<li>Race condition handling PSK identity hint
(CVE-2015-3196)</li>
<li>Anon DH ServerKeyExchange with 0 p parameter
(CVE-2015-1794)</li>
</ol>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-15:26.openssl</freebsdsa>
<cvename>CVE-2015-1794</cvename>
<cvename>CVE-2015-3193</cvename>
<cvename>CVE-2015-3194</cvename>
<cvename>CVE-2015-3195</cvename>
<cvename>CVE-2015-3196</cvename>
<url>https://www.openssl.org/news/secadv/20151203.txt</url>
</references>
<dates>
<discovery>2015-12-03</discovery>
<entry>2015-12-05</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="8a90dc87-89f9-11e5-a408-00248c0c745d">
<topic>PHPmailer -- SMTP injection vulnerability</topic>
<affects>
<package>
<name>phpmailer</name>
<range><lt>5.2.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHPMailer changelog reports:</p>
<blockquote cite="https://github.com/PHPMailer/PHPMailer/blob/v5.2.14/changelog.md">
<p>Fix vulnerability that allowed email addresses with
line breaks (valid in RFC5322) to pass to SMTP, permitting
message injection at the SMTP level. Mitigated in both
the address validator and in the lower-level SMTP class.
Thanks to Takeshi Terada.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/PHPMailer/PHPMailer/blob/v5.2.14/changelog.md</url>
</references>
<dates>
<discovery>2015-11-05</discovery>
<entry>2015-12-03</entry>
</dates>
</vuln>
<vuln vid="b0da85af-21a3-4c15-a137-fe9e4bc86002">
<topic>ffmpeg -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libav</name>
<!-- no known fixed version -->
<range><ge>0</ge></range>
</package>
<package>
<name>gstreamer-ffmpeg</name>
<!-- gst-ffmpeg-0.10.13 has libav-0.7.2 (0.7.7 in freebsd port) -->
<!-- no known fixed version -->
<range><ge>0</ge></range>
</package>
<package>
<name>handbrake</name>
<!-- handbrake prior to 1.2.0 has libav-10.1 -->
<!-- backend library has been switched from libav to ffmpeg since 1.2.0 -->
<range><lt>1.2.0</lt></range>
</package>
<package>
<name>ffmpeg</name>
<range><ge>2.8,1</ge><lt>2.8.3,1</lt></range>
<range><lt>2.7.3,1</lt></range>
</package>
<package>
<name>ffmpeg26</name>
<range><lt>2.6.5</lt></range>
</package>
<package>
<name>ffmpeg25</name>
<range><lt>2.5.9</lt></range>
</package>
<package>
<name>ffmpeg24</name>
<range><lt>2.4.12</lt></range>
</package>
<package>
<name>ffmpeg-devel</name>
<name>ffmpeg23</name>
<name>ffmpeg2</name>
<name>ffmpeg1</name>
<name>ffmpeg-011</name>
<name>ffmpeg0</name>
<!-- no known fixed version -->
<range><ge>0</ge></range>
</package>
<package>
<name>avidemux</name>
<name>avidemux2</name>
<name>avidemux26</name>
<!-- avidemux-2.6.10 has ffmpeg-2.6.1 -->
<!-- no known fixed version -->
<range><le>2.6.11</le></range>
</package>
<package>
<name>kodi</name>
<!-- kodi-15.2 has ffmpeg-2.6.4 -->
<range><lt>16.0</lt></range>
</package>
<package>
<name>mplayer</name>
<name>mencoder</name>
<!-- mplayer-1.1.r20150822_6 has ffmpeg-2.8.2 -->
<range><lt>1.1.r20150822_7</lt></range>
</package>
<package>
<name>mythtv</name>
<name>mythtv-frontend</name>
<!-- mythtv-0.27.0.20140121 has ffmpeg-1.2.2+ (snapshot, f9c8726) -->
<range><le>0.27.5,1</le></range>
</package>
<package>
<name>plexhometheater</name>
<!-- plexhometheater-1.4.1 has ffmpeg-0.10.2 fork -->
<!-- no known fixed version -->
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6761">
<p>The update_dimensions function in libavcodec/vp8.c in
FFmpeg through 2.8.1, as used in Google Chrome before
46.0.2490.71 and other products, relies on a
coefficient-partition count during multi-threaded operation,
which allows remote attackers to cause a denial of service
(race condition and memory corruption) or possibly have
unspecified other impact via a crafted WebM file.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8216">
<p>The ljpeg_decode_yuv_scan function in
libavcodec/mjpegdec.c in FFmpeg before 2.8.2 omits certain
width and height checks, which allows remote attackers to
cause a denial of service (out-of-bounds array access) or
possibly have unspecified other impact via crafted MJPEG
data.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8217">
<p>The ff_hevc_parse_sps function in libavcodec/hevc_ps.c in
FFmpeg before 2.8.2 does not validate the Chroma Format
Indicator, which allows remote attackers to cause a denial
of service (out-of-bounds array access) or possibly have
unspecified other impact via crafted High Efficiency Video
Coding (HEVC) data.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8218">
<p>The decode_uncompressed function in libavcodec/faxcompr.c
in FFmpeg before 2.8.2 does not validate uncompressed runs,
which allows remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified
other impact via crafted CCITT FAX data.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8219">
<p>The init_tile function in libavcodec/jpeg2000dec.c in
FFmpeg before 2.8.2 does not enforce minimum-value and
maximum-value constraints on tile coordinates, which allows
remote attackers to cause a denial of service (out-of-bounds
array access) or possibly have unspecified other impact via
crafted JPEG 2000 data.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8363">
<p>The jpeg2000_read_main_headers function in
libavcodec/jpeg2000dec.c in FFmpeg before 2.6.5, 2.7.x
before 2.7.3, and 2.8.x through 2.8.2 does not enforce
uniqueness of the SIZ marker in a JPEG 2000 image, which
allows remote attackers to cause a denial of service
(out-of-bounds heap-memory access) or possibly have
unspecified other impact via a crafted image with two or
more of these markers.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8364">
<p>Integer overflow in the ff_ivi_init_planes function in
libavcodec/ivi.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3,
and 2.8.x through 2.8.2 allows remote attackers to cause a
denial of service (out-of-bounds heap-memory access) or
possibly have unspecified other impact via crafted image
dimensions in Indeo Video Interactive data.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8365">
<p>The smka_decode_frame function in libavcodec/smacker.c in
FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through
2.8.2 does not verify that the data size is consistent with
the number of channels, which allows remote attackers to
cause a denial of service (out-of-bounds array access) or
possibly have unspecified other impact via crafted Smacker
data.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-6761</cvename>
<cvename>CVE-2015-8216</cvename>
<cvename>CVE-2015-8217</cvename>
<cvename>CVE-2015-8218</cvename>
<cvename>CVE-2015-8219</cvename>
<cvename>CVE-2015-8363</cvename>
<cvename>CVE-2015-8364</cvename>
<cvename>CVE-2015-8365</cvename>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=dabea74d0e82ea80cd344f630497cafcb3ef872c</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d24888ef19ba38b787b11d1ee091a3d94920c76a</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=93f30f825c08477fe8f76be00539e96014cc83c8</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d4a731b84a08f0f3839eaaaf82e97d8d9c67da46</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=43492ff3ab68a343c1264801baa1d5a02de10167</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=44a7f17d0b20e6f8d836b2957e3e357b639f19a2</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=df91aa034b82b77a3c4e01791f4a2b2ff6c82066</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=4a9af07a49295e014b059c1ab624c40345af5892</url>
<url>https://ffmpeg.org/security.html</url>
</references>
<dates>
<discovery>2015-11-27</discovery>
<entry>2015-12-02</entry>
<modified>2018-03-25</modified>
</dates>
</vuln>
<vuln vid="548f74bd-993c-11e5-956b-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<!--pcbsd-->
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>47.0.2526.73</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2015/12/stable-channel-update.html">
<p>41 security fixes in this release, including:</p>
<ul>
<li>[558589] Critical CVE-2015-6765: Use-after-free in AppCache.
Credit to anonymous.</li>
<li>[551044] High CVE-2015-6766: Use-after-free in AppCache.
Credit to anonymous.</li>
<li>[554908] High CVE-2015-6767: Use-after-free in AppCache.
Credit to anonymous.</li>
<li>[556724] High CVE-2015-6768: Cross-origin bypass in DOM.
Credit to Mariusz Mlynski.</li>
<li>[534923] High CVE-2015-6769: Cross-origin bypass in core.
Credit to Mariusz Mlynski.</li>
<li>[541206] High CVE-2015-6770: Cross-origin bypass in DOM.
Credit to Mariusz Mlynski.</li>
<li>[544991] High CVE-2015-6771: Out of bounds access in v8.
Credit to anonymous.</li>
<li>[546545] High CVE-2015-6772: Cross-origin bypass in DOM.
Credit to Mariusz Mlynski.</li>
<li>[554946] High CVE-2015-6764: Out of bounds access in v8.
Credit to Guang Gong of Qihoo 360 via pwn2own.</li>
<li>[491660] High CVE-2015-6773: Out of bounds access in Skia.
Credit to cloudfuzzer.</li>
<li>[549251] High CVE-2015-6774: Use-after-free in Extensions.
Credit to anonymous.</li>
<li>[529012] High CVE-2015-6775: Type confusion in PDFium.
Credit to Atte Kettunen of OUSPG.</li>
<li>[457480] High CVE-2015-6776: Out of bounds access in PDFium.
Credit to Hanno Böck.</li>
<li>[544020] High CVE-2015-6777: Use-after-free in DOM.
Credit to Long Liu of Qihoo 360Vulcan Team.</li>
<li>[514891] Medium CVE-2015-6778: Out of bounds access in PDFium.
Credit to Karl Skomski.</li>
<li>[528505] Medium CVE-2015-6779: Scheme bypass in PDFium.
Credit to Til Jasper Ullrich.</li>
<li>[490492] Medium CVE-2015-6780: Use-after-free in Infobars.
Credit to Khalil Zhani.</li>
<li>[497302] Medium CVE-2015-6781: Integer overflow in Sfntly.
Credit to miaubiz.</li>
<li>[536652] Medium CVE-2015-6782: Content spoofing in Omnibox.
Credit to Luan Herrera.</li>
<li>[537205] Medium CVE-2015-6783: Signature validation issue in
Android Crazy Linker. Credit to Michal Bednarski.</li>
<li>[503217] Low CVE-2015-6784: Escaping issue in saved pages.
Credit to Inti De Ceukelaire.</li>
<li>[534542] Low CVE-2015-6785: Wildcard matching issue in CSP.
Credit to Michael Ficarra / Shape Security.</li>
<li>[534570] Low CVE-2015-6786: Scheme bypass in CSP. Credit to
Michael Ficarra / Shape Security.</li>
<li>[563930] CVE-2015-6787: Various fixes from internal audits,
fuzzing and other initiatives.</li>
<li>Multiple vulnerabilities in V8 fixed at the tip of the 4.7
branch (currently 4.7.80.23).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-6765</cvename>
<cvename>CVE-2015-6766</cvename>
<cvename>CVE-2015-6767</cvename>
<cvename>CVE-2015-6768</cvename>
<cvename>CVE-2015-6769</cvename>
<cvename>CVE-2015-6770</cvename>
<cvename>CVE-2015-6771</cvename>
<cvename>CVE-2015-6772</cvename>
<cvename>CVE-2015-6773</cvename>
<cvename>CVE-2015-6774</cvename>
<cvename>CVE-2015-6775</cvename>
<cvename>CVE-2015-6776</cvename>
<cvename>CVE-2015-6777</cvename>
<cvename>CVE-2015-6778</cvename>
<cvename>CVE-2015-6779</cvename>
<cvename>CVE-2015-6780</cvename>
<cvename>CVE-2015-6781</cvename>
<cvename>CVE-2015-6782</cvename>
<cvename>CVE-2015-6783</cvename>
<cvename>CVE-2015-6784</cvename>
<cvename>CVE-2015-6785</cvename>
<cvename>CVE-2015-6786</cvename>
<cvename>CVE-2015-6787</cvename>
<url>http://googlechromereleases.blogspot.nl/2015/12/stable-channel-update.html</url>
</references>
<dates>
<discovery>2015-12-01</discovery>
<entry>2015-12-02</entry>
</dates>
</vuln>
<vuln vid="11351c82-9909-11e5-a9c8-14dae9d5a9d2">
<topic>piwik -- multiple vulnerabilities</topic>
<affects>
<package>
<name>piwik</name>
<range><lt>2.15.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Piwik changelog reports:</p>
<blockquote cite="http://piwik.org/changelog/piwik-2-15-0/">
<p>This release is rated critical.
We are grateful to the security researchers who disclosed
security issues privately to the Piwik Security Response
team: Elamaran Venkatraman, Egidio Romano and Dmitriy
Shcherbatov. The following vulnerabilities were fixed:
XSS, CSRF, possible file inclusion in older PHP versions
(low impact), possible Object Injection Vulnerability
(low impact).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7815</cvename>
<cvename>CVE-2015-7816</cvename>
<url>http://piwik.org/changelog/piwik-2-15-0/</url>
</references>
<dates>
<discovery>2015-11-17</discovery>
<entry>2015-12-02</entry>
</dates>
</vuln>
<vuln vid="d62ec98e-97d8-11e5-8c0e-080027b00c2e">
<topic>cyrus-imapd -- integer overflow in the start_octet addition</topic>
<affects>
<package>
<name>cyrus-imapd25</name>
<range><ge>2.5.0</ge><lt>2.5.7</lt></range>
</package>
<package>
<name>cyrus-imapd24</name>
<range><ge>2.4.0</ge><lt>2.4.18_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Cyrus IMAP 2.5.7 release notes state:</p>
<blockquote cite="https://docs.cyrus.foundation/imap/release-notes/2.5/x/2.5.7.html">
<p>CVE-2015-8077, CVE-2015-8078: protect against integer overflow in urlfetch range checks</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8078</cvename>
<url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8078</url>
<url>http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8078.html</url>
<url>https://security-tracker.debian.org/tracker/CVE-2015-8078</url>
<cvename>CVE-2015-8077</cvename>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8077</url>
<url>http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8077.html</url>
<url>https://security-tracker.debian.org/tracker/CVE-2015-8077</url>
</references>
<dates>
<discovery>2015-11-04</discovery>
<entry>2015-12-01</entry>
</dates>
</vuln>
<vuln vid="11c52bc6-97aa-11e5-b8df-14dae9d210b8">
<topic>django -- information leak vulnerability</topic>
<affects>
<package>
<name>py27-django</name>
<name>py32-django</name>
<name>py33-django</name>
<name>py34-django</name>
<range><lt>1.8.7</lt></range>
</package>
<package>
<name>py27-django18</name>
<name>py32-django18</name>
<name>py33-django18</name>
<name>py34-django18</name>
<range><lt>1.8.7</lt></range>
</package>
<package>
<name>py27-django17</name>
<name>py32-django17</name>
<name>py33-django17</name>
<name>py34-django17</name>
<range><lt>1.7.11</lt></range>
</package>
<package>
<name>py27-django-devel</name>
<name>py32-django-devel</name>
<name>py33-django-devel</name>
<name>py34-django-devel</name>
<range><le>20150709,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tim Graham reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/">
<p>If an application allows users to specify an unvalidated
format for dates and passes this format to the date filter, e.g. {{
last_updated|date:user_date_format }}, then a malicious user could
obtain any secret in the application's settings by specifying a settings
key instead of a date format, e.g. "SECRET_KEY" instead of "j/m/Y".</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/</url>
<cvename>CVE-2015-8213</cvename>
</references>
<dates>
<discovery>2015-11-24</discovery>
<entry>2015-11-30</entry>
<modified>2015-12-24</modified>
</dates>
</vuln>
<vuln vid="fb2475c2-9125-11e5-bd18-002590263bf5">
<topic>kibana4 -- CSRF vulnerability</topic>
<affects>
<package>
<name>kibana4</name>
<name>kibana41</name>
<range><ge>4.0.0</ge><lt>4.1.3</lt></range>
</package>
<package>
<name>kibana42</name>
<range><ge>4.2.0</ge><lt>4.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Elastic reports:</p>
<blockquote cite="https://www.elastic.co/community/security/">
<p>Vulnerability Summary: Kibana versions prior to 4.1.3 and 4.2.1
are vulnerable to a CSRF attack.</p>
<p>Remediation Summary: Users should upgrade to 4.1.3 or 4.2.1.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8131</cvename>
<url>https://www.elastic.co/community/security/</url>
</references>
<dates>
<discovery>2015-11-17</discovery>
<entry>2015-11-22</entry>
</dates>
</vuln>
<vuln vid="e359051d-90bd-11e5-bd18-002590263bf5">
<topic>a2ps -- format string vulnerability</topic>
<affects>
<package>
<name>a2ps</name>
<range><lt>4.13b_8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jong-Gwon Kim reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/11/16/4">
<p>When a user runs a2ps with a maliciously crafted pro (a2ps prologue) file,
an attacker can execute arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8107</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/11/16/4</url>
</references>
<dates>
<discovery>2015-11-16</discovery>
<entry>2015-11-22</entry>
</dates>
</vuln>
<vuln vid="ecc268f2-8fc2-11e5-918c-bcaec565249c">
<topic>libxslt -- DoS vulnerability due to type confusion error</topic>
<affects>
<package>
<name>libxslt</name>
<range><lt>1.1.28_8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>libxslt maintainer reports:</p>
<blockquote cite="https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617">
<p>CVE-2015-7995:
http://www.openwall.com/lists/oss-security/2015/10/27/10
We need to check that the parent node is an element before
dereferencing its namespace.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7995</cvename>
<url>https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617</url>
</references>
<dates>
<discovery>2015-10-29</discovery>
<entry>2015-11-20</entry>
</dates>
</vuln>
<vuln vid="e5423caf-8fb8-11e5-918c-bcaec565249c">
<topic>libxml2 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libxml2</name>
<range><lt>2.9.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The libxml2 news page reports:</p>
<blockquote cite="http://xmlsoft.org/news.html">
<p>CVE-2015-5312 Another entity expansion issue (David Drysdale).</p>
<p>CVE-2015-7497 Avoid a heap buffer overflow in
xmlDictComputeFastQKey (David Drysdale).</p>
<p>CVE-2015-7498 Avoid processing entities after encoding
conversion failures (Daniel Veillard).</p>
<p>CVE-2015-7499 (1) Add xmlHaltParser() to stop the parser
(Daniel Veillard).</p>
<p>CVE-2015-7499 (2) Detect incoherency on GROW (Daniel
Veillard).</p>
<p>CVE-2015-7500 Fix memory access error due to incorrect
entities boundaries (Daniel Veillard).</p>
<p>CVE-2015-7941 (1) Stop parsing on entities boundaries
errors (Daniel Veillard).</p>
<p>CVE-2015-7941 (2) Cleanup conditional section error
handling (Daniel Veillard).</p>
<p>CVE-2015-7942 Another variation of overflow in
Conditional sections (Daniel Veillard).</p>
<p>CVE-2015-7942 (2) Fix an error in previous Conditional
section patch (Daniel Veillard).</p>
<p>CVE-2015-8035 Fix XZ compression support loop
(Daniel Veillard).</p>
<p>CVE-2015-8242 Buffer overread with HTML parser in push
mode (Hugh Davenport).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5312</cvename>
<cvename>CVE-2015-7497</cvename>
<cvename>CVE-2015-7498</cvename>
<cvename>CVE-2015-7499</cvename>
<cvename>CVE-2015-7500</cvename>
<cvename>CVE-2015-7941</cvename>
<cvename>CVE-2015-7942</cvename>
<cvename>CVE-2015-8035</cvename>
<cvename>CVE-2015-8241</cvename>
<cvename>CVE-2015-8242</cvename>
<url>http://xmlsoft.org/news.html</url>
<url>http://www.openwall.com/lists/oss-security/2015/11/18/23</url>
</references>
<dates>
<discovery>2015-11-20</discovery>
<entry>2015-11-20</entry>
</dates>
</vuln>
<vuln vid="9d04936c-75f1-4a2c-9ade-4c1708be5df9">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>nspr</name>
<range><lt>4.10.10</lt></range>
</package>
<package>
<name>linux-c6-nspr</name>
<range><lt>4.10.10</lt></range>
</package>
<package>
<name>nss</name>
<range><ge>3.20</ge><lt>3.20.1</lt></range>
<range><ge>3.19.3</ge><lt>3.19.4</lt></range>
<range><lt>3.19.2.1</lt></range>
</package>
<package>
<name>firefox</name>
<range><lt>42.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>42.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.39</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.39</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>38.4.0,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><lt>38.4.0</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>38.4.0</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>38.4.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/">
<p>MFSA 2015-133 NSS and NSPR memory corruption issues</p>
<p>MFSA 2015-132 Mixed content WebSocket policy bypass
through workers</p>
<p>MFSA 2015-131 Vulnerabilities found through code
inspection</p>
<p>MFSA 2015-130 JavaScript garbage collection crash with
Java applet</p>
<p>MFSA 2015-129 Certain escaped characters in host of
Location-header are being treated as non-escaped</p>
<p>MFSA 2015-128 Memory corruption in libjar through zip
files</p>
<p>MFSA 2015-127 CORS preflight is bypassed when
non-standard Content-Type headers are received</p>
<p>MFSA 2015-126 Crash when accessing HTML tables with
accessibility tools on OS X</p>
<p>MFSA 2015-125 XSS attack through intents on Firefox for
Android</p>
<p>MFSA 2015-124 Android intents can be used on Firefox for
Android to open privileged files</p>
<p>MFSA 2015-123 Buffer overflow during image interactions
in canvas</p>
<p>MFSA 2015-122 Trailing whitespace in IP address hostnames
can bypass same-origin policy</p>
<p>MFSA 2015-121 Disabling scripts in Add-on SDK panels has
no effect</p>
<p>MFSA 2015-120 Reading sensitive profile files through
local HTML file on Android</p>
<p>MFSA 2015-119 Firefox for Android addressbar can be
removed after fullscreen mode</p>
<p>MFSA 2015-118 CSP bypass due to permissive Reader mode
whitelist</p>
<p>MFSA 2015-117 Information disclosure through NTLM
authentication</p>
<p>MFSA 2015-116 Miscellaneous memory safety hazards
(rv:42.0 / rv:38.4)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4513</cvename>
<cvename>CVE-2015-4514</cvename>
<cvename>CVE-2015-4515</cvename>
<cvename>CVE-2015-4518</cvename>
<cvename>CVE-2015-7181</cvename>
<cvename>CVE-2015-7182</cvename>
<cvename>CVE-2015-7183</cvename>
<cvename>CVE-2015-7185</cvename>
<cvename>CVE-2015-7186</cvename>
<cvename>CVE-2015-7187</cvename>
<cvename>CVE-2015-7188</cvename>
<cvename>CVE-2015-7189</cvename>
<cvename>CVE-2015-7190</cvename>
<cvename>CVE-2015-7191</cvename>
<cvename>CVE-2015-7192</cvename>
<cvename>CVE-2015-7193</cvename>
<cvename>CVE-2015-7194</cvename>
<cvename>CVE-2015-7195</cvename>
<cvename>CVE-2015-7196</cvename>
<cvename>CVE-2015-7197</cvename>
<cvename>CVE-2015-7198</cvename>
<cvename>CVE-2015-7199</cvename>
<cvename>CVE-2015-7200</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-116/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-117/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-118/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-119/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-120/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-121/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-122/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-123/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-124/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-125/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-126/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-127/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-128/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-129/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-130/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-131/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-132/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-133/</url>
</references>
<dates>
<discovery>2015-11-03</discovery>
<entry>2015-11-19</entry>
<modified>2016-04-13</modified>
</dates>
</vuln>
<vuln vid="68847b20-8ddc-11e5-b69c-c86000169601">
<topic>gdm -- lock screen bypass when holding escape key</topic>
<affects>
<package>
<name>gdm</name>
<range><lt>3.16.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ray Strode reports:</p>
<blockquote cite="https://mail.gnome.org/archives/ftp-release-list/2015-November/msg00074.html">
<p>CVE-2015-7496 - lock screen bypass when holding escape key.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7496</cvename>
<url>https://mail.gnome.org/archives/ftp-release-list/2015-November/msg00074.html</url>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=758032</url>
</references>
<dates>
<discovery>2015-11-12</discovery>
<entry>2015-11-18</entry>
</dates>
</vuln>
<vuln vid="3eb0ccc2-8c6a-11e5-8519-005056ac623e">
<topic>strongswan -- authentication bypass vulnerability in the eap-mschapv2 plugin</topic>
<affects>
<package>
<name>strongswan</name>
<range><lt>5.3.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The strongSwan release notes report:</p>
<blockquote cite="https://github.com/strongswan/strongswan/blob/master/NEWS">
<p>Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin that
was caused by insufficient verification of the internal state when handling
MSCHAPv2 Success messages received by the client.
This vulnerability has been registered as CVE-2015-8023.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8023</cvename>
<url>https://github.com/strongswan/strongswan/commit/453e204ac40dfff2e0978e8f84a5f8ff0cbc45e2</url>
</references>
<dates>
<discovery>2015-11-16</discovery>
<entry>2015-11-16</entry>
</dates>
</vuln>
<vuln vid="82b3ca2a-8c07-11e5-bd18-002590263bf5">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle27</name>
<range><lt>2.7.11</lt></range>
</package>
<package>
<name>moodle28</name>
<range><lt>2.8.9</lt></range>
</package>
<package>
<name>moodle29</name>
<range><lt>2.9.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Moodle Release Notes report:</p>
<blockquote cite="https://docs.moodle.org/dev/Moodle_2.9.3_release_notes">
<p>MSA-15-0037 Possible to send a message to a user who blocked
messages from non contacts</p>
<p>MSA-15-0038 DDoS possibility in Atto</p>
<p>MSA-15-0039 CSRF in site registration form</p>
<p>MSA-15-0040 Student XSS in survey</p>
<p>MSA-15-0041 XSS in flash video player</p>
<p>MSA-15-0042 CSRF in lesson login form</p>
<p>MSA-15-0043 Web service core_enrol_get_enrolled_users does not
respect course group mode</p>
<p>MSA-15-0044 Capability to view available badges is not
respected</p>
<p>MSA-15-0045 SCORM module allows to bypass access restrictions based
on date</p>
<p>MSA-15-0046 Choice module closing date can be bypassed</p>
</blockquote>
</body>
</description>
<references>
<url>https://docs.moodle.org/dev/Moodle_2.7.11_release_notes</url>
<url>https://docs.moodle.org/dev/Moodle_2.8.9_release_notes</url>
<url>https://docs.moodle.org/dev/Moodle_2.9.3_release_notes</url>
</references>
<dates>
<discovery>2015-11-09</discovery>
<entry>2015-11-16</entry>
<modified>2015-12-21</modified>
</dates>
</vuln>
<vuln vid="2cabfbab-8bfb-11e5-bd18-002590263bf5">
<topic>xen-kernel -- CPU lockup during exception delivery</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.5.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-156.html">
<p>A malicious HVM guest administrator can cause a denial of service.
Specifically, prevent use of a physical CPU for a significant,
perhaps indefinite period. If a host watchdog (Xen or dom0) is in
use, this can lead to a watchdog timeout and consequently a reboot
of the host. If another, innocent, guest is configured with a
watchdog, this issue can lead to a reboot of such a guest.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5307</cvename>
<cvename>CVE-2015-8104</cvename>
<url>http://xenbits.xen.org/xsa/advisory-156.html</url>
</references>
<dates>
<discovery>2015-11-10</discovery>
<entry>2015-11-16</entry>
</dates>
</vuln>
<vuln vid="1886e195-8b87-11e5-90e7-b499baebfeaf">
<topic>libpng -- buffer overflow in png_set_PLTE</topic>
<affects>
<package>
<name>png</name>
<range><lt>1.6.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>libpng reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/11/12/2">
<p>CVE for a vulnerability in libpng, all versions, in the
png_set_PLTE/png_get_PLTE functions. These functions failed to check for
an out-of-range palette when reading or writing PNG files with a bit_depth
less than 8. Some applications might read the bit depth from the IHDR
chunk and allocate memory for a 2^N entry palette, while libpng can return
a palette with up to 256 entries even when the bit depth is less than 8.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2015/11/12/2</url>
<url>http://www.openwall.com/lists/oss-security/2015/12/03/6</url>
<cvename>CVE-2015-8126</cvename>
<cvename>CVE-2015-8472</cvename>
</references>
<dates>
<discovery>2015-11-15</discovery>
<entry>2015-11-15</entry>
<modified>2015-12-08</modified>
</dates>
</vuln>
<vuln vid="547fbd98-8b1f-11e5-b48b-bcaec565249c">
<topic>flash -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-f10-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<range><lt>11.2r202.548</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-28.html">
<p>These updates resolve a type confusion vulnerability that
could lead to code execution (CVE-2015-7659).</p>
<p>These updates resolve a security bypass vulnerability that
could be exploited to write arbitrary data to the file
system under user permissions (CVE-2015-7662).</p>
<p>These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2015-7651, CVE-2015-7652,
CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656,
CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661,
CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044,
CVE-2015-8046).</p>
</blockquote>
</body>
</description>
<references>
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-28.html</url>
<cvename>CVE-2015-7651</cvename>
<cvename>CVE-2015-7652</cvename>
<cvename>CVE-2015-7653</cvename>
<cvename>CVE-2015-7654</cvename>
<cvename>CVE-2015-7655</cvename>
<cvename>CVE-2015-7656</cvename>
<cvename>CVE-2015-7657</cvename>
<cvename>CVE-2015-7658</cvename>
<cvename>CVE-2015-7659</cvename>
<cvename>CVE-2015-7660</cvename>
<cvename>CVE-2015-7661</cvename>
<cvename>CVE-2015-7662</cvename>
<cvename>CVE-2015-7663</cvename>
<cvename>CVE-2015-8043</cvename>
<cvename>CVE-2015-8044</cvename>
<cvename>CVE-2015-8046</cvename>
</references>
<dates>
<discovery>2015-11-10</discovery>
<entry>2015-11-14</entry>
</dates>
</vuln>
<vuln vid="f0b9049f-88c4-11e5-aed7-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<!--pcbsd-->
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>46.0.2490.86</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2015/11/stable-channel-update.html">
<p>[520422] High CVE-2015-1302: Information leak in PDF viewer.
Credit to Rob Wu.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1302</cvename>
<url>http://googlechromereleases.blogspot.nl/2015/11/stable-channel-update.html</url>
</references>
<dates>
<discovery>2015-11-10</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="851a0eea-88aa-11e5-90e7-b499baebfeaf">
<topic>MySQL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mariadb-client</name>
<range><lt>5.3.13</lt></range>
</package>
<package>
<name>mariadb-server</name>
<range><lt>5.3.13</lt></range>
</package>
<package>
<name>mariadb55-client</name>
<range><lt>5.5.46</lt></range>
</package>
<package>
<name>mariadb55-server</name>
<range><lt>5.5.46</lt></range>
</package>
<package>
<name>mariadb100-client</name>
<range><lt>10.0.22</lt></range>
</package>
<package>
<name>mariadb100-server</name>
<range><lt>10.0.22</lt></range>
</package>
<package>
<name>mysql55-client</name>
<range><lt>5.5.46</lt></range>
</package>
<package>
<name>mysql55-server</name>
<range><lt>5.5.46</lt></range>
</package>
<package>
<name>mysql56-client</name>
<range><lt>5.6.27</lt></range>
</package>
<package>
<name>mysql56-server</name>
<range><lt>5.6.27</lt></range>
</package>
<package>
<name>percona55-client</name>
<range><lt>5.5.46</lt></range>
</package>
<package>
<name>percona55-server</name>
<range><lt>5.5.46</lt></range>
</package>
<package>
<name>percona56-client</name>
<range><lt>5.6.27</lt></range>
</package>
<package>
<name>percona56-server</name>
<range><lt>5.6.27</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Oracle reports:</p>
<blockquote cite="http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html">
<p>Critical Patch Update: MySQL Server, version(s) 5.5.45 and prior, 5.6.26 and prior</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html</url>
<cvename>CVE-2015-4802</cvename>
<cvename>CVE-2015-4807</cvename>
<cvename>CVE-2015-4815</cvename>
<cvename>CVE-2015-4826</cvename>
<cvename>CVE-2015-4830</cvename>
<cvename>CVE-2015-4836</cvename>
<cvename>CVE-2015-4858</cvename>
<cvename>CVE-2015-4861</cvename>
<cvename>CVE-2015-4870</cvename>
<cvename>CVE-2015-4913</cvename>
<cvename>CVE-2015-4792</cvename>
<url>https://mariadb.com/kb/en/mariadb/mariadb-5546-release-notes/</url>
<url>https://mariadb.com/kb/en/mariadb/mariadb-10022-release-notes/</url>
<url>https://www.percona.com/doc/percona-server/5.5/release-notes/Percona-Server-5.5.46-37.5.html</url>
<url>https://www.percona.com/doc/percona-server/5.6/release-notes/Percona-Server-5.6.27-75.0.html</url>
</references>
<dates>
<discovery>2015-11-10</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="b665668a-91db-4f13-8113-9e4b5b0e47f7">
<topic>jenkins -- remote code execution via unsafe deserialization</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>1.638</lt></range>
</package>
<package>
<name>jenkins-lts</name>
<range><lt>1.625.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Developers report:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11">
<p>Unsafe deserialization allows unauthenticated remote attackers to
run arbitrary code on the Jenkins master.</p>
</blockquote>
</body>
</description>
<references>
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11</url>
<url>https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli</url>
<url>http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#thefix</url>
</references>
<dates>
<discovery>2015-11-06</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="71af4ded-8864-11e5-af1b-001999f8d30b">
<topic>owncloudclient -- Improper validation of certificates when using self-signed certificates</topic>
<affects>
<package>
<name>owncloudclient</name>
<range><lt>2.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>owncloud.org reports:</p>
<blockquote cite="https://owncloud.org/security/advisory/?id=oc-sa-2015-016">
<p>The ownCloud Desktop Client was vulnerable to MITM attacks until version 2.0.0 in combination with self-signed certificates.</p>
</blockquote>
</body>
</description>
<references>
<url>https://owncloud.org/security/advisory/?id=oc-sa-2015-016</url>
<cvename>CVE-2015-7298</cvename>
</references>
<dates>
<discovery>2015-09-21</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="c0e76d33-8821-11e5-ab94-002590263bf5">
<topic>xen-tools -- populate-on-demand balloon size inaccuracy can crash guests</topic>
<affects>
<package>
<name>xen-tools</name>
<range><ge>3.4</ge><lt>4.5.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-153.html">
<p>Guests configured with PoD might be unstable, especially under
load. In an affected guest, an unprivileged guest user might be
able to cause a guest crash, perhaps simply by applying load so
as to cause heavy memory pressure within the guest.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7972</cvename>
<url>http://xenbits.xen.org/xsa/advisory-153.html</url>
</references>
<dates>
<discovery>2015-10-29</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="e4848ca4-8820-11e5-ab94-002590263bf5">
<topic>xen-kernel -- some pmu and profiling hypercalls log without rate limiting</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>3.2</ge><lt>4.5.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-152.html">
<p>HYPERCALL_xenoprof_op and HYPERVISOR_xenpmu_op log some errors and
attempts at invalid operations. These log messages are not
rate-limited, even though they can be triggered by guests.</p>
<p>A malicious guest could cause repeated logging to the hypervisor
console, leading to a Denial of Service attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7971</cvename>
<url>http://xenbits.xen.org/xsa/advisory-152.html</url>
</references>
<dates>
<discovery>2015-10-29</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="e3792855-881f-11e5-ab94-002590263bf5">
<topic>xen-kernel -- leak of per-domain profiling-related vcpu pointer array</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>4.0</ge><lt>4.5.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-151.html">
<p>A domain's xenoprofile state contains an array of per-vcpu
information... This array is leaked on domain teardown. This memory
leak could -- over time -- exhaust the host's memory.</p>
<p>The following parties can mount a denial of service attack
affecting the whole system:</p>
<ul>
<li>A malicious guest administrator via XENOPROF_get_buffer.</li>
<li>A domain given suitable privilege over another domain via
XENOPROF_set_passive (this would usually be a domain being
used to profile another domain, eg with the xenoprof tool).</li>
</ul>
<p>The ability to also restart or create suitable domains is also
required to fully exploit the issue. Without this the leak is
limited to a small multiple of the maximum number of vcpus for the
domain.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7969</cvename>
<url>http://xenbits.xen.org/xsa/advisory-151.html</url>
</references>
<dates>
<discovery>2015-10-29</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="83350009-881e-11e5-ab94-002590263bf5">
<topic>xen-kernel -- Long latency populate-on-demand operation is not preemptible</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>3.4</ge><lt>4.5.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-150.html">
<p>When running an HVM domain in Populate-on-Demand mode, Xen would
sometimes search the domain for memory to reclaim, in response to
demands for population of other pages in the same domain. This
search runs without preemption. The guest can, by suitable
arrangement of its memory contents, create a situation where this
search is a time-consuming linear scan of the guest's address
space.</p>
<p>A malicious HVM guest administrator can cause a denial of service.
Specifically, prevent use of a physical CPU for a significant
period.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7970</cvename>
<url>http://xenbits.xen.org/xsa/advisory-150.html</url>
</references>
<dates>
<discovery>2015-10-29</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="fc1f8795-881d-11e5-ab94-002590263bf5">
<topic>xen-kernel -- leak of main per-domain vcpu pointer array</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.5.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-149.html">
<p>A domain's primary array of vcpu pointers can be allocated by a
toolstack exactly once in the lifetime of a domain via the
XEN_DOMCTL_max_vcpus hypercall. This array is leaked on domain
teardown. This memory leak could -- over time -- exhaust the host's
memory.</p>
<p>A domain given partial management control via XEN_DOMCTL_max_vcpus
can mount a denial of service attack affecting the whole system. The
ability to also restart or create suitable domains is also required
to fully exploit the issue. Without this the leak is limited to a
small multiple of the maximum number of vcpus for the domain. The
maximum leak is 64kbytes per domain (re)boot (less on ARM).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7969</cvename>
<url>http://xenbits.xen.org/xsa/advisory-149.html</url>
</references>
<dates>
<discovery>2015-10-29</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="3d9f6260-881d-11e5-ab94-002590263bf5">
<topic>xen-kernel -- Uncontrolled creation of large page mappings by PV guests</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>3.4</ge><lt>4.5.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-148.html">
<p>The code to validate level 2 page table entries is bypassed when
certain conditions are satisfied. This means that a PV guest can
create writable mappings using super page mappings. Such writable
mappings can violate Xen intended invariants for pages which Xen is
supposed to keep read-only. This is possible even if the
"allowsuperpage" command line option is not used.</p>
<p>Malicious PV guest administrators can escalate privilege so as to
control the whole system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7835</cvename>
<url>http://xenbits.xen.org/xsa/advisory-148.html</url>
</references>
<dates>
<discovery>2015-10-29</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="301b04d7-881c-11e5-ab94-002590263bf5">
<topic>xen-tools -- libxl fails to honour readonly flag on disks with qemu-xen</topic>
<affects>
<package>
<name>xen-tools</name>
<range><ge>4.1</ge><lt>4.5.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-142.html">
<p>Callers of libxl can specify that a disk should be read-only to the
guest. However, there is no code in libxl to pass this information
to qemu-xen (the upstream-based qemu); and indeed there is no way in
qemu to make a disk read-only.</p>
<p>The vulnerability is exploitable only via devices emulated by the
device model, not the parallel PV devices for supporting PVHVM.
Normally the PVHVM device unplug protocol renders the emulated
devices inaccessible early in boot.</p>
<p>Malicious guest administrators or (in some situations) users may be
able to write to supposedly read-only disk images.</p>
<p>CDROM devices (that is, devices specified to be presented to the
guest as CDROMs, regardless of the nature of the backing storage on
the host) are not affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7311</cvename>
<url>http://xenbits.xen.org/xsa/advisory-142.html</url>
</references>
<dates>
<discovery>2015-09-22</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="2f7f4db2-8819-11e5-ab94-002590263bf5">
<topic>p5-HTML-Scrubber -- XSS vulnerability</topic>
<affects>
<package>
<name>p5-HTML-Scrubber</name>
<range><lt>0.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5667">
<p>Cross-site scripting (XSS) vulnerability in the HTML-Scrubber
module before 0.15 for Perl, when the comment feature is enabled,
allows remote attackers to inject arbitrary web script or HTML via
a crafted comment.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5667</cvename>
<url>https://metacpan.org/release/HTML-Scrubber</url>
<url>http://jvndb.jvn.jp/jvndb/JVNDB-2015-000171</url>
<url>http://jvn.jp/en/jp/JVN53973084/index.html</url>
</references>
<dates>
<discovery>2015-10-10</discovery>
<entry>2015-11-11</entry>
</dates>
</vuln>
<vuln vid="6ca7eddd-d436-486a-b169-b948436bcf14">
<topic>libvpx -- buffer overflow in vp9_init_context_buffers</topic>
<affects>
<package>
<name>libvpx</name>
<range><lt>1.4.0.488_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/security/advisories/mfsa2015-101/">
<p>Security researcher Khalil Zhani reported that a
maliciously crafted vp9 format video could be used to
trigger a buffer overflow while parsing the file. This leads
to a potentially exploitable crash due to a flaw in the
libvpx library.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4506</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-101/</url>
</references>
<dates>
<discovery>2015-09-22</discovery>
<entry>2015-11-10</entry>
</dates>
</vuln>
<vuln vid="56665ccb-8723-11e5-9b13-14dae9d210b8">
<topic>powerdns -- Denial of Service</topic>
<affects>
<package>
<name>powerdns</name>
<range><ge>3.4.4</ge><lt>3.4.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PowerDNS reports:</p>
<blockquote cite="https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/">
<p>A bug was found using afl-fuzz in our packet parsing code.
This bug, when exploited, causes an assertion error and consequent
termination of the pdns_server process, causing a Denial of Service.</p>
</blockquote>
</body>
</description>
<references>
<url>https://doc.powerdns.com/md/security/powerdns-advisory-2015-03/</url>
<cvename>CVE-2015-5311</cvename>
</references>
<dates>
<discovery>2015-11-03</discovery>
<entry>2015-11-09</entry>
</dates>
</vuln>
<vuln vid="0cb0afd9-86b8-11e5-bf60-080027ef73ec">
<topic>PuTTY -- memory corruption in terminal emulator's erase character handling</topic>
<affects>
<package>
<name>putty</name>
<range><ge>0.54</ge><lt>0.66</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ben Harris reports:</p>
<blockquote cite="http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html">
<p>Versions of PuTTY and pterm between 0.54 and 0.65 inclusive have a
potentially memory-corrupting integer overflow in the handling of
the ECH (erase characters) control sequence in the terminal
emulator.</p>
<p>To exploit a vulnerability in the terminal emulator, an attacker
must be able to insert a carefully crafted escape sequence into the
terminal stream. For a PuTTY SSH session, this must be before
encryption, so the attacker likely needs access to the server you're
connecting to. For instance, an attacker on a multi-user machine
that you connect to could trick you into running cat on a file they
control containing a malicious escape sequence. (Unix write(1) is
not a vector for this, if implemented correctly.)</p>
<p>Only PuTTY, PuTTYtel, and pterm are affected; other PuTTY tools do
not include the terminal emulator, so cannot be exploited this
way.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html</url>
<cvename>CVE-2015-5309</cvename>
</references>
<dates>
<discovery>2015-11-06</discovery>
<entry>2015-11-09</entry>
</dates>
</vuln>
<vuln vid="18b3c61b-83de-11e5-905b-ac9e174be3af">
<topic>OpenOffice 4.1.1 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>apache-openoffice</name>
<range><lt>4.1.2</lt></range>
</package>
<package>
<name>apache-openoffice-devel</name>
<range><lt>4.2.1705368,3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache OpenOffice Project reports:</p>
<blockquote cite="http://www.openoffice.org/security/cves/CVE-2015-4551.html">
<p>A vulnerability in OpenOffice settings of OpenDocument Format
files and templates allows silent access to files that are
readable from a user account, over-riding the user's default
configuration settings. Once these files are imported into a
maliciously-crafted document, the data can be silently hidden
in the document and possibly exported to an external party
without being observed.</p>
</blockquote>
<p>The Apache OpenOffice Project reports:</p>
<blockquote cite="http://www.openoffice.org/security/cves/CVE-2015-5212.html">
<p>A crafted ODF document can be used to create a buffer that is
too small for the amount of data loaded into it, allowing an
attacker to cause denial of service (memory corruption and
application crash) and possible execution of arbitrary code.</p>
</blockquote>
<p>The Apache OpenOffice Project reports:</p>
<blockquote cite="http://www.openoffice.org/security/cves/CVE-2015-5213.html">
<p>A crafted Microsoft Word DOC file can be used to specify a
document buffer that is too small for the amount of data
provided for it. Failure to detect the discrepancy allows an
attacker to cause denial of service (memory corruption and
application crash) and possible execution of arbitrary code.</p>
</blockquote>
<p>The Apache OpenOffice Project reports:</p>
<blockquote cite="http://www.openoffice.org/security/cves/CVE-2015-5214.html">
<p>A crafted Microsoft Word DOC can contain invalid bookmark
positions leading to memory corruption when the document is
loaded or bookmarks are manipulated. The defect allows an
attacker to cause denial of service (memory corruption and
application crash) and possible execution of arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4551</cvename>
<url>http://www.openoffice.org/security/cves/CVE-2015-4551.html</url>
<cvename>CVE-2015-5212</cvename>
<url>http://www.openoffice.org/security/cves/CVE-2015-5212.html</url>
<cvename>CVE-2015-5213</cvename>
<url>http://www.openoffice.org/security/cves/CVE-2015-5213.html</url>
<cvename>CVE-2015-5214</cvename>
<url>http://www.openoffice.org/security/cves/CVE-2015-5214.html</url>
</references>
<dates>
<discovery>2015-11-04</discovery>
<entry>2015-11-05</entry>
<modified>2015-11-05</modified>
</dates>
</vuln>
<vuln vid="698403a7-803d-11e5-ab94-002590263bf5">
<topic>codeigniter -- multiple vulnerabilities</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>2.2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://codeigniter.com/userguide2/changelog.html">
<p>Fixed an XSS attack vector in Security Library method
xss_clean().</p>
<p>Changed Config Library method base_url() to fallback to
<code>$_SERVER['SERVER_ADDR']</code> in order to avoid Host header
injections.</p>
<p>Changed CAPTCHA Helper to try to use the operating system's PRNG
first.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203403</freebsdpr>
<url>https://codeigniter.com/userguide2/changelog.html</url>
</references>
<dates>
<discovery>2015-10-31</discovery>
<entry>2015-11-01</entry>
</dates>
</vuln>
<vuln vid="017a493f-7db6-11e5-a762-14dae9d210b8">
<topic>openafs -- information disclosure</topic>
<affects>
<package>
<name>openafs</name>
<range><lt>1.6.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenAFS development team reports:</p>
<blockquote cite="http://openafs.org/pages/security/OPENAFS-SA-2015-007.txt">
<p>When constructing an Rx acknowledgment (ACK) packet, Andrew-derived Rx
implementations do not initialize three octets of data that are padding
in the C language structure and were inadvertently included in the wire
protocol (CVE-2015-7762). Additionally, OpenAFS Rx in versions 1.5.75
through 1.5.78, 1.6.0 through 1.6.14, and 1.7.0 through 1.7.32 include
a variable-length padding at the end of the ACK packet, in an attempt to
detect the path MTU, but only four octets of the additional padding are
initialized (CVE-2015-7763).</p>
</blockquote>
</body>
</description>
<references>
<url>http://openafs.org/pages/security/OPENAFS-SA-2015-007.txt</url>
<cvename>CVE-2015-7762</cvename>
<cvename>CVE-2015-7763</cvename>
</references>
<dates>
<discovery>2015-10-28</discovery>
<entry>2015-10-28</entry>
</dates>
</vuln>
<vuln vid="4b9393b8-7c0c-11e5-a010-080027ddead3">
<topic>xscreensaver - lock bypass</topic>
<affects>
<package>
<name>xscreensaver</name>
<name>xscreensaver-gnome</name>
<name>xscreensaver-gnome-hacks</name>
<range><lt>5.34</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>RedHat bugzilla reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=1274452">
<p>In dual screen configurations, unplugging one screen will cause
xscreensaver to crash, leaving the screen unlocked.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.jwz.org/xscreensaver/changelog.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1274452</url>
<cvename>CVE-2015-8025</cvename>
</references>
<dates>
<discovery>2015-10-24</discovery>
<entry>2015-10-27</entry>
<modified>2015-11-04</modified>
</dates>
</vuln>
<vuln vid="2a4a112a-7c1b-11e5-bd77-0800275369e2">
<topic>lldpd -- Buffer overflow/Denial of service</topic>
<affects>
<package>
<name>lldpd</name>
<range><ge>0.5.6</ge><lt>0.7.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The lldpd developer Vincent Bernat reports:</p>
<blockquote cite="https://github.com/vincentbernat/lldpd/raw/0.7.19/NEWS">
<p>A buffer overflow may allow arbitrary code execution
only if hardening was disabled.</p>
</blockquote>
<blockquote cite="https://github.com/vincentbernat/lldpd/commit/793526f8884455f43daecd0a2c46772388417a00">
<p>Malformed packets should not make lldpd crash. Ensure we can
handle them by not using assert() in this part.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8011</cvename>
<cvename>CVE-2015-8012</cvename>
<url>https://github.com/vincentbernat/lldpd/raw/0.7.19/NEWS</url>
<url>http://www.openwall.com/lists/oss-security/2015/10/30/2</url>
</references>
<dates>
<discovery>2015-10-04</discovery>
<entry>2015-10-26</entry>
<modified>2015-11-10</modified>
</dates>
</vuln>
<vuln vid="24e4d383-7b3e-11e5-a250-68b599b52a02">
<topic>wireshark -- Pcapng file parser crash</topic>
<affects>
<package>
<name>wireshark</name>
<name>wireshark-lite</name>
<name>wireshark-qt5</name>
<name>tshark</name>
<name>tshark-lite</name>
<range><lt>1.12.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark development team reports:</p>
<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-1.12.8.html">
<p>The following vulnerability has been fixed.</p>
<ul>
<li><p>wnpa-sec-2015-30</p>
<p>Pcapng file parser crash. (Bug 11455)</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://www.wireshark.org/docs/relnotes/wireshark-1.12.8.html</url>
<cvename>CVE-2015-7830</cvename>
</references>
<dates>
<discovery>2015-10-14</discovery>
<entry>2015-10-25</entry>
</dates>
</vuln>
<vuln vid="0ebc6e78-7ac6-11e5-b35a-002590263bf5">
<topic>Joomla! -- Core - SQL Injection/ACL Violation vulnerabilities</topic>
<affects>
<package>
<name>joomla3</name>
<range><ge>3.2.0</ge><lt>3.4.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The JSST and the Joomla! Security Center report:</p>
<blockquote cite="http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html">
<h2>[20151001] - Core - SQL Injection</h2>
<p>Inadequate filtering of request data leads to a SQL Injection
vulnerability.</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security-centre/629-20151002-core-acl-violations.html">
<h2>[20151002] - Core - ACL Violations</h2>
<p>Inadequate ACL checks in com_contenthistory provide potential read
access to data which should be access restricted.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7297</cvename>
<cvename>CVE-2015-7857</cvename>
<cvename>CVE-2015-7858</cvename>
<cvename>CVE-2015-7859</cvename>
<url>http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html</url>
<url>http://developer.joomla.org/security-centre/629-20151002-core-acl-violations.html</url>
<url>https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html</url>
</references>
<dates>
<discovery>2015-10-22</discovery>
<entry>2015-10-25</entry>
</dates>
</vuln>
<vuln vid="03e54e42-7ac6-11e5-b35a-002590263bf5">
<topic>Joomla! -- Core - ACL Violation vulnerabilities</topic>
<affects>
<package>
<name>joomla3</name>
<range><ge>3.0.0</ge><lt>3.4.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The JSST and the Joomla! Security Center report:</p>
<blockquote cite="http://developer.joomla.org/security-centre/630-20151003-core-acl-violations.html">
<h2>[20151003] - Core - ACL Violations</h2>
<p>Inadequate ACL checks in com_content provide potential read access
to data which should be access restricted.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7899</cvename>
<url>http://developer.joomla.org/security-centre/630-20151003-core-acl-violations.html</url>
<url>https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html</url>
</references>
<dates>
<discovery>2015-10-22</discovery>
<entry>2015-10-25</entry>
</dates>
</vuln>
<vuln vid="f8c37915-7ac5-11e5-b35a-002590263bf5">
<topic>Joomla! -- Core - XSS Vulnerability</topic>
<affects>
<package>
<name>joomla3</name>
<range><ge>3.4.0</ge><lt>3.4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The JSST and the Joomla! Security Center report:</p>
<blockquote cite="http://developer.joomla.org/security-centre/626-20150908-core-xss-vulnerability.html">
<h2>[20150908] - Core - XSS Vulnerability</h2>
<p>Inadequate escaping leads to XSS vulnerability in login module.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-6939</cvename>
<url>http://developer.joomla.org/security-centre/626-20150908-core-xss-vulnerability.html</url>
<url>https://www.joomla.org/announcements/release-news/5628-joomla-3-4-4-released.html</url>
</references>
<dates>
<discovery>2015-09-08</discovery>
<entry>2015-10-25</entry>
</dates>
</vuln>
<vuln vid="ec2d1cfd-7ac5-11e5-b35a-002590263bf5">
<topic>Joomla! -- Core - CSRF Protection vulnerabilities</topic>
<affects>
<package>
<name>joomla3</name>
<range><ge>3.2.0</ge><lt>3.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The JSST and the Joomla! Security Center report:</p>
<blockquote cite="http://developer.joomla.org/security-centre/618-20150602-core-remote-code-execution.html">
<h2>[20150602] - Core - CSRF Protection</h2>
<p>Lack of CSRF checks potentially enabled uploading malicious code.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5397</cvename>
<url>http://developer.joomla.org/security-centre/618-20150602-core-remote-code-execution.html</url>
<url>https://www.joomla.org/announcements/release-news/5589-joomla-3-4-2-released.html</url>
</references>
<dates>
<discovery>2015-06-30</discovery>
<entry>2015-10-25</entry>
</dates>
</vuln>
<vuln vid="deaba148-7ac5-11e5-b35a-002590263bf5">
<topic>Joomla! -- Core - Open Redirect vulnerability</topic>
<affects>
<package>
<name>joomla3</name>
<range><ge>3.0.0</ge><lt>3.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The JSST and the Joomla! Security Center report:</p>
<blockquote cite="http://developer.joomla.org/security-centre/617-20150601-core-open-redirect.html">
<h2>[20150601] - Core - Open Redirect</h2>
<p>Inadequate checking of the return value allowed to redirect to an
external page.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5608</cvename>
<url>http://developer.joomla.org/security-centre/617-20150601-core-open-redirect.html</url>
<url>https://www.joomla.org/announcements/release-news/5589-joomla-3-4-2-released.html</url>
</references>
<dates>
<discovery>2015-06-30</discovery>
<entry>2015-10-25</entry>
</dates>
</vuln>
<vuln vid="cec4d01a-7ac5-11e5-b35a-002590263bf5">
<topic>Joomla! -- Core - Remote File Execution/Denial of Service vulnerabilities</topic>
<affects>
<package>
<name>joomla3</name>
<range><lt>3.2.6</lt></range>
<range><ge>3.3.0</ge><lt>3.3.5</lt></range>
</package>
<package>
<name>joomla2</name>
<range><ge>2.5.4</ge><lt>2.5.26</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The JSST and the Joomla! Security Center report:</p>
<blockquote cite="http://developer.joomla.org/security-centre/595-20140903-core-remote-file-inclusion.html">
<h2>[20140903] - Core - Remote File Inclusion</h2>
<p>Inadequate checking allowed the potential for remote files to be
executed.</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security-centre/596-20140904-core-denial-of-service.html">
<h2>[20140904] - Core - Denial of Service</h2>
<p>Inadequate checking allowed the potential for a denial of service
attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-7228</cvename>
<cvename>CVE-2014-7229</cvename>
<url>http://developer.joomla.org/security-centre/595-20140903-core-remote-file-inclusion.html</url>
<url>http://developer.joomla.org/security-centre/596-20140904-core-denial-of-service.html</url>
<url>https://www.joomla.org/announcements/release-news/5567-joomla-3-3-5-released.html</url>
<url>https://www.joomla.org/announcements/release-news/5566-joomla-2-5-26-released.html</url>
</references>
<dates>
<discovery>2014-09-30</discovery>
<entry>2015-10-25</entry>
</dates>
</vuln>
<vuln vid="beb3d5fc-7ac5-11e5-b35a-002590263bf5">
<topic>Joomla! -- Core - Unauthorized Login vulnerability</topic>
<affects>
<package>
<name>joomla3</name>
<range><lt>3.2.5</lt></range>
<range><ge>3.3.0</ge><lt>3.3.4</lt></range>
</package>
<package>
<name>joomla2</name>
<range><lt>2.5.25</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The JSST and the Joomla! Security Center report:</p>
<blockquote cite="http://developer.joomla.org/security-centre/594-20140902-core-unauthorised-logins.html">
<h2>[20140902] - Core - Unauthorized Logins</h2>
<p>Inadequate checking allowed unauthorized logins via LDAP
authentication.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-6632</cvename>
<url>http://developer.joomla.org/security-centre/594-20140902-core-unauthorised-logins.html</url>
<url>https://www.joomla.org/announcements/release-news/5564-joomla-3-3-4-released.html</url>
<url>https://www.joomla.org/announcements/release-news/5563-joomla-2-5-25-released.html</url>
</references>
<dates>
<discovery>2014-09-23</discovery>
<entry>2015-10-25</entry>
</dates>
</vuln>
<vuln vid="adbb32d9-7ac5-11e5-b35a-002590263bf5">
<topic>Joomla! -- Core - XSS Vulnerability</topic>
<affects>
<package>
<name>joomla3</name>
<range><ge>3.2.0</ge><lt>3.2.5</lt></range>
<range><ge>3.3.0</ge><lt>3.3.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The JSST and the Joomla! Security Center report:</p>
<blockquote cite="http://developer.joomla.org/security-centre/593-20140901-core-xss-vulnerability.html">
<h2>[20140901] - Core - XSS Vulnerability</h2>
<p>Inadequate escaping leads to XSS vulnerability in com_media.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-6631</cvename>
<url>http://developer.joomla.org/security-centre/593-20140901-core-xss-vulnerability.html</url>
<url>https://www.joomla.org/announcements/release-news/5564-joomla-3-3-4-released.html</url>
</references>
<dates>
<discovery>2014-09-23</discovery>
<entry>2015-10-25</entry>
</dates>
</vuln>
<vuln vid="75f39413-7a00-11e5-a2a1-002590263bf5">
<topic>drupal -- open redirect vulnerability</topic>
<affects>
<package>
<name>drupal7</name>
<range><lt>7.41</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal development team reports:</p>
<blockquote cite="https://www.drupal.org/SA-CORE-2015-004">
<p>The Overlay module in Drupal core displays administrative pages
as a layer over the current page (using JavaScript), rather than
replacing the page in the browser window. The Overlay module does
not sufficiently validate URLs prior to displaying their contents,
leading to an open redirect vulnerability.</p>
<p>This vulnerability is mitigated by the fact that it can only be
used against site users who have the "Access the administrative
overlay" permission, and that the Overlay module must be enabled.
</p>
<p>An incomplete fix for this issue was released as part of
SA-CORE-2015-002.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7943</cvename>
<url>https://www.drupal.org/SA-CORE-2015-004</url>
<url>http://www.openwall.com/lists/oss-security/2015/10/23/6</url>
</references>
<dates>
<discovery>2015-10-21</discovery>
<entry>2015-10-24</entry>
</dates>
</vuln>
<vuln vid="08d11134-79c5-11e5-8987-6805ca0b3d42">
<topic>phpMyAdmin -- Content spoofing vulnerability</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><ge>4.4.0</ge><lt>4.4.15.1</lt></range>
<range><ge>4.5.0</ge><lt>4.5.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2015-5/">
<p>This vulnerability allows an attacker to perform a
content spoofing attack using the phpMyAdmin's redirection
mechanism to external sites.</p>
<p>We consider this vulnerability to be non critical since
the spoofed content is escaped and no HTML injection is
possible.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2015-5/</url>
<cvename>CVE-2015-7873</cvename>
</references>
<dates>
<discovery>2015-10-23</discovery>
<entry>2015-10-23</entry>
</dates>
</vuln>
<vuln vid="b973a763-7936-11e5-a2a1-002590263bf5">
<topic>mediawiki -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mediawiki123</name>
<range><lt>1.23.11</lt></range>
</package>
<package>
<name>mediawiki124</name>
<range><lt>1.24.4</lt></range>
</package>
<package>
<name>mediawiki125</name>
<range><lt>1.25.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MediaWiki reports:</p>
<blockquote cite="https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-October/000181.html">
<p>Wikipedia user RobinHood70 reported two issues in the chunked
upload API. The API failed to correctly stop adding new chunks to
the upload when the reported size was exceeded (T91203), allowing
a malicious user to upload an infinite number of chunks for a
single file upload. Additionally, a malicious user could upload
chunks of 1 byte for very large files, potentially creating a very
large number of files on the server's filesystem (T91205).</p>
<p>Internal review discovered that it is not possible to throttle file
uploads.</p>
<p>Internal review discovered a missing authorization check when
removing suppression from a revision. This allowed users with the
'viewsuppressed' user right but not the appropriate
'suppressrevision' user right to unsuppress revisions.</p>
<p>Richard Stanway from teamliquid.net reported that thumbnails of PNG
files generated with ImageMagick contained the local file path in
the image metadata.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8001</cvename>
<cvename>CVE-2015-8002</cvename>
<cvename>CVE-2015-8003</cvename>
<cvename>CVE-2015-8004</cvename>
<cvename>CVE-2015-8005</cvename>
<cvename>CVE-2015-8006</cvename>
<cvename>CVE-2015-8007</cvename>
<cvename>CVE-2015-8008</cvename>
<cvename>CVE-2015-8009</cvename>
<url>https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-October/000181.html</url>
<url>https://phabricator.wikimedia.org/T91203</url>
<url>https://phabricator.wikimedia.org/T91205</url>
<url>https://phabricator.wikimedia.org/T91850</url>
<url>https://phabricator.wikimedia.org/T95589</url>
<url>https://phabricator.wikimedia.org/T108616</url>
<url>http://www.openwall.com/lists/oss-security/2015/10/29/14</url>
</references>
<dates>
<discovery>2015-10-16</discovery>
<entry>2015-10-23</entry>
<modified>2015-12-24</modified>
</dates>
</vuln>
<vuln vid="c4a18a12-77fc-11e5-a687-206a8a720317">
<topic>ntp -- 13 low- and medium-severity vulnerabilities</topic>
<affects>
<package>
<name>ntp</name>
<range><lt>4.2.8p4</lt></range>
</package>
<package>
<name>ntp-devel</name>
<range><lt>4.3.76</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.2</ge><lt>10.2_7</lt></range>
<range><ge>10.1</ge><lt>10.1_24</lt></range>
<range><ge>9.3</ge><lt>9.3_30</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ntp.org reports:</p>
<blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities">
<p>NTF's NTP Project has been notified of the following 13 low-
and medium-severity vulnerabilities that are fixed in
ntp-4.2.8p4, released on Wednesday, 21 October 2015:</p>
<ul>
<li>Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric
association authentication bypass via crypto-NAK
(Cisco ASIG)</li>
<li>Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch
instead of returning FAIL on some bogus values (IDA)</li>
<li>Bug 2921 CVE-2015-7854 Password Length Memory Corruption
Vulnerability. (Cisco TALOS)</li>
<li>Bug 2920 CVE-2015-7853 Invalid length data provided by a
custom refclock driver could cause a buffer overflow.
(Cisco TALOS)</li>
<li>Bug 2919 CVE-2015-7852 ntpq atoascii() Memory Corruption
Vulnerability. (Cisco TALOS)</li>
<li>Bug 2918 CVE-2015-7851 saveconfig Directory Traversal
Vulnerability. (OpenVMS) (Cisco TALOS)</li>
<li>Bug 2917 CVE-2015-7850 remote config logfile-keyfile.
(Cisco TALOS)</li>
<li>Bug 2916 CVE-2015-7849 trusted key use-after-free.
(Cisco TALOS)</li>
<li>Bug 2913 CVE-2015-7848 mode 7 loop counter underrun.
(Cisco TALOS)</li>
<li>Bug 2909 CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC.
(Tenable)</li>
<li>Bug 2902 : CVE-2015-7703 configuration directives "pidfile"
and "driftfile" should only be allowed locally. (RedHat)</li>
<li>Bug 2901 : CVE-2015-7704, CVE-2015-7705 Clients that
receive a KoD should validate the origin timestamp field.
(Boston University)</li>
<li>Bug 2899 : CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
Incomplete autokey data packet length checks. (Tenable)</li>
</ul>
<p>The only generally-exploitable bug in the above list is the
crypto-NAK bug, which has a CVSS2 score of 6.4.</p>
<p>Additionally, three bugs that have already been fixed in
ntp-4.2.8 but were not fixed in ntp-4.2.6 as it was EOL'd
have a security component, but are all below 1.8 CVSS score,
so we're reporting them here:</p>
<ul>
<li>Bug 2382 : Peer precision < -31 gives division by zero</li>
<li>Bug 1774 : Segfaults if cryptostats enabled when built
without OpenSSL</li>
<li>Bug 1593 : ntpd abort in free() with logconfig syntax error</li>
</ul>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-15:25.ntp</freebsdsa>
<cvename>CVE-2015-7691</cvename>
<cvename>CVE-2015-7692</cvename>
<cvename>CVE-2015-7701</cvename>
<cvename>CVE-2015-7702</cvename>
<cvename>CVE-2015-7703</cvename>
<cvename>CVE-2015-7704</cvename>
<cvename>CVE-2015-7705</cvename>
<cvename>CVE-2015-7848</cvename>
<cvename>CVE-2015-7849</cvename>
<cvename>CVE-2015-7850</cvename>
<cvename>CVE-2015-7851</cvename>
<cvename>CVE-2015-7852</cvename>
<cvename>CVE-2015-7853</cvename>
<cvename>CVE-2015-7854</cvename>
<cvename>CVE-2015-7855</cvename>
<cvename>CVE-2015-7871</cvename>
<url>http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities</url>
</references>
<dates>
<discovery>2015-10-21</discovery>
<entry>2015-10-21</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="95602550-76cf-11e5-a2a1-002590263bf5">
<topic>codeigniter -- multiple XSS vulnerabilities</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>2.2.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://codeigniter.com/userguide2/changelog.html">
<p>Fixed a number of XSS attack vectors in Security Library method
xss_clean (thanks to Frans Rosén from Detectify).</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203403</freebsdpr>
<url>https://codeigniter.com/userguide2/changelog.html</url>
</references>
<dates>
<discovery>2015-10-08</discovery>
<entry>2015-10-20</entry>
</dates>
</vuln>
<vuln vid="7f645ee5-7681-11e5-8519-005056ac623e">
<topic>Git -- Execute arbitrary code</topic>
<affects>
<package>
<name>git</name>
<range><lt>2.6.1</lt></range>
</package>
<package>
<name>git-gui</name>
<range><lt>2.6.1</lt></range>
</package>
<package>
<name>git-lite</name>
<range><lt>2.6.1</lt></range>
</package>
<package>
<name>git-subversion</name>
<range><lt>2.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Git release notes:</p>
<blockquote cite="https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.1.txt">
<p>Some protocols (like git-remote-ext) can execute arbitrary code
found in the URL. The URLs that submodules use may come from
arbitrary sources (e.g., .gitmodules files in a remote
repository), and can hurt those who blindly enable recursive
fetch. Restrict the allowed protocols to well known and safe
ones.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7545</cvename>
<url>https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.1.txt</url>
<url>http://www.openwall.com/lists/oss-security/2015/12/11/7</url>
</references>
<dates>
<discovery>2015-09-23</discovery>
<entry>2015-10-19</entry>
<modified>2015-12-12</modified>
</dates>
</vuln>
<vuln vid="3934cc60-f0fa-4eca-be09-c8bd7ae42871">
<topic>Salt -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py27-salt</name>
<range><lt>2015.8.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Salt release notes:</p>
<blockquote cite="https://docs.saltstack.com/en/latest/topics/releases/2015.8.1.html">
<p>CVE-2015-6918 - Git modules leaking HTTPS auth credentials to debug log</p>
<p>Updated the Git state and execution modules to no longer display HTTPS basic
authentication credentials in loglevel debug output on the Salt master. These
credentials are now replaced with REDACTED in the debug output. Thanks to
Andreas Stieger for bringing this to our attention.</p>
<p>CVE-2015-6941 - win_useradd module and salt-cloud display passwords in debug
log</p>
<p>Updated the win_useradd module return data to no longer include the password
of the newly created user. The password is now replaced with the string
XXX-REDACTED-XXX. Updated the Salt Cloud debug output to no longer display
win_password and sudo_password authentication credentials. Also updated the
Linode driver to no longer display authentication credentials in debug logs.
These credentials are now replaced with REDACTED in the debug output.</p>
</blockquote>
</body>
</description>
<references>
<url>https://docs.saltstack.com/en/latest/topics/releases/2015.8.1.html</url>
<cvename>CVE-2015-6918</cvename>
<cvename>CVE-2015-6941</cvename>
</references>
<dates>
<discovery>2015-10-16</discovery>
<entry>2015-10-17</entry>
</dates>
</vuln>
<vuln vid="79c68ef7-c8ae-4ade-91b4-4b8221b7c72a">
<topic>firefox -- Cross-origin restriction bypass using Fetch</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>41.0.2,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>41.0.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Firefox Developers report:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2015-115/">
<p>Security researcher Abdulrahman Alqabandi reported that the fetch()
API did not correctly implement the Cross-Origin Resource Sharing
(CORS) specification, allowing a malicious page to access private
data from other origins. Mozilla developer Ben Kelly independently reported the
same issue.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2015-115/</url>
<cvename>CVE-2015-7184</cvename>
</references>
<dates>
<discovery>2015-10-15</discovery>
<entry>2015-10-16</entry>
</dates>
</vuln>
<vuln vid="84147b46-e876-486d-b746-339ee45a8bb9">
<topic>flash -- remote code execution</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-f10-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<range><lt>11.2r202.540</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-27.html">
<p>These updates resolve type confusion vulnerabilities that
could lead to code execution (CVE-2015-7645, CVE-2015-7647,
CVE-2015-7648).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7645</cvename>
<cvename>CVE-2015-7647</cvename>
<cvename>CVE-2015-7648</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-27.html</url>
</references>
<dates>
<discovery>2015-10-16</discovery>
<entry>2015-10-16</entry>
</dates>
</vuln>
<vuln vid="e75a96df-73ca-11e5-9b45-b499baebfeaf">
<topic>LibreSSL -- Memory leak and buffer overflow</topic>
<affects>
<package>
<name>libressl</name>
<range><lt>2.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Qualys reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/10/16/1">
<p>During the code review of OpenSMTPD a memory leak and buffer overflow
(an off-by-one, usually stack-based) were discovered in LibreSSL's
OBJ_obj2txt() function. This function is called automatically during
a TLS handshake (both client-side, unless an anonymous mode is used,
and server-side, if client authentication is requested).</p>
</blockquote>
</body>
</description>
<references>
<url>http://marc.info/?l=openbsd-announce&m=144495690528446</url>
<cvename>CVE-2015-5333</cvename>
<cvename>CVE-2015-5334</cvename>
</references>
<dates>
<discovery>2015-10-15</discovery>
<entry>2015-10-16</entry>
<modified>2015-10-26</modified>
</dates>
</vuln>
<vuln vid="07a1a76c-734b-11e5-ae81-14dae9d210b8">
<topic>mbedTLS/PolarSSL -- DoS and possible remote code execution</topic>
<affects>
<package>
<name>polarssl</name>
<range><ge>1.2.0</ge><lt>1.2.17</lt></range>
</package>
<package>
<name>polarssl13</name>
<range><ge>1.3.0</ge><lt>1.3.14</lt></range>
</package>
<package>
<name>mbedtls</name>
<range><lt>2.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ARM Limited reports:</p>
<blockquote cite="https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01">
<p>When the client creates its ClientHello message, due to
insufficient bounds checking it can overflow the heap-based buffer
containing the message while writing some extensions. Two extensions in
particular could be used by a remote attacker to trigger the overflow:
the session ticket extension and the server name indication (SNI)
extension.</p>
</blockquote>
</body>
</description>
<references>
<url>https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01</url>
<cvename>CVE-2015-5291</cvename>
</references>
<dates>
<discovery>2015-10-05</discovery>
<entry>2015-10-15</entry>
</dates>
</vuln>
<vuln vid="ea1d2530-72ce-11e5-a2a1-002590263bf5">
<topic>magento -- multiple vulnerabilities</topic>
<affects>
<package>
<name>magento</name>
<range><lt>1.9.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Magento, Inc. reports:</p>
<blockquote cite="https://www.magentocommerce.com/download">
<p>SUPEE-6482 - This patch addresses two issues related to APIs and
two cross-site scripting risks.</p>
<p>SUPEE-6285 - This patch provides protection against several types
of security-related issues, including information leaks, request
forgeries, and cross-site scripting.</p>
<p>SUPEE-5994 - This patch addresses multiple security
vulnerabilities in Magento Community Edition software, including
issues that can put customer information at risk.</p>
<p>SUPEE-5344 - Addresses a potential remote code execution
exploit.</p>
<p>SUPEE-1533 - Addresses two potential remote code execution
exploits.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/201709</freebsdpr>
<url>https://www.magentocommerce.com/download</url>
<url>http://merch.docs.magento.com/ce/user_guide/Magento_Community_Edition_User_Guide.html#magento/release-notes-ce-1.9.2.html</url>
<url>http://merch.docs.magento.com/ce/user_guide/Magento_Community_Edition_User_Guide.html#magento/release-notes-ce-1.9.2.1.html</url>
</references>
<dates>
<discovery>2014-10-03</discovery>
<entry>2015-10-14</entry>
</dates>
</vuln>
<vuln vid="705b759c-7293-11e5-a371-14dae9d210b8">
<topic>pear-twig -- remote code execution</topic>
<affects>
<package>
<name>pear-twig-twig</name>
<range><lt>1.20.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Fabien Potencier reports:</p>
<blockquote cite="http://symfony.com/blog/security-release-twig-1-20-0">
<p>End users can craft valid Twig code that allows them to
execute arbitrary code (RCEs) via the _self variable, which is always
available, even in sandboxed templates.</p>
</blockquote>
</body>
</description>
<references>
<url>http://symfony.com/blog/security-release-twig-1-20-0</url>
<cvename>CVE-2015-7809</cvename>
</references>
<dates>
<discovery>2015-08-12</discovery>
<entry>2015-10-14</entry>
</dates>
</vuln>
<vuln vid="06fefd2f-728f-11e5-a371-14dae9d210b8">
<topic>miniupnpc -- buffer overflow</topic>
<affects>
<package>
<name>miniupnpc</name>
<range><ge>1.9.1</ge><lt>1.9.20150917</lt></range>
<range><lt>1.9_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Talos reports:</p>
<blockquote cite="http://talosintel.com/reports/TALOS-2015-0035/">
<p>An exploitable buffer overflow vulnerability exists in the
XML parser functionality of the MiniUPnP library. A specially crafted
XML response can lead to a buffer overflow on the stack resulting in
remote code execution. An attacker can set up a server on the local
network to trigger this vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-6031</cvename>
<url>http://talosintel.com/reports/TALOS-2015-0035/</url>
<url>https://github.com/miniupnp/miniupnp/commit/79cca974a4c2ab1199786732a67ff6d898051b78</url>
</references>
<dates>
<discovery>2015-09-15</discovery>
<entry>2015-10-14</entry>
<modified>2015-10-14</modified>
</dates>
</vuln>
<vuln vid="a63f2c06-726b-11e5-a12b-bcaec565249c">
<topic>flash -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-f10-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<range><lt>11.2r202.535</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-25.html">
<p>These updates resolve a vulnerability that could be exploited
to bypass the same-origin-policy and lead to information
disclosure (CVE-2015-7628).</p>
<p>These updates include a defense-in-depth feature in the Flash
broker API (CVE-2015-5569).</p>
<p>These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2015-7629, CVE-2015-7631,
CVE-2015-7643, CVE-2015-7644).</p>
<p>These updates resolve a buffer overflow vulnerability that
could lead to code execution (CVE-2015-7632).</p>
<p>These updates resolve memory corruption vulnerabilities that
could lead to code execution (CVE-2015-7625, CVE-2015-7626,
CVE-2015-7627, CVE-2015-7630, CVE-2015-7633, CVE-2015-7634).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5569</cvename>
<cvename>CVE-2015-7625</cvename>
<cvename>CVE-2015-7626</cvename>
<cvename>CVE-2015-7627</cvename>
<cvename>CVE-2015-7628</cvename>
<cvename>CVE-2015-7629</cvename>
<cvename>CVE-2015-7630</cvename>
<cvename>CVE-2015-7631</cvename>
<cvename>CVE-2015-7632</cvename>
<cvename>CVE-2015-7633</cvename>
<cvename>CVE-2015-7634</cvename>
<cvename>CVE-2015-7643</cvename>
<cvename>CVE-2015-7644</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-25.html</url>
</references>
<dates>
<discovery>2015-10-13</discovery>
<entry>2015-10-14</entry>
</dates>
</vuln>
<vuln vid="8301c04d-71df-11e5-9fcb-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<!--pcbsd-->
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>46.0.2490.71</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2015/10/stable-channel-update.html">
<p>24 security fixes in this release, including:</p>
<ul>
<li>[519558] High CVE-2015-6755: Cross-origin bypass in Blink.
Credit to Mariusz Mlynski.</li>
<li>[507316] High CVE-2015-6756: Use-after-free in PDFium. Credit
to anonymous.</li>
<li>[529520] High CVE-2015-6757: Use-after-free in ServiceWorker.
Credit to Collin Payne.</li>
<li>[522131] High CVE-2015-6758: Bad-cast in PDFium. Credit to Atte
Kettunen of OUSPG.</li>
<li>[514076] Medium CVE-2015-6759: Information leakage in
LocalStorage. Credit to Muneaki Nishimura (nishimunea).</li>
<li>[519642] Medium CVE-2015-6760: Improper error handling in
libANGLE. Credit to lastland.net.</li>
<li>[447860,532967] Medium CVE-2015-6761: Memory corruption in
FFMpeg. Credit to Aki Helin of OUSPG and anonymous.</li>
<li>[512678] Low CVE-2015-6762: CORS bypass via CSS fonts. Credit
to Muneaki Nishimura (nishimunea).</li>
<li>[542517] CVE-2015-6763: Various fixes from internal audits,
fuzzing and other initiatives.</li>
<li>Multiple vulnerabilities in V8 fixed at the tip of the 4.6
branch (currently 4.6.85.23).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-6755</cvename>
<cvename>CVE-2015-6756</cvename>
<cvename>CVE-2015-6757</cvename>
<cvename>CVE-2015-6758</cvename>
<cvename>CVE-2015-6759</cvename>
<cvename>CVE-2015-6760</cvename>
<cvename>CVE-2015-6761</cvename>
<cvename>CVE-2015-6762</cvename>
<cvename>CVE-2015-6763</cvename>
<url>http://googlechromereleases.blogspot.nl/2015/10/stable-channel-update.html</url>
</references>
<dates>
<discovery>2015-10-13</discovery>
<entry>2015-10-13</entry>
</dates>
</vuln>
<vuln vid="00dadbf0-6f61-11e5-a2a1-002590263bf5">
<topic>p5-UI-Dialog -- shell command execution vulnerability</topic>
<affects>
<package>
<name>p5-UI-Dialog</name>
<range><lt>1.09_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthijs Kooijman reports:</p>
<blockquote cite="https://rt.cpan.org/Public/Bug/Display.html?id=107364">
<p>It seems that the whiptail, cdialog and kdialog backends apply
some improper escaping in their shell commands, causing special
characters present in menu item titles to be interpreted by the
shell. This includes the backtick evaluation operator, so this
constitutes a security issue, allowing execution of arbitrary
commands if an attacker has control over the text displayed in
a menu.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-7315</cvename>
<freebsdpr>ports/203667</freebsdpr>
<url>https://rt.cpan.org/Public/Bug/Display.html?id=107364</url>
<url>https://bugs.debian.org/496448</url>
<url>https://github.com/kckrinke/UI-Dialog/commit/6adc44cc636c615d76297d86835e1a997681eb61</url>
</references>
<dates>
<discovery>2008-08-24</discovery>
<entry>2015-10-10</entry>
</dates>
</vuln>
<vuln vid="290351c9-6f5c-11e5-a2a1-002590263bf5">
<topic>devel/ipython -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ipython</name>
<range><lt>3.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Bussonnier reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/02/3">
<p>Summary: Local folder name was used in HTML templates without
escaping, allowing XSS in said pages by carefully crafting folder
name and URL to access it.</p>
<p>URI with issues:</p>
<ul>
<li>GET /tree/**</li>
</ul>
</blockquote>
<p>Benjamin RK reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/16/3">
<p>Vulnerability: A maliciously forged file opened for editing can
execute javascript, specifically by being redirected to /files/ due
to a failure to treat the file as plain text.</p>
<p>URI with issues:</p>
<ul>
<li>GET /edit/**</li>
</ul>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203668</freebsdpr>
<cvename>CVE-2015-6938</cvename>
<cvename>CVE-2015-7337</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/09/02/3</url>
<url>https://github.com/ipython/ipython/commit/3ab41641cf6fce3860c73d5cf4645aa12e1e5892</url>
<url>http://www.openwall.com/lists/oss-security/2015/09/16/3</url>
<url>https://github.com/ipython/ipython/commit/0a8096adf165e2465550bd5893d7e352544e5967</url>
</references>
<dates>
<discovery>2015-09-01</discovery>
<entry>2015-10-10</entry>
</dates>
</vuln>
<vuln vid="a0182578-6e00-11e5-a90c-0026551a22dc">
<topic>PostgreSQL -- minor security problems</topic>
<affects>
<package>
<name>postgresql90-server</name>
<range><ge>9.0.0</ge><lt>9.0.22</lt></range>
</package>
<package>
<name>postgresql91-server</name>
<range><ge>9.1.0</ge><lt>9.1.18</lt></range>
</package>
<package>
<name>postgresql92-server</name>
<range><ge>9.2.0</ge><lt>9.2.13</lt></range>
</package>
<package>
<name>postgresql93-server</name>
<range><ge>9.3.0</ge><lt>9.3.9</lt></range>
</package>
<package>
<name>postgresql94-server</name>
<range><ge>9.4.0</ge><lt>9.4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PostgreSQL project reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1615/">
<p>
Two security issues have been fixed in this release which affect
users of specific PostgreSQL features.
</p>
<ul>
<li>CVE-2015-5289: json or jsonb input values constructed from
arbitrary user input can crash the PostgreSQL server and cause a denial of
service.
</li>
<li>CVE-2015-5288: The crypt() function included with the optional pgCrypto
extension could be exploited to read a few additional bytes of memory.
No working exploit for this issue has been developed.
</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5289</cvename>
<cvename>CVE-2015-5288</cvename>
</references>
<dates>
<discovery>2015-10-08</discovery>
<entry>2015-10-08</entry>
</dates>
</vuln>
<vuln vid="d3324fdb-6bf0-11e5-bc5e-00505699053e">
<topic>ZendFramework1 -- SQL injection vulnerability</topic>
<affects>
<package>
<name>ZendFramework1</name>
<range><lt>1.12.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Zend Framework developers report:</p>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2015-08">
<p>The PDO adapters of Zend Framework 1 do not filter null bytes values
in SQL statements. A PDO adapter can treat null bytes in a query as a
string terminator, allowing an attacker to add arbitrary SQL
following a null byte, and thus create a SQL injection.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7695</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/09/30/6</url>
<url>http://framework.zend.com/security/advisory/ZF2015-08</url>
</references>
<dates>
<discovery>2015-09-15</discovery>
<entry>2015-10-06</entry>
<modified>2015-10-12</modified>
</dates>
</vuln>
<vuln vid="42852f72-6bd3-11e5-9909-002590263bf5">
<topic>OpenSMTPD -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opensmtpd</name>
<range><lt>5.7.3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSMTPD developers report:</p>
<blockquote cite="https://www.opensmtpd.org/announces/release-5.7.3.txt">
<p>fix an mda buffer truncation bug which allows a user to create
forward files that pass session checks but fail delivery later down
the chain, within the user mda</p>
<p>fix remote buffer overflow in unprivileged pony process</p>
<p>reworked offline enqueue to better protect against hardlink
attacks</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2015/10/04/2</url>
<url>https://www.opensmtpd.org/announces/release-5.7.3.txt</url>
</references>
<dates>
<discovery>2015-10-04</discovery>
<entry>2015-10-06</entry>
</dates>
</vuln>
<vuln vid="5d280761-6bcf-11e5-9909-002590263bf5">
<topic>mbedTLS/PolarSSL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>polarssl</name>
<range><ge>1.2.0</ge><lt>1.2.16</lt></range>
</package>
<package>
<name>polarssl13</name>
<range><ge>1.3.0</ge><lt>1.3.13</lt></range>
</package>
<package>
<name>mbedtls</name>
<range><lt>2.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ARM Limited reports:</p>
<blockquote cite="https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.1-and-1.3.13-and-polarssl-1.2.16-released">
<p>Florian Weimer from Red Hat published on Lenstra's RSA-CRT attack
for PKCS#1 v1.5 signatures. These releases include countermeasures
against that attack.</p>
<p>Fabian Foerg of Gotham Digital Science found a possible client-side
NULL pointer dereference, using the AFL Fuzzer. This dereference can
only occur when misusing the API, although a fix has still been
implemented.</p>
</blockquote>
</body>
</description>
<references>
<url>https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.1-and-1.3.13-and-polarssl-1.2.16-released</url>
</references>
<dates>
<discovery>2015-09-18</discovery>
<entry>2015-10-06</entry>
</dates>
</vuln>
<vuln vid="953aaa57-6bce-11e5-9909-002590263bf5">
<topic>mbedTLS/PolarSSL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>polarssl</name>
<range><ge>1.2.0</ge><lt>1.2.15</lt></range>
</package>
<package>
<name>polarssl13</name>
<range><ge>1.3.0</ge><lt>1.3.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ARM Limited reports:</p>
<blockquote cite="https://tls.mbed.org/tech-updates/releases/polarssl-1.2.15-and-mbedtls-1.3.12-released">
<p>In order to strengthen the minimum requirements for connections and
to protect against the Logjam attack, the minimum size of
Diffie-Hellman parameters accepted by the client has been increased
to 1024 bits.</p>
<p>In addition the default size for the Diffie-Hellman parameters on
the server are increased to 2048 bits. This can be changed with
ssl_set_dh_params() in case this is necessary.</p>
</blockquote>
</body>
</description>
<references>
<url>https://tls.mbed.org/tech-updates/releases/polarssl-1.2.15-and-mbedtls-1.3.12-released</url>
</references>
<dates>
<discovery>2015-08-11</discovery>
<entry>2015-10-06</entry>
</dates>
</vuln>
<vuln vid="9272a5b0-6b40-11e5-bd7f-bcaec565249c">
<topic>gdk-pixbuf2 -- heap overflow and DoS</topic>
<affects>
<package>
<name>gdk-pixbuf2</name>
<range><lt>2.32.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/10/02/9">
<p>We found a heap overflow and a DoS in the gdk-pixbuf
implementation triggered by the scaling of a tga file.</p>
</blockquote>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/10/02/10">
<p>We found a heap overflow in the gdk-pixbuf implementation
triggered by the scaling of a gif file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7673</cvename>
<cvename>CVE-2015-7674</cvename>
<url>https://mail.gnome.org/archives/ftp-release-list/2015-September/msg00201.html</url>
<url>https://mail.gnome.org/archives/ftp-release-list/2015-September/msg00287.html</url>
<url>http://www.openwall.com/lists/oss-security/2015/10/02/9</url>
<url>http://www.openwall.com/lists/oss-security/2015/10/02/10</url>
</references>
<dates>
<discovery>2015-10-02</discovery>
<entry>2015-10-05</entry>
</dates>
</vuln>
<vuln vid="6b3374d4-6b0b-11e5-9909-002590263bf5">
<topic>plone -- multiple vulnerabilities</topic>
<affects>
<package>
<name>plone</name>
<range><lt>4.3.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Plone.org reports:</p>
<blockquote cite="https://plone.org/products/plone/security/advisories/20150910-announcement">
<p>Versions Affected: All current Plone versions.</p>
<p>Versions Not Affected: None.</p>
<p>Nature of vulnerability: Allows creation of members by anonymous
users on sites that have self-registration enabled, allowing bypass
of CAPTCHA and similar protections against scripted attacks.</p>
<p>The patch can be added to buildouts as Products.PloneHotfix20150910
(available from PyPI) or downloaded from Plone.org.</p>
<p>Immediate Measures You Should Take: Disable self-registration until
you have applied the patch.</p>
</blockquote>
<blockquote cite="https://plone.org/security/20150910/non-persistent-xss-in-plone">
<p>Plone's URL checking infrastructure includes a method for checking
if URLs are valid and located in the Plone site. By passing HTML into
this specially crafted URL, XSS can be achieved.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203255</freebsdpr>
<url>https://plone.org/products/plone-hotfix/releases/20150910</url>
<url>https://plone.org/products/plone/security/advisories/20150910-announcement</url>
<url>https://plone.org/security/20150910/non-persistent-xss-in-plone</url>
<url>https://github.com/plone/Products.CMFPlone/commit/3da710a2cd68587f0bf34f2e7ea1167d6eeee087</url>
</references>
<dates>
<discovery>2015-09-10</discovery>
<entry>2015-10-05</entry>
</dates>
</vuln>
<vuln vid="c1da8b75-6aef-11e5-9909-002590263bf5">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5-phar</name>
<range><le>5.4.45</le></range>
</package>
<package>
<name>php55-phar</name>
<range><lt>5.5.30</lt></range>
</package>
<package>
<name>php56-phar</name>
<range><lt>5.6.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP reports:</p>
<blockquote cite="http://php.net/ChangeLog-5.php#5.5.30">
<p>Phar:</p>
<ul>
<li>Fixed bug #69720 (Null pointer dereference in
phar_get_fp_offset()).</li>
<li>Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream
when zip entry filename is "/").</li>
</ul>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203541</freebsdpr>
<cvename>CVE-2015-7803</cvename>
<cvename>CVE-2015-7804</cvename>
<url>http://php.net/ChangeLog-5.php#5.5.30</url>
<url>http://php.net/ChangeLog-5.php#5.6.14</url>
</references>
<dates>
<discovery>2015-10-01</discovery>
<entry>2015-10-04</entry>
<modified>2015-10-12</modified>
</dates>
</vuln>
<vuln vid="ee7bdf7f-11bb-4eea-b054-c692ab848c20">
<topic>OpenSMTPD -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opensmtpd</name>
<range><lt>5.7.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSMTPD developers report:</p>
<blockquote cite="https://www.opensmtpd.org/announces/release-5.7.2.txt">
<p>an oversight in the portable version of fgetln() that allows
attackers to read and write out-of-bounds memory</p>
<p>multiple denial-of-service vulnerabilities that allow local users
to kill or hang OpenSMTPD</p>
<p>a stack-based buffer overflow that allows local users to crash
OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd
user</p>
<p>a hardlink attack (or race-conditioned symlink attack) that allows
local users to unset the chflags() of arbitrary files</p>
<p>a hardlink attack that allows local users to read the first line of
arbitrary files (for example, root's hash from /etc/master.passwd)
</p>
<p>a denial-of-service vulnerability that allows remote attackers to
fill OpenSMTPD's queue or mailbox hard-disk partition</p>
<p>an out-of-bounds memory read that allows remote attackers to crash
OpenSMTPD, or leak information and defeat the ASLR protection</p>
<p>a use-after-free vulnerability that allows remote attackers to
crash OpenSMTPD, or execute arbitrary code as the non-chrooted
_smtpd user</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.opensmtpd.org/announces/release-5.7.2.txt</url>
<cvename>CVE-2015-7687</cvename>
</references>
<dates>
<discovery>2015-10-02</discovery>
<entry>2015-10-04</entry>
<modified>2015-10-06</modified>
</dates>
</vuln>
<vuln vid="be3069c9-67e7-11e5-9909-002590263bf5">
<topic>james -- multiple vulnerabilities</topic>
<affects>
<package>
<name>james</name>
<range><lt>2.3.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache James Project reports:</p>
<blockquote cite="http://james.apache.org/download.cgi#Apache_James_Server">
<p>This release has many enhancements and bug fixes over the previous
release. See the Release Notes for a detailed list of changes. Some
of the earlier defects could turn a James mail server into an Open
Relay and allow files to be written on disk. All users of James
Server are urged to upgrade to version v2.3.2.1 as soon as
possible.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203461</freebsdpr>
<certvu>988628</certvu>
<cvename>CVE-2015-7611</cvename>
<url>http://james.apache.org/download.cgi#Apache_James_Server</url>
<url>https://blogs.apache.org/james/entry/apache_james_server_2_3</url>
</references>
<dates>
<discovery>2015-09-30</discovery>
<entry>2015-10-01</entry>
<modified>2015-10-04</modified>
</dates>
</vuln>
<vuln vid="1e7f0c11-673a-11e5-98c8-60a44c524f57">
<topic>otrs -- Scheduler Process ID File Access</topic>
<affects>
<package>
<name>otrs</name>
<range><gt>3.2.*</gt><lt>3.2.18</lt></range>
<range><gt>3.3.*</gt><lt>3.3.15</lt></range>
<range><gt>4.0.*</gt><lt>4.0.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OTRS project reports:</p>
<blockquote cite="https://www.otrs.com/security-advisory-2015-02-scheduler-process-id-file-access/">
<p>An attacker with valid LOCAL credentials could access and
manipulate the process ID file for bin/otrs.Scheduler.pl from the
CLI.</p>
<p>The Proc::Daemon module 0.14 for Perl uses world-writable
permissions for a file that stores a process ID, which allows local
users to have an unspecified impact by modifying this file.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.otrs.com/security-advisory-2015-02-scheduler-process-id-file-access/</url>
<cvename>CVE-2015-6842</cvename>
<cvename>CVE-2013-7135</cvename>
</references>
<dates>
<discovery>2015-09-17</discovery>
<entry>2015-09-30</entry>
</dates>
</vuln>
<vuln vid="4e3e8a50-65c1-11e5-948e-bcaec565249c">
<topic>flash -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-f10-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<range><lt>11.2r202.521</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-23.html">
<p>These updates resolve a type confusion vulnerability that could
lead to code execution (CVE-2015-5573).</p>
<p>These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2015-5570, CVE-2015-5574, CVE-2015-5581,
CVE-2015-5584, CVE-2015-6682).</p>
<p>These updates resolve buffer overflow vulnerabilities that could
lead to code execution (CVE-2015-6676, CVE-2015-6678).</p>
<p>These updates resolve memory corruption vulnerabilities that
could lead to code execution (CVE-2015-5575, CVE-2015-5577,
CVE-2015-5578, CVE-2015-5580, CVE-2015-5582, CVE-2015-5588,
CVE-2015-6677).</p>
<p>These updates include additional validation checks to ensure
that Flash Player rejects malicious content from vulnerable
JSONP callback APIs (CVE-2015-5571).</p>
<p>These updates resolve a memory leak vulnerability
(CVE-2015-5576).</p>
<p>These updates include further hardening to a mitigation to
defend against vector length corruptions (CVE-2015-5568).</p>
<p>These updates resolve stack corruption vulnerabilities that
could lead to code execution (CVE-2015-5567, CVE-2015-5579).</p>
<p>These updates resolve a stack overflow vulnerability that could
lead to code execution (CVE-2015-5587).</p>
<p>These updates resolve a security bypass vulnerability that could
lead to information disclosure (CVE-2015-5572).</p>
<p>These updates resolve a vulnerability that could be exploited to
bypass the same-origin-policy and lead to information disclosure
(CVE-2015-6679).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5567</cvename>
<cvename>CVE-2015-5568</cvename>
<cvename>CVE-2015-5570</cvename>
<cvename>CVE-2015-5571</cvename>
<cvename>CVE-2015-5572</cvename>
<cvename>CVE-2015-5573</cvename>
<cvename>CVE-2015-5574</cvename>
<cvename>CVE-2015-5575</cvename>
<cvename>CVE-2015-5576</cvename>
<cvename>CVE-2015-5577</cvename>
<cvename>CVE-2015-5578</cvename>
<cvename>CVE-2015-5588</cvename>
<cvename>CVE-2015-6676</cvename>
<cvename>CVE-2015-6677</cvename>
<cvename>CVE-2015-6678</cvename>
<cvename>CVE-2015-6679</cvename>
<cvename>CVE-2015-6682</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-23.html</url>
</references>
<dates>
<discovery>2015-09-21</discovery>
<entry>2015-09-28</entry>
</dates>
</vuln>
<vuln vid="5114cd11-6571-11e5-9909-002590263bf5">
<topic>codeigniter -- SQL injection vulnerability</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>2.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://codeigniter.com/userguide2/changelog.html">
<p>Security: Fixed an SQL injection vulnerability in Active Record
method offset().</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203401</freebsdpr>
<url>https://codeigniter.com/userguide2/changelog.html</url>
</references>
<dates>
<discovery>2015-08-20</discovery>
<entry>2015-09-28</entry>
</dates>
</vuln>
<vuln vid="01bce4c6-6571-11e5-9909-002590263bf5">
<topic>codeigniter -- mysql database driver vulnerability</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>2.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://codeigniter.com/userguide2/changelog.html">
<p>Security: Removed a fallback to mysql_escape_string() in the mysql
database driver (escape_str() method) when there's no active database
connection.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203401</freebsdpr>
<url>https://codeigniter.com/userguide2/changelog.html</url>
</references>
<dates>
<discovery>2015-07-15</discovery>
<entry>2015-09-28</entry>
</dates>
</vuln>
<vuln vid="c21f4e61-6570-11e5-9909-002590263bf5">
<topic>codeigniter -- multiple vulnerabilities</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>2.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://codeigniter.com/userguide2/changelog.html">
<p>Security: Added HTTP "Host" header character validation to prevent
cache poisoning attacks when base_url auto-detection is used.</p>
<p>Security: Added FSCommand and seekSegmentTime to the "evil
attributes" list in CI_Security::xss_clean().</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203401</freebsdpr>
<url>https://codeigniter.com/userguide2/changelog.html</url>
</references>
<dates>
<discovery>2015-04-15</discovery>
<entry>2015-09-28</entry>
</dates>
</vuln>
<vuln vid="f838dcb4-656f-11e5-9909-002590263bf5">
<topic>codeigniter -- multiple vulnerabilities</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>2.2.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://codeigniter.com/userguide2/changelog.html">
<p>Security: The xor_encode() method in the Encrypt Class has been
removed. The Encrypt Class now requires the Mcrypt extension to be
installed.</p>
<p>Security: The Session Library now uses HMAC authentication instead
of a simple MD5 checksum.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/203401</freebsdpr>
<url>https://codeigniter.com/userguide2/changelog.html</url>
</references>
<dates>
<discovery>2014-06-05</discovery>
<entry>2015-09-28</entry>
</dates>
</vuln>
<vuln vid="b7d785ea-656d-11e5-9909-002590263bf5">
<topic>codeigniter -- SQL injection vulnerability</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>2.0.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://codeigniter.com/userguide2/changelog.html">
<p>An improvement was made to the MySQL and MySQLi drivers to prevent
exposing a potential vector for SQL injection on sites using
multi-byte character sets in the database client connection.</p>
<p>An incompatibility in PHP versions &lt; 5.2.3 and MySQL &gt; 5.0.7
with mysql_set_charset() creates a situation where using multi-byte
character sets on these environments may potentially expose a SQL
injection attack vector. Latin-1, UTF-8, and other "low ASCII"
character sets are unaffected on all environments.</p>
<p>If you are running or considering running a multi-byte character
set for your database connection, please pay close attention to the
server environment you are deploying on to ensure you are not
vulnerable.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/156486</freebsdpr>
<url>https://codeigniter.com/userguide2/changelog.html</url>
</references>
<dates>
<discovery>2011-08-20</discovery>
<entry>2015-09-28</entry>
</dates>
</vuln>
<vuln vid="0e425bb7-64f2-11e5-b2fd-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>45.0.2454.101</lt></range>
</package>
<package>
<!-- pcbsd -->
<name>chromium-npapi</name>
<range><lt>45.0.2454.101</lt></range>
</package>
<package>
<!-- pcbsd -->
<name>chromium-pulse</name>
<range><lt>45.0.2454.101</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2015/09/stable-channel-update_24.html">
<p>Two vulnerabilities were fixed in this release:</p>
<ul>
<li>[530301] High CVE-2015-1303: Cross-origin bypass in DOM. Credit
to Mariusz Mlynski.</li>
<li>[531891] High CVE-2015-1304: Cross-origin bypass in V8. Credit
to Mariusz Mlynski.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1303</cvename>
<cvename>CVE-2015-1304</cvename>
<url>http://googlechromereleases.blogspot.nl/2015/09/stable-channel-update_24.html</url>
</references>
<dates>
<discovery>2015-09-24</discovery>
<entry>2015-09-27</entry>
</dates>
</vuln>
<vuln vid="9770d6ac-614d-11e5-b379-14dae9d210b8">
<topic>libssh2 -- denial of service vulnerability</topic>
<affects>
<package>
<name>libssh2</name>
<range><lt>1.5.0,2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mariusz Ziulek reports:</p>
<blockquote cite="http://www.libssh2.org/adv_20150311.html">
<p>A malicious attacker could man-in-the-middle a real server
and cause libssh2-using clients to crash (denial of service) or
otherwise read and use completely unintended memory areas in this
process.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.libssh2.org/adv_20150311.html</url>
<url>https://trac.libssh2.org/ticket/294</url>
<cvename>CVE-2015-1782</cvename>
</references>
<dates>
<discovery>2015-01-25</discovery>
<entry>2015-09-22</entry>
<modified>2015-09-22</modified>
</dates>
</vuln>
<vuln vid="2d56c7f4-b354-428f-8f48-38150c607a05">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>41.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>41.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.38</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.38</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>38.3.0,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><lt>38.3.0</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>38.3.0</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>38.3.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/">
<p>MFSA 2015-96 Miscellaneous memory safety hazards (rv:41.0
/ rv:38.3)</p>
<p>MFSA 2015-97 Memory leak in mozTCPSocket to servers</p>
<p>MFSA 2015-98 Out of bounds read in QCMS library with ICC
V4 profile attributes</p>
<p>MFSA 2015-99 Site attribute spoofing on Android by
pasting URL with unknown scheme</p>
<p>MFSA 2015-100 Arbitrary file manipulation by local user
through Mozilla updater</p>
<p>MFSA 2015-101 Buffer overflow in libvpx while parsing vp9
format video</p>
<p>MFSA 2015-102 Crash when using debugger with SavedStacks
in JavaScript</p>
<p>MFSA 2015-103 URL spoofing in reader mode</p>
<p>MFSA 2015-104 Use-after-free with shared workers and
IndexedDB</p>
<p>MFSA 2015-105 Buffer overflow while decoding WebM
video</p>
<p>MFSA 2015-106 Use-after-free while manipulating HTML
media content</p>
<p>MFSA 2015-107 Out-of-bounds read during 2D canvas display
on Linux 16-bit color depth systems</p>
<p>MFSA 2015-108 Scripted proxies can access inner
window</p>
<p>MFSA 2015-109 JavaScript immutable property enforcement
can be bypassed</p>
<p>MFSA 2015-110 Dragging and dropping images exposes final
URL after redirects</p>
<p>MFSA 2015-111 Errors in the handling of CORS preflight
request headers</p>
<p>MFSA 2015-112 Vulnerabilities found through code
inspection</p>
<p>MFSA 2015-113 Memory safety errors in libGLES in the
ANGLE graphics library</p>
<p>MFSA 2015-114 Information disclosure via the High
Resolution Time API</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4476</cvename>
<cvename>CVE-2015-4500</cvename>
<cvename>CVE-2015-4501</cvename>
<cvename>CVE-2015-4502</cvename>
<cvename>CVE-2015-4503</cvename>
<cvename>CVE-2015-4504</cvename>
<cvename>CVE-2015-4505</cvename>
<cvename>CVE-2015-4506</cvename>
<cvename>CVE-2015-4507</cvename>
<cvename>CVE-2015-4508</cvename>
<cvename>CVE-2015-4509</cvename>
<cvename>CVE-2015-4510</cvename>
<cvename>CVE-2015-4512</cvename>
<cvename>CVE-2015-4516</cvename>
<cvename>CVE-2015-4517</cvename>
<cvename>CVE-2015-4519</cvename>
<cvename>CVE-2015-4520</cvename>
<cvename>CVE-2015-4521</cvename>
<cvename>CVE-2015-4522</cvename>
<cvename>CVE-2015-7174</cvename>
<cvename>CVE-2015-7175</cvename>
<cvename>CVE-2015-7176</cvename>
<cvename>CVE-2015-7177</cvename>
<cvename>CVE-2015-7178</cvename>
<cvename>CVE-2015-7179</cvename>
<cvename>CVE-2015-7180</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-96/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-97/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-98/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-99/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-100/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-101/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-102/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-103/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-104/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-105/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-106/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-107/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-108/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-109/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-110/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-111/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-112/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-113/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-114/</url>
</references>
<dates>
<discovery>2015-09-22</discovery>
<entry>2015-09-22</entry>
</dates>
</vuln>
<vuln vid="3d950687-b4c9-4a86-8478-c56743547af8">
<topic>ffmpeg -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libav</name>
<!-- no known fixed version -->
<range><ge>0</ge></range>
</package>
<package>
<name>gstreamer1-libav</name>
<!-- gst-libav-1.4.5 has libav-10.5 -->
<range><lt>1.5.90</lt></range>
</package>
<package>
<name>gstreamer-ffmpeg</name>
<!-- gst-ffmpeg-0.10.13 has libav-0.7.2 (0.7.7 in freebsd port) -->
<!-- no known fixed version -->
<range><ge>0</ge></range>
</package>
<package>
<name>handbrake</name>
<!-- handbrake prior to 1.2.0 has libav-10.1 -->
<!-- backend library has been switched from libav to ffmpeg since 1.2.0 -->
<range><lt>1.2.0</lt></range>
</package>
<package>
<name>ffmpeg</name>
<range><lt>2.7.2,1</lt></range>
</package>
<package>
<name>ffmpeg26</name>
<range><lt>2.6.4</lt></range>
</package>
<package>
<name>ffmpeg25</name>
<range><lt>2.5.8</lt></range>
</package>
<package>
<name>ffmpeg24</name>
<range><lt>2.4.11</lt></range>
</package>
<package>
<name>ffmpeg-devel</name>
<name>ffmpeg23</name>
<name>ffmpeg2</name>
<name>ffmpeg1</name>
<name>ffmpeg-011</name>
<name>ffmpeg0</name>
<!-- no known fixed version -->
<range><ge>0</ge></range>
</package>
<package>
<name>avidemux</name>
<name>avidemux2</name>
<name>avidemux26</name>
<!-- avidemux-2.6.10 has ffmpeg-2.6.1 -->
<range><lt>2.6.11</lt></range>
</package>
<package>
<name>kodi</name>
<!-- kodi-14.2 has ffmpeg-2.4.6 -->
<range><lt>15.1</lt></range>
</package>
<package>
<name>mplayer</name>
<name>mencoder</name>
<!-- mplayer-1.1.r20150403 has ffmpeg-2.7.0+ (snapshot, c299fbb) -->
<range><lt>1.1.r20150822</lt></range>
</package>
<package>
<name>mythtv</name>
<name>mythtv-frontend</name>
<!-- mythtv-0.27.0.20140121 has ffmpeg-1.2.2+ (snapshot, f9c8726) -->
<range><le>0.27.5,1</le></range>
</package>
<package>
<name>plexhometheater</name>
<!-- plexhometheater-1.4.1 has ffmpeg-0.10.2 fork -->
<!-- no known fixed version -->
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6818">
<p>The decode_ihdr_chunk function in libavcodec/pngdec.c in
FFmpeg before 2.7.2 does not enforce uniqueness of the IHDR
(aka image header) chunk in a PNG image, which allows remote
attackers to cause a denial of service (out-of-bounds array
access) or possibly have unspecified other impact via a
crafted image with two or more of these chunks.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6819">
<p>Multiple integer underflows in the ff_mjpeg_decode_frame
function in libavcodec/mjpegdec.c in FFmpeg before 2.7.2
allow remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified
other impact via crafted MJPEG data.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6820">
<p>The ff_sbr_apply function in libavcodec/aacsbr.c in
FFmpeg before 2.7.2 does not check for a matching AAC frame
syntax element before proceeding with Spectral Band
Replication calculations, which allows remote attackers to
cause a denial of service (out-of-bounds array access) or
possibly have unspecified other impact via crafted AAC
data.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6821">
<p>The ff_mpv_common_init function in libavcodec/mpegvideo.c
in FFmpeg before 2.7.2 does not properly maintain the
encoding context, which allows remote attackers to cause a
denial of service (invalid pointer access) or possibly have
unspecified other impact via crafted MPEG data.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6822">
<p>The destroy_buffers function in libavcodec/sanm.c in
FFmpeg before 2.7.2 does not properly maintain height and
width values in the video context, which allows remote
attackers to cause a denial of service (segmentation
violation and application crash) or possibly have
unspecified other impact via crafted LucasArts Smush video
data.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6823">
<p>The allocate_buffers function in libavcodec/alac.c in
FFmpeg before 2.7.2 does not initialize certain context
data, which allows remote attackers to cause a denial of
service (segmentation violation) or possibly have
unspecified other impact via crafted Apple Lossless Audio
Codec (ALAC) data.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6824">
<p>The sws_init_context function in libswscale/utils.c in
FFmpeg before 2.7.2 does not initialize certain pixbuf data
structures, which allows remote attackers to cause a denial
of service (segmentation violation) or possibly have
unspecified other impact via crafted video data.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6825">
<p>The ff_frame_thread_init function in
libavcodec/pthread_frame.c in FFmpeg before 2.7.2 mishandles
certain memory-allocation failures, which allows remote
attackers to cause a denial of service (invalid pointer
access) or possibly have unspecified other impact via a
crafted file, as demonstrated by an AVI file.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6826">
<p>The ff_rv34_decode_init_thread_copy function in
libavcodec/rv34.c in FFmpeg before 2.7.2 does not initialize
certain structure members, which allows remote attackers to
cause a denial of service (invalid pointer access) or
possibly have unspecified other impact via crafted (1) RV30
or (2) RV40 RealVideo data.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-6818</cvename>
<cvename>CVE-2015-6819</cvename>
<cvename>CVE-2015-6820</cvename>
<cvename>CVE-2015-6821</cvename>
<cvename>CVE-2015-6822</cvename>
<cvename>CVE-2015-6823</cvename>
<cvename>CVE-2015-6824</cvename>
<cvename>CVE-2015-6825</cvename>
<cvename>CVE-2015-6826</cvename>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=47f4e2d8960ca756ca153ab8e3e93d80449b8c91</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=84afc6b70d24fc0bf686e43138c96cf60a9445fe</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=79a98294da6cd85f8c86b34764c5e0c43b09eea3</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=b160fc290cf49b516c5b6ee0730fd9da7fc623b1</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=39bbdebb1ed8eb9c9b0cd6db85afde6ba89d86e4</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f7068bf277a37479aecde2832208d820682b35e6</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a5d44d5c220e12ca0cb7a4eceb0f74759cb13111</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f1a38264f20382731cf2cc75fdd98f4c9a84a626</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3197c0aa87a3b7190e17d49e6fbc7b554e4b3f0a</url>
<url>https://ffmpeg.org/security.html</url>
</references>
<dates>
<discovery>2015-09-05</discovery>
<entry>2015-09-20</entry>
<modified>2018-03-25</modified>
</dates>
</vuln>
<vuln vid="c2fcbec2-5daa-11e5-9909-002590263bf5">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle27</name>
<range><lt>2.7.10</lt></range>
</package>
<package>
<name>moodle28</name>
<range><lt>2.8.8</lt></range>
</package>
<package>
<name>moodle29</name>
<range><lt>2.9.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Moodle Release Notes report:</p>
<blockquote cite="https://docs.moodle.org/dev/Moodle_2.7.10_release_notes">
<p>MSA-15-0030: Students can re-attempt answering questions in the
lesson (CVE-2015-5264)</p>
<p>MSA-15-0031: Teacher in forum can still post to "all participants"
and groups they are not members of (CVE-2015-5272 - 2.7.10 only)</p>
<p>MSA-15-0032: Users can delete files uploaded by other users in wiki
(CVE-2015-5265)</p>
<p>MSA-15-0033: Meta course synchronization enrolls suspended students
as managers for a short period of time (CVE-2015-5266)</p>
<p>MSA-15-0034: Vulnerability in password recovery mechanism
(CVE-2015-5267)</p>
<p>MSA-15-0035: Rating component does not check separate groups
(CVE-2015-5268)</p>
<p>MSA-15-0036: XSS in grouping description (CVE-2015-5269)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5264</cvename>
<cvename>CVE-2015-5272</cvename>
<cvename>CVE-2015-5265</cvename>
<cvename>CVE-2015-5266</cvename>
<cvename>CVE-2015-5267</cvename>
<cvename>CVE-2015-5268</cvename>
<cvename>CVE-2015-5269</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/09/21/1</url>
<url>https://docs.moodle.org/dev/Moodle_2.7.10_release_notes</url>
<url>https://docs.moodle.org/dev/Moodle_2.8.8_release_notes</url>
<url>https://docs.moodle.org/dev/Moodle_2.9.2_release_notes</url>
</references>
<dates>
<discovery>2015-09-14</discovery>
<entry>2015-09-18</entry>
<modified>2015-09-24</modified>
</dates>
</vuln>
<vuln vid="d3a98c2d-5da1-11e5-9909-002590263bf5">
<topic>squid -- TLS/SSL parser denial of service vulnerability</topic>
<affects>
<package>
<name>squid</name>
<range><ge>3.5.0.1</ge><lt>3.5.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Amos Jeffries, release manager of the Squid-3 series, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/18/1">
<p>Vulnerable versions are 3.5.0.1 to 3.5.8 (inclusive), which are
built with OpenSSL and configured for "SSL-Bump" decryption.</p>
<p>Integer overflows can lead to invalid pointer math reading from
random memory on some CPU architectures. In the best case this leads
to wrong TLS extensions being used for the client, worst-case a
crash of the proxy terminating all active transactions.</p>
<p>Incorrect message size checks and assumptions about the existence
of TLS extensions in the SSL/TLS handshake message can lead to very
high CPU consumption (up to and including 'infinite loop'
behaviour).</p>
<p>The above can be triggered remotely. Though there is one layer of
authorization applied before this processing to check that the
client is allowed to use the proxy, that check is generally weak. MS
Skype on Windows XP is known to trigger some of these.</p>
</blockquote>
<p>The FreeBSD port does not use SSL by default and is not vulnerable
in the default configuration.</p>
</body>
</description>
<references>
<freebsdpr>ports/203186</freebsdpr>
<url>http://www.squid-cache.org/Advisories/SQUID-2015_3.txt</url>
<url>http://www.openwall.com/lists/oss-security/2015/09/18/1</url>
</references>
<dates>
<discovery>2015-09-18</discovery>
<entry>2015-09-18</entry>
<modified>2016-02-18</modified>
</dates>
</vuln>
<vuln vid="b55ecf12-5d98-11e5-9909-002590263bf5">
<topic>remind -- buffer overflow with malicious reminder file input</topic>
<affects>
<package>
<name>remind</name>
<range><lt>3.1.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dianne Skoll reports:</p>
<blockquote cite="http://lists.roaringpenguin.com/pipermail/remind-fans/2015/003172.html">
<p>BUG FIX: Fix a buffer overflow found by Alexander Keller.</p>
</blockquote>
<p>The bug can be triggered by an extended DUMP command that uses a system
variable (that is, a special variable whose name begins with '$').</p>
</body>
</description>
<references>
<cvename>CVE-2015-5957</cvename>
<freebsdpr>ports/202942</freebsdpr>
<url>http://lists.roaringpenguin.com/pipermail/remind-fans/2015/003172.html</url>
<url>http://www.openwall.com/lists/oss-security/2015/08/07/1</url>
</references>
<dates>
<discovery>2015-07-27</discovery>
<entry>2015-09-18</entry>
</dates>
</vuln>
<vuln vid="d45ad7ae-5d56-11e5-9ad8-14dae9d210b8">
<topic>shutter -- arbitrary code execution</topic>
<affects>
<package>
<name>shutter</name>
<range><ge>0.80</ge><lt>0.93.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Luke Farone reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/541">
<p>In the "Shutter" screenshot application, I discovered that using the
"Show in folder" menu option while viewing a file with a
specially-crafted path allows for arbitrary code execution with the
permissions of the user running Shutter.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2015/q3/541</url>
<url>https://bugs.launchpad.net/shutter/+bug/1495163</url>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798862</url>
<cvename>CVE-2015-0854</cvename>
</references>
<dates>
<discovery>2015-09-13</discovery>
<entry>2015-09-17</entry>
</dates>
</vuln>
<vuln vid="a233d51f-5d4c-11e5-9ad8-14dae9d210b8">
<topic>openjpeg -- use-after-free vulnerability</topic>
<affects>
<package>
<name>openjpeg</name>
<range><lt>2.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Feist Josselin reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/550">
<p>Use-after-free was found in openjpeg. The vuln is fixed in
version 2.1.1 and was located in the opj_j2k_write_mco function.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2015/q3/550</url>
<url>https://github.com/uclouvain/openjpeg/issues/563</url>
</references>
<dates>
<discovery>2015-08-14</discovery>
<entry>2015-09-17</entry>
</dates>
</vuln>
<vuln vid="bab05188-5d4b-11e5-9ad8-14dae9d210b8">
<topic>optipng -- use-after-free vulnerability</topic>
<affects>
<package>
<name>optipng</name>
<range><le>0.6.5</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Grieco reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/556">
<p>We found a use-after-free causing an invalid/double free in
optipng 0.6.4.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2015/q3/556</url>
<cvename>CVE-2015-7801</cvename>
</references>
<dates>
<discovery>2015-09-16</discovery>
<entry>2015-09-17</entry>
<modified>2015-10-14</modified>
</dates>
</vuln>
<vuln vid="3c259621-5d4a-11e5-9ad8-14dae9d210b8">
<topic>openslp -- denial of service vulnerability</topic>
<affects>
<package>
<name>openslp</name>
<range><lt>2.0.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Qinghao Tang reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/559">
<p>The function ParseExtension() in openslp 1.2.1 contains a
vulnerability: an attacker can cause a denial of service
(infinite loop) via a packet with crafted "nextoffset"
value and "extid" value.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2015/q3/559</url>
<cvename>CVE-2015-5155</cvename>
</references>
<dates>
<discovery>2015-09-16</discovery>
<entry>2015-09-17</entry>
</dates>
</vuln>
<vuln vid="8f5c9dd6-5cac-11e5-9ad8-14dae9d210b8">
<topic>p7zip -- directory traversal vulnerability</topic>
<affects>
<package>
<name>p7zip</name>
<range><lt>9.38.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Alexander Cherepanov reports:</p>
<blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660">
<p>7z (and 7zr) is susceptible to a directory traversal vulnerability.
While extracting an archive, it will extract symlinks and then follow
them if they are referenced in further entries. This can be exploited by
a rogue archive to write files outside the current directory.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660</url>
<url>http://www.openwall.com/lists/oss-security/2015/01/11/2</url>
<url>http://sourceforge.net/p/p7zip/bugs/147/</url>
<cvename>CVE-2015-1038</cvename>
</references>
<dates>
<discovery>2015-01-05</discovery>
<entry>2015-09-16</entry>
</dates>
</vuln>
<vuln vid="31ea7f73-5c55-11e5-8607-74d02b9a84d5">
<topic>h2o -- directory traversal vulnerability</topic>
<affects>
<package>
<name>h2o</name>
<range><lt>1.4.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Yakuzo reports:</p>
<blockquote cite="https://h2o.examp1e.net/vulnerabilities.html">
<p>H2O (up to version 1.4.4 / 1.5.0-beta1) contains a flaw in its URL
normalization logic.</p>
<p>When the file.dir directive is used, this flaw
allows a remote attacker to retrieve arbitrary files that exist
outside the directory specified by the directive.</p>
<p>H2O version 1.4.5 and version 1.5.0-beta2 have been released
to address this vulnerability.</p>
<p>Users are advised to upgrade their servers immediately.</p>
<p>The vulnerability was reported by: Yusuke OSUMI.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5638</cvename>
<url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5638</url>
</references>
<dates>
<discovery>2015-09-14</discovery>
<entry>2015-09-16</entry>
</dates>
</vuln>
<vuln vid="f4ce64c2-5bd4-11e5-9040-3c970e169bc2">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.3.1,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>ja-wordpress</name>
<name>ru-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samuel Sidler reports:</p>
<blockquote cite="https://wordpress.org/news/2015/09/wordpress-4-3-1/">
<p>WordPress 4.3.1 is now available. This is a security
release for all previous versions and we strongly
encourage you to update your sites immediately.</p>
<ul>
<li>WordPress versions 4.3 and earlier are vulnerable
to a cross-site scripting vulnerability when processing
shortcode tags (CVE-2015-5714). Reported by Shahar Tal
and Netanel Rubin of <a href="http://checkpoint.com/">Check Point</a>.</li>
<li>A separate cross-site scripting vulnerability was found
in the user list table. Reported by Ben Bidner of the
WordPress security team.</li>
<li>Finally, in certain cases, users without proper
permissions could publish private posts and make
them sticky (CVE-2015-5715). Reported by Shahar Tal
and Netanel Rubin of <a href="http://checkpoint.com/">Check Point</a>.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5714</cvename>
<cvename>CVE-2015-5715</cvename>
<cvename>CVE-2015-7989</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/10/28/1</url>
<url>https://wordpress.org/news/2015/09/wordpress-4-3-1/</url>
</references>
<dates>
<discovery>2015-09-15</discovery>
<entry>2015-09-15</entry>
<modified>2015-10-29</modified>
</dates>
</vuln>
<vuln vid="ea893f06-5a92-11e5-98c0-20cf30e32f6d">
<topic>Bugzilla security issues</topic>
<affects>
<package>
<name>bugzilla44</name>
<range><lt>4.4.10</lt></range>
</package>
<package>
<name>bugzilla50</name>
<range><lt>5.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Bugzilla Security Advisory</p>
<blockquote cite="https://www.bugzilla.org/security/4.2.14/">
<p>Login names (usually an email address) longer than 127
characters are silently truncated in MySQL which could
cause the domain name of the email address to be
corrupted. An attacker could use this vulnerability to
create an account with an email address different from the
one originally requested. The login name could then be
automatically added to groups based on the group's regular
expression setting.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4499</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=1202447</url>
</references>
<dates>
<discovery>2015-09-10</discovery>
<entry>2015-09-14</entry>
</dates>
</vuln>
<vuln vid="4910d161-58a4-11e5-9ad8-14dae9d210b8">
<topic>openldap -- denial of service vulnerability</topic>
<affects>
<package>
<name>openldap-server</name>
<range><lt>2.4.42_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Denis Andzakovic reports:</p>
<blockquote cite="http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240">
<p>By sending a crafted packet, an attacker may cause the
OpenLDAP server to reach an assert() statement, crashing the daemon.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240</url>
<url>http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=6fe51a9ab04fd28bbc171da3cf12f1c1040d6629</url>
<cvename>CVE-2015-6908</cvename>
</references>
<dates>
<discovery>2015-09-09</discovery>
<entry>2015-09-12</entry>
<modified>2015-09-13</modified>
</dates>
</vuln>
<vuln vid="a35f415d-572a-11e5-b0a4-f8b156b6dcc8">
<topic>vorbis-tools, opus-tools -- multiple vulnerabilities</topic>
<affects>
<package>
<name>vorbis-tools</name>
<range><lt>1.4.0_10,3</lt></range>
</package>
<package>
<name>opus-tools</name>
<range><lt>0.1.9_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Paris Zoumpouloglou reports:</p>
<blockquote cite="https://trac.xiph.org/ticket/2136">
<p>I discovered an integer overflow issue in oggenc,
related to the number of channels in the input WAV file.
The issue triggers an out-of-bounds memory access which
causes oggenc to crash.</p>
</blockquote>
<p>Paris Zoumpouloglou reports:</p>
<blockquote cite="https://trac.xiph.org/ticket/2136">
<p>A crafted WAV file with the number of channels set to 0
will cause oggenc to crash due to a division by zero
issue.</p>
</blockquote>
<p>pengsu reports:</p>
<blockquote cite="https://trac.xiph.org/ticket/2212">
<p>I discovered a buffer overflow issue in oggenc/audio.c
when it tries to open an invalid aiff file.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/202941</freebsdpr>
<url>https://trac.xiph.org/ticket/2136</url>
<cvename>CVE-2014-9639</cvename>
<url>https://trac.xiph.org/ticket/2137</url>
<cvename>CVE-2014-9638</cvename>
<url>https://trac.xiph.org/ticket/2212</url>
<cvename>CVE-2015-6749</cvename>
</references>
<dates>
<discovery>2015-08-08</discovery>
<entry>2015-09-09</entry>
<modified>2015-09-09</modified>
</dates>
</vuln>
<vuln vid="d76961da-56f6-11e5-934b-002590263bf5">
<topic>pgbouncer -- failed auth_query lookup leads to connection as auth_user</topic>
<affects>
<package>
<name>pgbouncer</name>
<range><eq>1.6.0</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PgBouncer reports:</p>
<blockquote cite="http://pgbouncer.github.io/2015/09/pgbouncer-1-6-1/">
<p>New auth_user functionality introduced in 1.6 allows login as
auth_user when client presents unknown username. It's quite likely
auth_user is superuser. Affects only setups that have enabled
auth_user in their config.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-6817</cvename>
<url>https://pgbouncer.github.io/2015/09/pgbouncer-1-6-1/</url>
<url>https://github.com/pgbouncer/pgbouncer/issues/69</url>
<url>http://www.openwall.com/lists/oss-security/2015/09/04/3</url>
</references>
<dates>
<discovery>2015-09-03</discovery>
<entry>2015-09-09</entry>
</dates>
</vuln>
<vuln vid="3904f759-5659-11e5-a207-6805ca0b3d42">
<topic>phpMyAdmin -- reCaptcha bypass</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><ge>4.4.0</ge><lt>4.4.14.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2015-4/">
<p>This vulnerability makes it possible to complete the reCaptcha test
and subsequently perform a brute force attack to guess user
credentials without having to complete further reCaptcha
tests.</p>
<p>We consider this vulnerability to be non-critical since
reCaptcha is an additional opt-in security measure.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2015-4/</url>
<cvename>CVE-2015-6830</cvename>
</references>
<dates>
<discovery>2015-09-08</discovery>
<entry>2015-09-08</entry>
</dates>
</vuln>
<vuln vid="3d675519-5654-11e5-9ad8-14dae9d210b8">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5</name>
<name>php5-soap</name>
<name>php5-xsl</name>
<range><lt>5.4.45</lt></range>
</package>
<package>
<name>php55</name>
<name>php55-soap</name>
<name>php55-xsl</name>
<range><lt>5.5.29</lt></range>
</package>
<package>
<name>php56</name>
<name>php56-soap</name>
<name>php56-xsl</name>
<range><lt>5.6.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP reports:</p>
<blockquote cite="http://php.net/ChangeLog-5.php#5.4.45">
<ul><li>Core:
<ul>
<li>Fixed bug #70172 (Use After Free Vulnerability in unserialize()).</li>
<li>Fixed bug #70219 (Use after free vulnerability in session deserializer).</li>
</ul></li>
<li>EXIF:
<ul>
<li>Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes).</li>
</ul></li>
<li>hash:
<ul>
<li>Fixed bug #70312 (HAVAL gives wrong hashes in specific cases).</li>
</ul></li>
<li>PCRE:
<ul>
<li>Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions).</li>
</ul></li>
<li>SOAP:
<ul>
<li>Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE).</li>
</ul></li>
<li>SPL:
<ul>
<li>Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage).</li>
<li>Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList).</li>
</ul></li>
<li>XSLT:
<ul>
<li>Fixed bug #69782 (NULL pointer dereference).</li>
</ul></li>
<li>ZIP:
<ul>
<li>Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories).</li>
</ul></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://php.net/ChangeLog-5.php#5.4.45</url>
<url>http://php.net/ChangeLog-5.php#5.5.29</url>
<url>http://php.net/ChangeLog-5.php#5.6.13</url>
<cvename>CVE-2015-6834</cvename>
<cvename>CVE-2015-6835</cvename>
<cvename>CVE-2015-6836</cvename>
<cvename>CVE-2015-6837</cvename>
<cvename>CVE-2015-6838</cvename>
</references>
<dates>
<discovery>2015-09-03</discovery>
<entry>2015-09-08</entry>
<modified>2015-09-08</modified>
</dates>
</vuln>
<vuln vid="d68df01b-564e-11e5-9ad8-14dae9d210b8">
<topic>ganglia-webfrontend -- auth bypass</topic>
<affects>
<package>
<name>ganglia-webfrontend</name>
<range><lt>3.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ivan Novikov reports:</p>
<blockquote cite="https://github.com/ganglia/ganglia-web/issues/267">
<p>It's easy to bypass auth by using boolean serialization...</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/ganglia/ganglia-web/issues/267</url>
<cvename>CVE-2015-6816</cvename>
</references>
<dates>
<discovery>2015-09-04</discovery>
<entry>2015-09-08</entry>
<modified>2015-09-08</modified>
</dates>
</vuln>
<vuln vid="9bdd8eb5-564a-11e5-9ad8-14dae9d210b8">
<topic>wireshark -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wireshark</name>
<name>wireshark-lite</name>
<name>wireshark-qt5</name>
<name>tshark</name>
<name>tshark-lite</name>
<range><lt>1.12.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark development team reports:</p>
<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-1.12.7.html">
<p>The following vulnerabilities have been fixed.</p>
<ul>
<li><p>wnpa-sec-2015-21</p>
<p>Protocol tree crash. (Bug 11309)</p></li>
<li><p>wnpa-sec-2015-22</p>
<p>Memory manager crash. (Bug 11373)</p></li>
<li><p>wnpa-sec-2015-23</p>
<p>Dissector table crash. (Bug 11381)</p></li>
<li><p>wnpa-sec-2015-24</p>
<p>ZigBee crash. (Bug 11389)</p></li>
<li><p>wnpa-sec-2015-25</p>
<p>GSM RLC/MAC infinite loop. (Bug 11358)</p></li>
<li><p>wnpa-sec-2015-26</p>
<p>WaveAgent crash. (Bug 11358)</p></li>
<li><p>wnpa-sec-2015-27</p>
<p>OpenFlow infinite loop. (Bug 11358)</p></li>
<li><p>wnpa-sec-2015-28</p>
<p>Ptvcursor crash. (Bug 11358)</p></li>
<li><p>wnpa-sec-2015-29</p>
<p>WCCP crash. (Bug 11358)</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://www.wireshark.org/docs/relnotes/wireshark-1.12.7.html</url>
<cvename>CVE-2015-6241</cvename>
<cvename>CVE-2015-6242</cvename>
<cvename>CVE-2015-6243</cvename>
<cvename>CVE-2015-6244</cvename>
<cvename>CVE-2015-6245</cvename>
<cvename>CVE-2015-6246</cvename>
<cvename>CVE-2015-6247</cvename>
<cvename>CVE-2015-6248</cvename>
<cvename>CVE-2015-6249</cvename>
</references>
<dates>
<discovery>2015-08-12</discovery>
<entry>2015-09-08</entry>
<modified>2015-09-08</modified>
</dates>
</vuln>
<vuln vid="98092444-5645-11e5-9ad8-14dae9d210b8">
<topic>screen -- stack overflow</topic>
<affects>
<package>
<name>screen</name>
<range><lt>4.3.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Kuang-che Wu reports:</p>
<blockquote cite="https://savannah.gnu.org/bugs/?45713">
<p>screen will recursively call MScrollV to depth n/256. This
is time consuming and will overflow stack if n is huge.</p>
</blockquote>
</body>
</description>
<references>
<url>https://savannah.gnu.org/bugs/?45713</url>
<cvename>CVE-2015-6806</cvename>
</references>
<dates>
<discovery>2015-08-07</discovery>
<entry>2015-09-08</entry>
</dates>
</vuln>
<vuln vid="b5e654c3-5644-11e5-9ad8-14dae9d210b8">
<topic>libvncserver -- memory corruption</topic>
<affects>
<package>
<name>libvncserver</name>
<range><lt>0.9.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Petr Pisar reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=706087">
<p>libvncserver/tight.c:rfbTightCleanup() frees a buffer without zeroing freed pointer.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=706087</url>
<url>https://github.com/LibVNC/libvncserver/commit/804335f9d296440bb708ca844f5d89b58b50b0c6</url>
</references>
<dates>
<discovery>2011-05-19</discovery>
<entry>2015-09-08</entry>
</dates>
</vuln>
<vuln vid="ed0ecad5-531d-11e5-9850-bcaec565249c">
<topic>gdk-pixbuf2 -- integer overflows</topic>
<affects>
<package>
<name>gdk-pixbuf2</name>
<range><lt>2.31.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Clasen reports:</p>
<blockquote cite="https://mail.gnome.org/archives/ftp-release-list/2015-September/msg00013.html">
<p>Fix several integer overflows.</p>
</blockquote>
</body>
</description>
<references>
<url>https://mail.gnome.org/archives/ftp-release-list/2015-September/msg00013.html</url>
</references>
<dates>
<discovery>2015-09-01</discovery>
<entry>2015-09-04</entry>
</dates>
</vuln>
<vuln vid="2c5e7e23-5248-11e5-9ad8-14dae9d210b8">
<topic>bind -- denial of service vulnerability</topic>
<affects>
<package>
<name>bind99</name>
<range><ge>9.9.7</ge><lt>9.9.7P3</lt></range>
</package>
<package>
<name>bind910</name>
<range><lt>9.10.2P4</lt></range>
</package>
<package>
<name>bind910-base</name>
<name>bind99-base</name>
<range><gt>0</gt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://www.isc.org/blogs/cve-2015-5986-an-incorrect-boundary-check-can-trigger-a-require-assertion-failure-in-openpgpkey_61-c/">
<p>An incorrect boundary check in openpgpkey_61.c can cause
named to terminate due to a REQUIRE assertion failure. This defect can
be deliberately exploited by an attacker who can provide a maliciously
constructed response in answer to a query.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.isc.org/blogs/cve-2015-5986-an-incorrect-boundary-check-can-trigger-a-require-assertion-failure-in-openpgpkey_61-c/</url>
<cvename>CVE-2015-5986</cvename>
</references>
<dates>
<discovery>2015-08-19</discovery>
<entry>2015-09-03</entry>
</dates>
</vuln>
<vuln vid="eaf3b255-5245-11e5-9ad8-14dae9d210b8">
<topic>bind -- denial of service vulnerability</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.7P3</lt></range>
</package>
<package>
<name>bind910</name>
<range><ge>9.10.2</ge><lt>9.10.2P4</lt></range>
</package>
<package>
<name>bind910-base</name>
<name>bind99-base</name>
<range><gt>0</gt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>9.3</ge><lt>9.3_25</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://www.isc.org/blogs/cve-2015-5722-parsing-malformed-keys-may-cause-bind-to-exit-due-to-a-failed-assertion-in-buffer-c/">
<p>Parsing a malformed DNSSEC key can cause a validating
resolver to exit due to a failed assertion in buffer.c. It is possible
for a remote attacker to deliberately trigger this condition, for
example by using a query which requires a response from a zone
containing a deliberately malformed key.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.isc.org/blogs/cve-2015-5722-parsing-malformed-keys-may-cause-bind-to-exit-due-to-a-failed-assertion-in-buffer-c/</url>
<cvename>CVE-2015-5722</cvename>
<freebsdsa>SA-15:23.bind</freebsdsa>
</references>
<dates>
<discovery>2015-08-19</discovery>
<entry>2015-09-03</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="a9350df8-5157-11e5-b5c1-e8e0b747a45a">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>45.0.2454.85</lt></range>
</package>
<package>
<!--pcbsd-->
<name>chromium-npapi</name>
<range><lt>45.0.2454.85</lt></range>
</package>
<package>
<!--pcbsd-->
<name>chromium-pulse</name>
<range><lt>45.0.2454.85</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl">
<p>29 security fixes in this release, including:</p>
<ul>
<li>[516377] High CVE-2015-1291: Cross-origin bypass in DOM. Credit
to anonymous.</li>
<li>[522791] High CVE-2015-1292: Cross-origin bypass in
ServiceWorker. Credit to Mariusz Mlynski.</li>
<li>[524074] High CVE-2015-1293: Cross-origin bypass in DOM. Credit
to Mariusz Mlynski.</li>
<li>[492263] High CVE-2015-1294: Use-after-free in Skia. Credit
to cloudfuzzer.</li>
<li>[502562] High CVE-2015-1295: Use-after-free in Printing. Credit
to anonymous.</li>
<li>[421332] High CVE-2015-1296: Character spoofing in omnibox.
Credit to zcorpan.</li>
<li>[510802] Medium CVE-2015-1297: Permission scoping error in
Webrequest. Credit to Alexander Kashev.</li>
<li>[518827] Medium CVE-2015-1298: URL validation error in
extensions. Credit to Rob Wu.</li>
<li>[416362] Medium CVE-2015-1299: Use-after-free in Blink. Credit
to taro.suzuki.dev.</li>
<li>[511616] Medium CVE-2015-1300: Information leak in Blink. Credit
to cgvwzq.</li>
<li>[526825] CVE-2015-1301: Various fixes from internal audits,
fuzzing and other initiatives.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1291</cvename>
<cvename>CVE-2015-1292</cvename>
<cvename>CVE-2015-1293</cvename>
<cvename>CVE-2015-1294</cvename>
<cvename>CVE-2015-1295</cvename>
<cvename>CVE-2015-1296</cvename>
<cvename>CVE-2015-1297</cvename>
<cvename>CVE-2015-1298</cvename>
<cvename>CVE-2015-1299</cvename>
<cvename>CVE-2015-1300</cvename>
<cvename>CVE-2015-1301</cvename>
<url>http://googlechromereleases.blogspot.nl</url>
</references>
<dates>
<discovery>2015-09-01</discovery>
<entry>2015-09-02</entry>
</dates>
</vuln>
<vuln vid="55c43f5b-5190-11e5-9ad8-14dae9d210b8">
<topic>powerdns -- denial of service</topic>
<affects>
<package>
<name>powerdns</name>
<range><ge>3.4.0</ge><lt>3.4.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PowerDNS reports:</p>
<blockquote cite="https://doc.powerdns.com/md/security/powerdns-advisory-2015-02/">
<p>A bug was found in our DNS packet parsing/generation code,
which, when exploited, can cause individual threads (disabling service)
or whole processes (allowing a supervisor to restart them) to crash with
just one or a few query packets.</p>
</blockquote>
</body>
</description>
<references>
<url>https://doc.powerdns.com/md/security/powerdns-advisory-2015-02/</url>
<cvename>CVE-2015-5230</cvename>
</references>
<dates>
<discovery>2015-09-02</discovery>
<entry>2015-09-02</entry>
</dates>
</vuln>
<vuln vid="fc1f6658-4f53-11e5-934b-002590263bf5">
<topic>ghostscript -- denial of service (crash) via crafted Postscript files</topic>
<affects>
<package>
<name>ghostscript7</name>
<name>ghostscript7-nox11</name>
<name>ghostscript7-base</name>
<name>ghostscript7-x11</name>
<range><lt>7.07_32</lt></range>
</package>
<package>
<name>ghostscript8</name>
<name>ghostscript8-nox11</name>
<name>ghostscript8-base</name>
<name>ghostscript8-x11</name>
<range><lt>8.71_19</lt></range>
</package>
<package>
<name>ghostscript9</name>
<name>ghostscript9-nox11</name>
<name>ghostscript9-base</name>
<name>ghostscript9-x11</name>
<range><lt>9.06_11</lt></range>
</package>
<package>
<name>ghostscript9-agpl</name>
<name>ghostscript9-agpl-nox11</name>
<range><lt>9.15_2</lt></range>
</package>
<package>
<name>ghostscript9-agpl-base</name>
<name>ghostscript9-agpl-x11</name>
<range><lt>9.16_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3228">
<p>Integer overflow in the gs_heap_alloc_bytes function in
base/gsmalloc.c in Ghostscript 9.15 and earlier allows remote
attackers to cause a denial of service (crash) via a crafted
Postscript (ps) file, as demonstrated by using the ps2pdf command,
which triggers an out-of-bounds read or write.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3228</cvename>
<url>http://bugs.ghostscript.com/show_bug.cgi?id=696041</url>
<url>http://bugs.ghostscript.com/show_bug.cgi?id=696070</url>
<url>http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0c0b0859</url>
</references>
<dates>
<discovery>2015-06-17</discovery>
<entry>2015-09-01</entry>
<modified>2015-09-02</modified>
</dates>
</vuln>
<vuln vid="80c66af0-d1c5-449e-bd31-63b12525ff88">
<topic>ffmpeg -- out-of-bounds array access</topic>
<affects>
<package>
<name>libav</name>
<range><ge>11.0</ge><lt>11.4</lt></range>
<range><lt>10.7</lt></range>
</package>
<package>
<name>gstreamer1-libav</name>
<!-- gst-libav-1.4.5 has libav-10.5 -->
<range><lt>1.5.1</lt></range>
</package>
<package>
<name>handbrake</name>
<!-- handbrake prior to 1.2.0 has libav-10.1 -->
<!-- backend library has been switched from libav to ffmpeg since 1.2.0 -->
<range><lt>1.2.0</lt></range>
</package>
<package>
<name>ffmpeg</name>
<range><ge>2.2.0,1</ge><lt>2.2.15,1</lt></range>
<range><lt>2.0.7,1</lt></range>
</package>
<package>
<name>ffmpeg26</name>
<range><lt>2.6.2</lt></range>
</package>
<package>
<name>ffmpeg25</name>
<range><lt>2.5.6</lt></range>
</package>
<package>
<name>ffmpeg24</name>
<range><lt>2.4.8</lt></range>
</package>
<package>
<name>ffmpeg23</name>
<!-- just in case: f7e1367 wasn't cherry-picked -->
<!-- no known fixed version -->
<range><ge>0</ge></range>
</package>
<package>
<name>ffmpeg1</name>
<!-- just in case: f7e1367 wasn't cherry-picked -->
<!-- no known fixed version -->
<range><ge>0</ge></range>
</package>
<package>
<name>avidemux</name>
<name>avidemux26</name>
<!-- avidemux-2.6.10 has ffmpeg-2.6.1 -->
<range><lt>2.6.11</lt></range>
</package>
<package>
<name>kodi</name>
<!-- kodi-14.2 has ffmpeg-2.4.6 -->
<range><lt>15.1</lt></range>
</package>
<package>
<name>mplayer</name>
<name>mencoder</name>
<!-- mplayer-1.1.r20141223 has ffmpeg-2.5.1+ (snapshot, 03b84f2) -->
<range><lt>1.1.r20150403</lt></range>
</package>
<package>
<name>mythtv</name>
<name>mythtv-frontend</name>
<!-- mythtv-0.27.0.20140121 has ffmpeg-1.2.2+ (snapshot, f9c8726) -->
<range><le>0.27.5,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3395">
<p>The msrle_decode_pal4 function in msrledec.c in Libav
before 10.7 and 11.x before 11.4 and FFmpeg before 2.0.7,
2.2.x before 2.2.15, 2.4.x before 2.4.8, 2.5.x before 2.5.6,
and 2.6.x before 2.6.2 allows remote attackers to have
unspecified impact via a crafted image, related to a pixel
pointer, which triggers an out-of-bounds array access.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3395</cvename>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f7e1367f58263593e6cee3c282f7277d7ee9d553</url>
<url>https://git.libav.org/?p=libav.git;a=commit;h=5ecabd3c54b7c802522dc338838c9a4c2dc42948</url>
<url>https://ffmpeg.org/security.html</url>
<url>https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.4</url>
</references>
<dates>
<discovery>2015-04-12</discovery>
<entry>2015-09-01</entry>
<modified>2018-03-25</modified>
</dates>
</vuln>
<vuln vid="da434a78-e342-4d9a-87e2-7497e5f117ba">
<topic>ffmpeg -- use-after-free</topic>
<affects>
<package>
<name>libav</name>
<range><ge>11.0</ge><lt>11.4</lt></range>
<range><lt>10.7</lt></range>
</package>
<package>
<name>gstreamer1-libav</name>
<!-- gst-libav-1.4.5 has libav-10.5 -->
<range><lt>1.5.0</lt></range>
</package>
<package>
<name>handbrake</name>
<!-- handbrake prior to 1.2.0 has libav-10.1 -->
<!-- backend library has been switched from libav to ffmpeg since 1.2.0 -->
<range><lt>1.2.0</lt></range>
</package>
<package>
<name>ffmpeg</name>
<range><ge>2.2.0,1</ge><lt>2.2.12,1</lt></range>
<range><ge>2.1.0,1</ge><lt>2.1.7,1</lt></range>
<range><lt>2.0.7,1</lt></range>
</package>
<package>
<name>ffmpeg25</name>
<range><lt>2.5.2</lt></range>
</package>
<package>
<name>ffmpeg24</name>
<range><lt>2.4.5</lt></range>
</package>
<package>
<name>ffmpeg23</name>
<range><lt>2.3.6</lt></range>
</package>
<package>
<name>ffmpeg1</name>
<range><lt>1.2.11</lt></range>
</package>
<package>
<name>mythtv</name>
<name>mythtv-frontend</name>
<!-- mythtv-0.27.0.20140121 has ffmpeg-1.2.2+ (snapshot, f9c8726) -->
<range><le>0.27.5,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3417">
<p>Use-after-free vulnerability in the ff_h264_free_tables
function in libavcodec/h264.c in FFmpeg before 2.3.6 allows
remote attackers to cause a denial of service or possibly
have unspecified other impact via crafted H.264 data in an
MP4 file, as demonstrated by an HTML VIDEO element that
references H.264 data.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3417</cvename>
<!-- ffmpeg and libav fixes are different -->
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=e8714f6f93d1a32f4e4655209960afcf4c185214</url>
<url>https://git.libav.org/?p=libav.git;a=commitdiff;h=3b69f245dbe6e2016659a45c4bfe284f6c5ac57e</url>
<url>https://ffmpeg.org/security.html</url>
<url>https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.4</url>
</references>
<dates>
<discovery>2014-12-19</discovery>
<entry>2015-09-01</entry>
<modified>2018-03-25</modified>
</dates>
</vuln>
<vuln vid="5300711b-4e61-11e5-9ad8-14dae9d210b8">
<topic>graphviz -- format string vulnerability</topic>
<affects>
<package>
<name>graphviz</name>
<range><lt>2.38.0_7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Joshua Rogers reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2014/q4/784">
<p>A format string vulnerability has been found in `graphviz'.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2014/q4/784</url>
<url>https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081</url>
</references>
<dates>
<discovery>2014-11-24</discovery>
<entry>2015-08-29</entry>
</dates>
</vuln>
<vuln vid="237a201c-888b-487f-84d3-7d92266381d6">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>40.0.3,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>40.0.3,1</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>38.2.1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/">
<p>MFSA 2015-95 Add-on notification bypass through data URLs</p>
<p>MFSA 2015-94 Use-after-free when resizing canvas element
during restyling</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4497</cvename>
<cvename>CVE-2015-4498</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-94/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-95/</url>
</references>
<dates>
<discovery>2015-08-27</discovery>
<entry>2015-08-28</entry>
</dates>
</vuln>
<vuln vid="4464212e-4acd-11e5-934b-002590263bf5">
<topic>go -- multiple vulnerabilities</topic>
<affects>
<package>
<name>go</name>
<range><lt>1.4.3,1</lt></range>
</package>
<package>
<name>go14</name>
<range><lt>1.4.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jason Buberel, Go Product Manager, reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/237">
<p>CVE-2015-5739 - "Content Length" treated as valid header</p>
<p>CVE-2015-5740 - Double content-length headers do not return a 400
error</p>
<p>CVE-2015-5741 - Additional hardening, not sending Content-Length
w/Transfer-Encoding, Closing connections</p>
</blockquote>
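<p>As an added Python example, not code from the Go project, the validator below applies the three rules these fixes describe to a raw request head: header names must be RFC 7230 tokens (so "Content Length" with a space is refused instead of being skipped as an unknown header), more than one Content-Length header is refused, and Content-Length sent together with Transfer-Encoding is refused. Function names and the sample request heads are constructed for illustration, not captured traffic.</p>

```python
"""Strict HTTP/1.1 request-head checks.

Added example, not code from the Go project: it parses a raw request head
and answers 400 for a header name that is not a valid token (so
"Content Length" with a space is rejected rather than ignored), for more
than one Content-Length, and for Content-Length combined with
Transfer-Encoding.  The sample requests are constructed, not captured.
"""
import string

# RFC 7230 "tchar": the characters allowed in a header field name.
# The ampersand is added via chr(38) so the listing stays plain text.
_TCHAR = set("!#$%'*+-.^_`|~" + chr(38) + string.ascii_letters + string.digits)


class BadRequest(ValueError):
    """The request head must be refused with a 400 response."""


def parse_request_head(raw):
    """Split raw bytes into (request_line, [(lowercased_name, value), ...]).

    raw must contain the CRLF CRLF that terminates the head; anything after
    it is body and is ignored here.  A field name containing whitespace or
    any other non-token character is an error, never a near miss that is
    silently dropped.
    """
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise BadRequest("non-ASCII bytes in request head")
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        raise BadRequest("request head not terminated by an empty line")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or not all(c in _TCHAR for c in name):
            raise BadRequest("malformed header field: %r" % line)
        headers.append((name.lower(), value.strip()))
    return lines[0], headers


def body_length(headers):
    """Decide how the body is framed from the parsed headers.

    Returns an int for a Content-Length body, None for a chunked body and
    0 when no body is declared.  Raises BadRequest when the framing is
    ambiguous, which is exactly what request smuggling exploits: two
    Content-Length values (identical ones are refused too, stricter than
    RFC 7230 demands), a non-numeric value, or Content-Length combined
    with Transfer-Encoding.
    """
    lengths = [v for n, v in headers if n == "content-length"]
    chunked = any(n == "transfer-encoding" for n, _v in headers)
    if lengths and chunked:
        raise BadRequest("Content-Length together with Transfer-Encoding")
    if not lengths:
        return None if chunked else 0
    if len(lengths) != 1:
        raise BadRequest("multiple Content-Length headers")
    if not lengths[0].isdigit():
        raise BadRequest("non-numeric Content-Length: %r" % lengths[0])
    return int(lengths[0])


def framing_for(raw):
    """Return ("ok", length) for an acceptable head or ("400", reason)."""
    try:
        _request_line, headers = parse_request_head(raw)
        return "ok", body_length(headers)
    except BadRequest as exc:
        return "400", str(exc)


# Constructed sample request heads, one per rule.
SAMPLES = {
    "clean": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\n\r\nhello",
    "chunked": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "space_in_name": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                     b"Content Length: 5\r\n\r\nhello",
    "double_length": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                     b"Content-Length: 5\r\nContent-Length: 50\r\n\r\nhello",
    "cl_and_te": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print("%-14s %s" % (label, framing_for(raw)))
```

<p>The point of refusing rather than guessing is that a front-end proxy and the Go server behind it may otherwise pick different framings for the same bytes, and the leftover bytes become the start of a second, attacker-controlled request on the shared connection.</p>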
</body>
</description>
<references>
<cvename>CVE-2015-5739</cvename>
<cvename>CVE-2015-5740</cvename>
<cvename>CVE-2015-5741</cvename>
<url>https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9</url>
<url>https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e</url>
<url>https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f</url>
<url>http://seclists.org/oss-sec/2015/q3/237</url>
</references>
<dates>
<discovery>2015-07-29</discovery>
<entry>2015-08-25</entry>
</dates>
</vuln>
<vuln vid="40497e81-fee3-4e54-9d5f-175a5c633b73">
<topic>libtremor -- memory corruption</topic>
<affects>
<package>
<name>libtremor</name>
<range><lt>1.2.0.s20120120</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2012-07/">
<p>Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative the possibility of memory
corruption during the decoding of Ogg Vorbis files. This can
cause a crash during decoding and has the potential for
remote code execution.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0444</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=719612</url>
<url>https://git.xiph.org/?p=tremor.git;a=commitdiff;h=3daa274</url>
</references>
<dates>
<discovery>2012-01-31</discovery>
<entry>2015-08-25</entry>
<modified>2015-08-25</modified>
</dates>
</vuln>
<vuln vid="3dac84c9-bce1-4199-9784-d68af1eb7b2e">
<topic>libtremor -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libtremor</name>
<range><lt>1.2.0.s20101013</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The RedHat Project reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=438125">
<p>Will Drewry of the Google Security Team reported multiple
issues in OGG Vorbis and Tremor libraries, that could cause
application using those libraries to crash (NULL pointer
dereference or divide by zero), enter an infinite loop or
cause heap overflow caused by integer overflow.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-1418</cvename>
<cvename>CVE-2008-1419</cvename>
<cvename>CVE-2008-1420</cvename>
<cvename>CVE-2008-1423</cvename>
<cvename>CVE-2008-2009</cvename>
<url>http://redpig.dataspill.org/2008/05/multiple-vulnerabilities-in-ogg-tremor.html</url>
<url>https://git.xiph.org/?p=tremor.git;a=commitdiff;h=7e94eea</url>
<url>https://git.xiph.org/?p=tremor.git;a=commitdiff;h=1d1f93e</url>
<url>https://git.xiph.org/?p=tremor.git;a=commitdiff;h=159efc4</url>
</references>
<dates>
<discovery>2008-03-19</discovery>
<entry>2015-08-25</entry>
<modified>2015-08-25</modified>
</dates>
</vuln>
<vuln vid="6900e6f1-4a79-11e5-9ad8-14dae9d210b8">
<topic>pcre -- heap overflow vulnerability</topic>
<affects>
<package>
<name>pcre</name>
<range><lt>8.37_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Guanxing Wen reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/295">
<p>PCRE library is prone to a vulnerability which leads to
Heap Overflow.
During the compilation of a malformed regular expression, more data is
written on the malloced block than the expected size output by
compile_regex().
The Heap Overflow vulnerability is caused by the following regular
expression.</p>
<p>/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/</p>
<p>A dry run of this particular regular expression with pcretest will
report "double free or corruption (!prev)".
But it is actually a heap overflow problem.
The overflow only affects pcre 8.x branch, pcre2 branch is not affected.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2015/q3/295</url>
<url>https://bugs.exim.org/show_bug.cgi?id=1672</url>
</references>
<dates>
<discovery>2015-08-21</discovery>
<entry>2015-08-24</entry>
</dates>
</vuln>
<vuln vid="9393213d-489b-11e5-b8c7-d050996490d0">
<topic>drupal -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal6</name>
<range><lt>6.37</lt></range>
</package>
<package>
<name>drupal7</name>
<range><lt>7.39</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal development team reports:</p>
<blockquote cite="https://www.drupal.org/SA-CORE-2015-003">
<p>This security advisory fixes multiple vulnerabilities.
See below for a list.</p>
<h3>Cross-site Scripting - Ajax system - Drupal 7</h3>
<p>A vulnerability was found that allows a malicious
user to perform a cross-site scripting attack by
invoking Drupal.ajax() on a whitelisted HTML element.</p>
<p>This vulnerability is mitigated on sites that do not
allow untrusted users to enter HTML.</p>
<h3>Cross-site Scripting - Autocomplete system - Drupal 6 and 7</h3>
<p>A cross-site scripting vulnerability was found in
the autocomplete functionality of forms. The
requested URL is not sufficiently sanitized.</p>
<p>This vulnerability is mitigated by the fact that
the malicious user must be allowed to upload files.</p>
<h3>SQL Injection - Database API - Drupal 7</h3>
<p>A vulnerability was found in the SQL comment
filtering system which could allow a user with
elevated permissions to inject malicious code in
SQL comments.</p>
<p>This vulnerability is mitigated by the fact that
only one contributed module that the security team
found uses the comment filtering system in a way
that would trigger the vulnerability. That module
requires you to have a very high level of access
in order to perform the attack.</p>
<h3>Cross-site Request Forgery - Form API - Drupal 6 and 7</h3>
<p>A vulnerability was discovered in Drupal's form API
that could allow file upload value callbacks to run
with untrusted input, due to form token validation
not being performed early enough. This vulnerability
could allow a malicious user to upload files to the
site under another user's account.</p>
<p>This vulnerability is mitigated by the fact that
the uploaded files would be temporary, and Drupal
normally deletes temporary files automatically
after 6 hours.</p>
<h3>Information Disclosure in Menu Links - Access system - Drupal 6 and 7</h3>
<p>Users without the "access content" permission
can see the titles of nodes that they do not have
access to, if the nodes are added to a menu on the
site that the users have access to.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.drupal.org/SA-CORE-2015-003</url>
</references>
<dates>
<discovery>2015-08-19</discovery>
<entry>2015-08-22</entry>
</dates>
</vuln>
<vuln vid="2920c449-4850-11e5-825f-c80aa9043978">
<topic>OpenSSH -- PAM vulnerabilities</topic>
<affects>
<package>
<name>openssh-portable</name>
<range><lt>7.0.p1,1</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.2</ge><lt>10.2_2</lt></range>
<range><ge>10.1</ge><lt>10.1_19</lt></range>
<range><ge>9.3</ge><lt>9.3_24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://www.openssh.com/txt/release-7.0">
<p>OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable.
Local attackers may be able to write arbitrary messages to
logged-in users, including terminal escape sequences. Reported
by Nikolay Edigaryev.</p>
<p>Fixed a privilege separation
weakness related to PAM support. Attackers who could successfully
compromise the pre-authentication process for remote code
execution and who had valid credentials on the host could
impersonate other users.</p>
<p>Fixed a use-after-free bug
related to PAM support that was reachable by attackers who could
compromise the pre-authentication process for remote code
execution.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openssh.com/txt/release-7.0</url>
<cvename>CVE-2015-6563</cvename>
<cvename>CVE-2015-6564</cvename>
<cvename>CVE-2015-6565</cvename>
<freebsdsa>SA-15:22.openssh</freebsdsa>
</references>
<dates>
<discovery>2015-08-11</discovery>
<entry>2015-08-21</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="27fed73e-484f-11e5-825f-c80aa9043978">
<topic>OpenSSH -- PermitRootLogin may allow password connections with 'without-password'</topic>
<affects>
<package>
<name>openssh-portable</name>
<range><eq>7.0.p1,1</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://www.openssh.com/txt/release-7.1">
<p>OpenSSH 7.0 contained a logic error in PermitRootLogin=
prohibit-password/without-password that could, depending on
compile-time configuration, permit password authentication to
root while preventing other forms of authentication. This problem
was reported by Mantas Mikulenas.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openssh.com/txt/release-7.1</url>
</references>
<dates>
<discovery>2015-08-20</discovery>
<entry>2015-08-21</entry>
</dates>
</vuln>
<vuln vid="2fe40238-480f-11e5-adde-14dae9d210b8">
<topic>tarsnap -- buffer overflow and local DoS</topic>
<affects>
<package>
<name>tarsnap</name>
<range><lt>1.0.36</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Colin Percival reports:</p>
<blockquote cite="http://mail.tarsnap.com/tarsnap-announce/msg00032.html">
<p>1. SECURITY FIX: When constructing paths of objects being archived, a buffer
could overflow by one byte upon encountering 1024, 2048, 4096, etc. byte
paths. Theoretically this could be exploited by an unprivileged user whose
files are being archived; I do not believe it is exploitable in practice,
but I am offering a $1000 bounty for the first person who can prove me wrong:
http://www.daemonology.net/blog/2015-08-21-tarsnap-1000-exploit-bounty.html</p>
<p>2. SECURITY FIX: An attacker with a machine's write keys, or with read keys
and control of the tarsnap service, could make tarsnap allocate a large
amount of memory upon listing archives or reading an archive the attacker
created; on 32-bit machines, tarsnap can be caused to crash under the
aforementioned conditions.</p>
</blockquote>
</body>
</description>
<references>
<url>http://mail.tarsnap.com/tarsnap-announce/msg00032.html</url>
<url>http://www.daemonology.net/blog/2015-08-21-tarsnap-1000-exploit-bounty.html</url>
</references>
<dates>
<discovery>2015-08-21</discovery>
<entry>2015-08-21</entry>
</dates>
</vuln>
<vuln vid="a0a4e24c-4760-11e5-9391-3c970e169bc2">
<topic>vlc -- arbitrary pointer dereference vulnerability</topic>
<affects>
<package>
<name>vlc</name>
<range><lt>2.2.1_5,4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>oCERT reports:</p>
<blockquote cite="https://www.ocert.org/advisories/ocert-2015-009.html">
<p>The stable VLC version suffers from an arbitrary pointer
dereference vulnerability.</p>
<p>The vulnerability affects the 3GP file format parser,
insufficient restrictions on a writable buffer can be
exploited to execute arbitrary code via the heap memory.
A specific 3GP file can be crafted to trigger the
vulnerability.</p>
<p>Credit: vulnerability reported by Loren Maggiore of
Trail of Bits.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5949</cvename>
<url>https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=ce91452460a75d7424b165c4dc8db98114c3cbd9;hp=9e12195d3e4316278af1fa4bcb6a705ff27456fd</url>
<url>https://www.ocert.org/advisories/ocert-2015-009.html</url>
</references>
<dates>
<discovery>2015-08-20</discovery>
<entry>2015-08-20</entry>
</dates>
</vuln>
<vuln vid="9a71953a-474a-11e5-adde-14dae9d210b8">
<topic>libpgf -- use-after-free</topic>
<affects>
<package>
<name>libpgf</name>
<range><le>6.14.12</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Pengsu Cheng reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/404">
<p>A use-after-free issue in Decoder.cpp was reported to
upstream. The problem is due to lack of validation of ColorTableSize.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2015/q3/404</url>
<url>https://sourceforge.net/p/libpgf/code/147/</url>
<url>https://sourceforge.net/p/libpgf/code/148/</url>
<cvename>CVE-2015-6673</cvename>
</references>
<dates>
<discovery>2015-08-08</discovery>
<entry>2015-08-20</entry>
<modified>2015-08-26</modified>
</dates>
</vuln>
<vuln vid="f5b8b670-465c-11e5-a49d-bcaec565249c">
<topic>gdk-pixbuf2 -- heap overflow and DoS</topic>
<affects>
<package>
<name>gdk-pixbuf2</name>
<range><lt>2.31.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Grieco reports:</p>
<blockquote cite="https://bugzilla.gnome.org/show_bug.cgi?id=752297">
<p>We found a heap overflow and a DoS in the gdk-pixbuf
implementation triggered by the scaling of a malformed bmp.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4491</cvename>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=752297</url>
</references>
<dates>
<discovery>2015-07-12</discovery>
<entry>2015-08-19</entry>
</dates>
</vuln>
<vuln vid="b0e54dc1-45d2-11e5-adde-14dae9d210b8">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py27-django</name>
<name>py32-django</name>
<name>py33-django</name>
<name>py34-django</name>
<range><lt>1.8.4</lt></range>
</package>
<package>
<name>py27-django17</name>
<name>py32-django17</name>
<name>py33-django17</name>
<name>py34-django17</name>
<range><lt>1.7.10</lt></range>
</package>
<package>
<name>py27-django14</name>
<name>py32-django14</name>
<name>py33-django14</name>
<name>py34-django14</name>
<range><lt>1.4.22</lt></range>
</package>
<package>
<name>py27-django-devel</name>
<name>py32-django-devel</name>
<name>py33-django-devel</name>
<name>py34-django-devel</name>
<range><le>20150709,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tim Graham reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2015/aug/18/security-releases/">
<p>Denial-of-service possibility in logout() view by filling
session store</p>
<p>Previously, a session could be created when anonymously
accessing the django.contrib.auth.views.logout view
(provided it wasn't decorated with django.contrib.auth.decorators.login_required
as done in the admin). This could allow an attacker to
easily create many new session records by sending repeated
requests, potentially filling up the session store or
causing other users' session records to be evicted.</p>
<p>The django.contrib.sessions.middleware.SessionMiddleware
has been modified to no longer create empty session records.</p>
<p>This portion of the fix has been assigned CVE-2015-5963.</p>
<p>Additionally, on the 1.4 and 1.7 series only, the
contrib.sessions.backends.base.SessionBase.flush() and
cache_db.SessionStore.flush() methods have been modified
to avoid creating a new empty session. Maintainers of
third-party session backends should check if the same
vulnerability is present in their backend and correct
it if so.</p>
<p>This portion of the fix has been assigned CVE-2015-5964.
Anyone reporting a similar vulnerability in a third-party
session backend should not use this CVE ID.</p>
<p>Thanks Lin Hua Cheng for reporting the issue.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.djangoproject.com/weblog/2015/aug/18/security-releases/</url>
<cvename>CVE-2015-5963</cvename>
<cvename>CVE-2015-5964</cvename>
</references>
<dates>
<discovery>2015-08-18</discovery>
<entry>2015-08-18</entry>
</dates>
</vuln>
<vuln vid="0ecc1f55-45d0-11e5-adde-14dae9d210b8">
<topic>unreal -- denial of service</topic>
<affects>
<package>
<name>Unreal</name>
<range><ge>3.2.10</ge><lt>3.2.10.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Unreal reports:</p>
<blockquote cite="https://www.unrealircd.org/txt/unrealsecadvisory.20150816.txt">
<p>Summary: If SASL support is enabled in UnrealIRCd (this is
not the default) and is also enabled in your services
package then a malicious user with a services account can cause
UnrealIRCd to crash.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.unrealircd.org/txt/unrealsecadvisory.20150816.txt</url>
<url>http://seclists.org/oss-sec/2015/q3/367</url>
</references>
<dates>
<discovery>2015-08-13</discovery>
<entry>2015-08-18</entry>
</dates>
</vuln>
<vuln vid="f1692469-45ce-11e5-adde-14dae9d210b8">
<topic>jasper -- multiple vulnerabilities</topic>
<affects>
<package>
<name>jasper</name>
<range><lt>1.900.1_16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Martin Prpic reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=1254242#c0">
<p>A double free flaw was found in the way JasPer's
jasper_image_stop_load() function parsed certain JPEG 2000 image files.
A specially crafted file could cause an application using JasPer to
crash.</p>
</blockquote>
<p>Feist Josselin reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/408">
<p>A new use-after-free was found in Jasper JPEG-2000. The
use-after-free appears in the function mif_process_cmpt of the
src/libjasper/mif/mif_cod.c file.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1254242#c0</url>
<url>http://seclists.org/oss-sec/2015/q3/366</url>
<url>http://seclists.org/oss-sec/2015/q3/408</url>
<cvename>CVE-2015-5203</cvename>
<cvename>CVE-2015-5221</cvename>
</references>
<dates>
<discovery>2015-08-17</discovery>
<entry>2015-08-18</entry>
<modified>2016-02-24</modified>
</dates>
</vuln>
<vuln vid="a59e263a-45cd-11e5-adde-14dae9d210b8">
<topic>freexl -- integer overflow</topic>
<affects>
<package>
<name>freexl</name>
<range><lt>1.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stefan Cornelius reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/07/06/7">
<p>There's an integer overflow in the allocate_cells() function
when trying to allocate the memory for worksheet with specially
crafted row/column dimensions. This can be exploited to cause a
heap memory corruption. The most likely outcome of this is a crash
when trying to initialize the cells later in the function.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2015/07/06/7</url>
</references>
<dates>
<discovery>2015-07-06</discovery>
<entry>2015-08-18</entry>
</dates>
</vuln>
<vuln vid="ac98d090-45cc-11e5-adde-14dae9d210b8">
<topic>freexl -- multiple vulnerabilities</topic>
<affects>
<package>
<name>freexl</name>
<range><lt>1.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jodie Cunningham reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/03/25/1">
<p>#1: A flaw was found in the way FreeXL reads sectors from
the input file. A specially crafted file could possibly
result in stack corruption near freexl.c:3752.</p>
<p>#2: A flaw was found in the function allocate_cells(). A
specially crafted file with invalid workbook dimensions
could possibly result in stack corruption near freexl.c:1074</p>
<p>#3: A flaw was found in the way FreeXL handles a premature EOF. A
specially crafted input file could possibly result in stack corruption
near freexl.c:1131</p>
<p>#4: FreeXL 1.0.0g did not properly check requests for workbook memory
allocation. A specially crafted input file could cause a Denial of
Service, or possibly write onto the stack.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2015/03/25/1</url>
<cvename>CVE-2015-2776</cvename>
</references>
<dates>
<discovery>2015-03-24</discovery>
<entry>2015-08-18</entry>
</dates>
</vuln>
<vuln vid="47aa4343-44fa-11e5-9daa-14dae9d210b8">
<topic>mod_jk -- information disclosure</topic>
<affects>
<package>
<name>ap22-mod_jk</name>
<name>ap24-mod_jk</name>
<range><lt>1.2.41,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NIST reports:</p>
<blockquote cite="http://www.cvedetails.com/cve/CVE-2014-8111/">
<p>Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores
JkUnmount rules for subtrees of previous JkMount rules, which allows
remote attackers to access otherwise restricted artifacts via
unspecified vectors.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.mail-archive.com/users@tomcat.apache.org/msg118949.html</url>
<url>http://readlist.com/lists/tomcat.apache.org/users/27/135512.html</url>
<url>http://www.cvedetails.com/cve/CVE-2014-8111/</url>
<cvename>CVE-2014-8111</cvename>
</references>
<dates>
<discovery>2015-01-15</discovery>
<entry>2015-08-17</entry>
</dates>
</vuln>
<vuln vid="f06f20dc-4347-11e5-93ad-002590263bf5">
<topic>qemu, xen-tools -- QEMU leak of uninitialized heap memory in rtl8139 device model</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><le>0.11.1_20</le></range>
<range><ge>0.12</ge><le>2.3.0_2</le></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.4.50.g20150814</lt></range>
</package>
<package>
<name>xen-tools</name>
<range><lt>4.5.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-140.html">
<p>The QEMU model of the RTL8139 network card did not sufficiently
validate inputs in the C+ mode offload emulation. This results in
uninitialized memory from the QEMU process's heap being leaked to
the domain as well as to the network.</p>
<p>A guest may be able to read sensitive host-level data relating to
itself which resides in the QEMU process.</p>
<p>Such information may include things such as information relating to
real devices backing emulated devices or passwords which the host
administrator does not intend to share with the guest admin.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5165</cvename>
<url>http://xenbits.xen.org/xsa/advisory-140.html</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=2a3612ccc1fa9cea77bd193afbfe21c77e7e91ef</url>
</references>
<dates>
<discovery>2015-08-03</discovery>
<entry>2015-08-17</entry>
<modified>2015-08-19</modified>
</dates>
</vuln>
<vuln vid="ee99899d-4347-11e5-93ad-002590263bf5">
<topic>qemu, xen-tools -- use-after-free in QEMU/Xen block unplug protocol</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><le>0.11.1_20</le></range>
<range><ge>0.12</ge><le>2.3.0_2</le></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.4.50.g20150814</lt></range>
</package>
<package>
<name>xen-tools</name>
<range><lt>4.5.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-139.html">
<p>When unplugging an emulated block device the device was not fully
unplugged, meaning a second unplug attempt would attempt to unplug
the device a second time using a previously freed pointer.</p>
<p>An HVM guest which has access to an emulated IDE disk device may be
able to exploit this vulnerability in order to take over the qemu
process elevating its privilege to that of the qemu process.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5166</cvename>
<url>http://xenbits.xen.org/xsa/advisory-139.html</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=260425ab405ea76c44dd59744d05176d4f579a52</url>
</references>
<dates>
<discovery>2015-08-03</discovery>
<entry>2015-08-17</entry>
<modified>2015-08-19</modified>
</dates>
</vuln>
<vuln vid="787ef75e-44da-11e5-93ad-002590263bf5">
<topic>php5 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5</name>
<name>php5-openssl</name>
<name>php5-phar</name>
<name>php5-soap</name>
<range><lt>5.4.44</lt></range>
</package>
<package>
<name>php55</name>
<name>php55-openssl</name>
<name>php55-phar</name>
<name>php55-soap</name>
<range><lt>5.5.28</lt></range>
</package>
<package>
<name>php56</name>
<name>php56-openssl</name>
<name>php56-phar</name>
<name>php56-soap</name>
<range><lt>5.6.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP project reports:</p>
<blockquote cite="http://php.net/ChangeLog-5.php">
<p>Core:</p>
<ul>
<li>Fixed bug #69793 (Remotely triggerable stack exhaustion via
recursive method calls).</li>
<li>Fixed bug #70121 (unserialize() could lead to unexpected methods
execution / NULL pointer deref).</li>
</ul>
<p>OpenSSL:</p>
<ul>
<li>Fixed bug #70014 (openssl_random_pseudo_bytes() is not
cryptographically secure).</li>
</ul>
<p>Phar:</p>
<ul>
<li>Improved fix for bug #69441.</li>
<li>Fixed bug #70019 (Files extracted from archive may be placed
outside of destination directory).</li>
</ul>
<p>SOAP:</p>
<ul>
<li>Fixed bug #70081 (SoapClient info leak / null pointer
dereference via multiple type confusions).</li>
</ul>
<p>SPL:</p>
<ul>
<li>Fixed bug #70068 (Dangling pointer in the unserialization of
ArrayObject items).</li>
<li>Fixed bug #70166 (Use After Free Vulnerability in unserialize()
with SPLArrayObject).</li>
<li>Fixed bug #70168 (Use After Free Vulnerability in unserialize()
with SplObjectStorage).</li>
<li>Fixed bug #70169 (Use After Free Vulnerability in unserialize()
with SplDoublyLinkedList).</li>
</ul>
</blockquote>
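<p>The Phar fix for bug #70019 concerns where extracted files land. As an added Python example (not PHP's code), the containment check below refuses any archive member that would resolve outside the destination directory, whether through ".." segments, an absolute name, or a symlink already planted under the destination. The member names are constructed test data and the function names are illustrative.</p>

```python
"""Keeping extracted archive members inside the destination directory.

Added example, not PHP's Phar code.  The member names below are
constructed test data; the helper names are illustrative.
"""
import os
import tempfile


class UnsafeMember(ValueError):
    """Raised for a member whose path would escape the destination."""


def safe_target_path(dest_dir, member_name):
    """Return the absolute path at which member_name may be written.

    Backslashes are treated as separators too (conservative: an archive
    built on Windows may use them).  Absolute names are refused outright.
    Both the destination and the candidate target go through realpath,
    so ".." segments and any symlink already present under the
    destination are resolved before the containment test, which requires
    the target to lie strictly below the destination.
    """
    name = member_name.replace("\\", "/")
    if name.startswith("/") or os.path.isabs(name):
        raise UnsafeMember("absolute member path: %r" % member_name)
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, name))
    if not target.startswith(root + os.sep):
        raise UnsafeMember("member escapes destination: %r" % member_name)
    return target


def classify_members(dest_dir, members):
    """Write each safe member under dest_dir; report the decision per name."""
    decisions = {}
    for name, data in members.items():
        try:
            target = safe_target_path(dest_dir, name)
        except UnsafeMember:
            decisions[name] = "rejected"
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        decisions[name] = "written"
    return decisions


# Constructed member list: two benign names and three escape attempts.
MEMBERS = {
    "docs/readme.txt": b"fine",
    "../outside.txt": b"escape via dot-dot",
    "/etc/passwd": b"absolute path",
    "a/b/../../../sneaky.txt": b"dot-dot after a normal prefix",
    "a/./c.txt": b"harmless dot segment",
}


def demo():
    """Extract MEMBERS into a scratch directory; return decisions and files."""
    with tempfile.TemporaryDirectory() as dest:
        decisions = classify_members(dest, MEMBERS)
        written = []
        for dirpath, _dirs, filenames in os.walk(dest):
            for fn in filenames:
                written.append(os.path.relpath(os.path.join(dirpath, fn), dest))
        written.sort()
    return decisions, written


if __name__ == "__main__":
    for name, verdict in demo()[0].items():
        print("%-26s %s" % (name, verdict))
```

<p>Checking the lexical name alone is not enough: the test must run on the resolved path, after joining with the destination, or a member such as a/b/../../../sneaky.txt passes a naive "does not start with .." filter and still writes outside the tree.</p>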
</body>
</description>
<references>
<url>http://php.net/ChangeLog-5.php#5.4.44</url>
<url>http://php.net/ChangeLog-5.php#5.5.28</url>
<url>http://php.net/ChangeLog-5.php#5.6.12</url>
<cvename>CVE-2015-6831</cvename>
<cvename>CVE-2015-6832</cvename>
<cvename>CVE-2015-6833</cvename>
</references>
<dates>
<discovery>2015-08-06</discovery>
<entry>2015-08-17</entry>
<modified>2015-09-08</modified>
</dates>
</vuln>
<vuln vid="6241b5df-42a1-11e5-93ad-002590263bf5">
<topic>mediawiki -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mediawiki123</name>
<range><lt>1.23.10</lt></range>
</package>
<package>
<name>mediawiki124</name>
<range><lt>1.24.3</lt></range>
</package>
<package>
<name>mediawiki125</name>
<range><lt>1.25.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MediaWiki reports:</p>
<blockquote cite="https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-August/000179.html">
<p>Internal review discovered that Special:DeletedContributions did
not properly protect the IP of autoblocked users. This fix makes
the functionality of Special:DeletedContributions consistent with
Special:Contributions and Special:BlockList.</p>
<p>Internal review discovered that watchlist anti-csrf tokens were not
being compared in constant time, which could allow various timing
attacks. This could allow an attacker to modify a user's watchlist
via csrf.</p>
<p>John Menerick reported that MediaWiki's thumb.php failed to sanitize
various error messages, resulting in xss.</p>
</blockquote>
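<p>The constant-time comparison the second fix calls for, as an added Python example that is not MediaWiki's code: an early-exit comparison is instrumented to count how many characters it examines before stopping, which is the quantity a timing attack measures, and hmac.compare_digest is used for the real check. The helper names (issue_token, tokens_match) and the hex token format are assumptions for illustration.</p>

```python
"""Constant-time comparison of anti-CSRF tokens.

Added example, not MediaWiki's code.  Token format and helper names are
assumptions for illustration.
"""
import hmac
import secrets


def issue_token(nbytes=16):
    """Mint a fresh, unguessable token for a session (hex encoded)."""
    return secrets.token_hex(nbytes)


def naive_equal(expected, given):
    """Character-by-character comparison that stops at the first mismatch.

    Returns (equal, chars_examined).  chars_examined is instrumentation
    only: it grows with the length of the matching prefix, and that is
    the side channel a remote timing attack measures, one position at a
    time, to reconstruct the token.
    """
    if len(expected) != len(given):
        return False, 0
    examined = 0
    for x, y in zip(expected, given):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def tokens_match(expected, given):
    """Constant-time check used to validate a submitted CSRF token.

    hmac.compare_digest takes time that depends only on the length of the
    inputs, not on their content, so a mismatch in the first byte and a
    mismatch in the last byte are indistinguishable to the attacker.
    Anything that is not a string (a missing form field, for instance)
    is rejected before the comparison.
    """
    if not isinstance(given, str):
        return False
    return hmac.compare_digest(expected.encode("utf-8"), given.encode("utf-8"))


if __name__ == "__main__":
    token = issue_token()
    wrong_last = token[:-1] + ("0" if token[-1] != "0" else "1")
    print("early-exit, mismatch at end  :", naive_equal(token, wrong_last))
    print("early-exit, mismatch at start:", naive_equal(token, "0" * len(token)))
    print("constant-time, correct token :", tokens_match(token, token))
    print("constant-time, wrong token   :", tokens_match(token, wrong_last))
```

<p>The instrumented counter is the whole story: with the early-exit version an attacker who can submit thousands of guesses learns the token one character at a time from the response latency, while compare_digest gives the same timing for every wrong guess.</p>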
</body>
</description>
<references>
<cvename>CVE-2015-6727</cvename>
<cvename>CVE-2013-7444</cvename>
<cvename>CVE-2015-6728</cvename>
<cvename>CVE-2015-6729</cvename>
<cvename>CVE-2015-6730</cvename>
<cvename>CVE-2015-6731</cvename>
<cvename>CVE-2015-6733</cvename>
<cvename>CVE-2015-6734</cvename>
<cvename>CVE-2015-6735</cvename>
<cvename>CVE-2015-6736</cvename>
<cvename>CVE-2015-6737</cvename>
<url>https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-August/000179.html</url>
<url>https://phabricator.wikimedia.org/T106893</url>
<url>https://phabricator.wikimedia.org/T94116</url>
<url>https://phabricator.wikimedia.org/T97391</url>
<url>http://www.openwall.com/lists/oss-security/2015/08/27/6</url>
</references>
<dates>
<discovery>2015-08-10</discovery>
<entry>2015-08-14</entry>
<modified>2015-12-24</modified>
</dates>
</vuln>
<vuln vid="0c2c4d84-42a2-11e5-9daa-14dae9d210b8">
<topic>freeradius3 -- insufficient validation on packets</topic>
<affects>
<package>
<name>freeradius3</name>
<range><lt>3.0.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jouni Malinen reports:</p>
<blockquote cite="http://freeradius.org/security.html#eap-pwd-2015">
<p>The EAP-PWD module performed insufficient validation on
packets received from an EAP peer. This module is not enabled in the
default configuration. Administrators must manually enable it for their
server to be vulnerable. Only versions 3.0 up to 3.0.8 are affected.</p>
</blockquote>
</body>
</description>
<references>
<url>http://freeradius.org/security.html#eap-pwd-2015</url>
</references>
<dates>
<discovery>2015-04-04</discovery>
<entry>2015-08-14</entry>
</dates>
</vuln>
<vuln vid="ec6a2a1e-429d-11e5-9daa-14dae9d210b8">
<topic>gnutls -- double free in certificate DN decoding</topic>
<affects>
<package>
<name>gnutls</name>
<range><lt>3.3.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>gnutls.org reports:</p>
<blockquote cite="http://www.gnutls.org/security.html#GNUTLS-SA-2015-3">
<p>Kurt Roeckx reported that decoding a specific certificate with very
long DistinguishedName (DN) entries leads to a double free, which may
result in a denial of service. Since the DN decoding occurs in almost
all applications using certificates, it is recommended to upgrade to the
latest GnuTLS version fixing the issue. Recommendation: Upgrade to
GnuTLS 3.4.4, or 3.3.17.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.gnutls.org/security.html#GNUTLS-SA-2015-3</url>
<mlist>http://seclists.org/oss-sec/2015/q3/308</mlist>
<url>https://gitlab.com/gnutls/gnutls/commit/272854367efc130fbd4f1a51840d80c630214e12</url>
<cvename>CVE-2015-6251</cvename>
</references>
<dates>
<discovery>2015-07-20</discovery>
<entry>2015-08-14</entry>
<modified>2015-08-18</modified>
</dates>
</vuln>
<vuln vid="3de36a19-429d-11e5-9daa-14dae9d210b8">
<topic>gnutls -- MD5 downgrade in TLS signatures</topic>
<affects>
<package>
<name>gnutls</name>
<range><lt>3.3.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Karthikeyan Bhargavan reports:</p>
<blockquote cite="http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/8132">
<p>GnuTLS does not by default support MD5 signatures. Indeed the RSA-MD5
signature-hash algorithm needs to be explicitly enabled using the
priority option VERIFY_ALLOW_SIGN_RSA_MD5. In the NORMAL and SECURE
profiles, GnuTLS clients do not offer RSA-MD5 in the signature
algorithms extension. However, we find that all GnuTLS clients still
accept RSA-MD5 in the ServerKeyExchange and GnuTLS servers still
accept RSA-MD5 in the ClientCertificateVerify.</p>
</blockquote>
</body>
</description>
<references>
<mlist>http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/8132</mlist>
<url>http://www.gnutls.org/security.html#GNUTLS-SA-2015-2</url>
<mlist>http://seclists.org/oss-sec/2015/q2/367</mlist>
</references>
<dates>
<discovery>2015-04-25</discovery>
<entry>2015-08-14</entry>
</dates>
</vuln>
<vuln vid="9ee72858-4159-11e5-93ad-002590263bf5">
<topic>froxlor -- database password information leak</topic>
<affects>
<package>
<name>froxlor</name>
<range><lt>0.9.33.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>oss-security-list@demlak.de reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/238">
<p>An unauthenticated remote attacker is able to get the database
password via webaccess due to wrong file permissions of the /logs/
folder in froxlor version 0.9.33.1 and earlier. The plain SQL
password and username may be stored in the /logs/sql-error.log file.
This directory is publicly reachable under the default
configuration/setup.</p>
</blockquote>
<p>Note that froxlor 0.9.33.2 prevents future logging of passwords but
does not retroactively remove passwords already logged. Michael
Kaufmann, the Froxlor lead developer, reports:</p>
<blockquote cite="http://forum.froxlor.org/index.php/topic/13054-important-bugfix-release-09332/#entry30025">
<p>Removing all .log files from the directory should do the job;
alternatively, just use the class.ConfigIO.php from GitHub.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5959</cvename>
<freebsdpr>ports/202262</freebsdpr>
<url>http://seclists.org/oss-sec/2015/q3/238</url>
<url>https://forum.froxlor.org/index.php/topic/13054-important-bugfix-release-09332/</url>
</references>
<dates>
<discovery>2015-07-29</discovery>
<entry>2015-08-13</entry>
</dates>
</vuln>
<vuln vid="83b38a2c-413e-11e5-bfcf-6805ca0b3d42">
<topic>RT -- two XSS vulnerabilities</topic>
<affects>
<package>
<name>rt42</name>
<range><ge>4.2.0</ge><lt>4.2.12</lt></range>
</package>
<package>
<name>rt40</name>
<range><ge>4.0.0</ge><lt>4.0.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Best Practical reports:</p>
<blockquote cite="http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html">
<p>RT 4.0.0 and above are vulnerable to a cross-site
scripting (XSS) attack via the user and group rights
management pages. This vulnerability is assigned
CVE-2015-5475. It was discovered and reported by Marcin
Kopec at Data Reliance Shared Service Center.</p>
<p>RT 4.2.0 and above are vulnerable to a cross-site
scripting (XSS) attack via the cryptography interface.
This vulnerability could allow an attacker with a
carefully-crafted key to inject JavaScript into RT's user
interface. Installations which use neither GnuPG nor
S/MIME are unaffected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5475</cvename>
<cvename>CVE-2015-6506</cvename>
<url>http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html</url>
</references>
<dates>
<discovery>2015-08-12</discovery>
<entry>2015-08-12</entry>
<modified>2015-08-18</modified>
</dates>
</vuln>
<vuln vid="09fff0d9-4126-11e5-9f01-14dae9d210b8">
<topic>py-foolscap -- local file inclusion</topic>
<affects>
<package>
<name>py27-foolscap</name>
<name>py32-foolscap</name>
<name>py33-foolscap</name>
<name>py34-foolscap</name>
<range><lt>0.7.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Brian Warner reports:</p>
<blockquote cite="https://github.com/warner/foolscap/blob/a17218e18e01c05a9655863cd507b80561692c14/NEWS">
<p>The "flappserver" feature was found to have a vulnerability in the
service-lookup code which, when combined with an attacker who has the ability
to write files to a location where the flappserver process could read them,
would allow that attacker to obtain control of the flappserver process.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/warner/foolscap/blob/a17218e18e01c05a9655863cd507b80561692c14/NEWS</url>
<url>http://foolscap.lothar.com/trac/ticket/226</url>
</references>
<dates>
<discovery>2014-09-23</discovery>
<entry>2015-08-12</entry>
</dates>
</vuln>
<vuln vid="42c98cef-62b1-4b8b-9065-f4621e08d526">
<topic>libvpx -- out-of-bounds write</topic>
<affects>
<package>
<name>libvpx</name>
<range><lt>1.4.0</lt></range>
</package>
<package>
<name>firefox</name>
<range><lt>33.0,1</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>31.1.2,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>33.0,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.30</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>31.1.2</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.30</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>31.1.2</lt></range>
</package>
<package>
<name>libxul</name>
<range><lt>31.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2014-77/">
<p>Using the Address Sanitizer tool, security researcher
Abhishek Arya (Inferno) of the Google Chrome Security Team
found an out-of-bounds write when buffering WebM format
video containing frames with invalid tile sizes. This can
lead to a potentially exploitable crash during WebM video
playback.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-1578</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2014-77/</url>
<url>https://hg.mozilla.org/releases/mozilla-esr31/rev/6023f0b4f8ba</url>
</references>
<dates>
<discovery>2014-10-14</discovery>
<entry>2015-08-12</entry>
</dates>
</vuln>
<vuln vid="f3778328-d288-4b39-86a4-65877331eaf7">
<topic>Adobe Flash Player -- critical vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<range><lt>11.2r202.508</lt></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.508</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-19.html">
<p>Adobe has released security updates for Adobe Flash Player.
These updates address critical vulnerabilities that could
potentially allow an attacker to take control of the affected
system.</p>
<p>These updates resolve type confusion vulnerabilities that could
lead to code execution (CVE-2015-5128, CVE-2015-5554,
CVE-2015-5555, CVE-2015-5558, CVE-2015-5562).</p>
<p>These updates include further hardening to a mitigation
introduced in version 18.0.0.209 to defend against vector
length corruptions (CVE-2015-5125).</p>
<p>These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2015-5550, CVE-2015-5551,
CVE-2015-3107, CVE-2015-5556, CVE-2015-5130, CVE-2015-5134,
CVE-2015-5539, CVE-2015-5540, CVE-2015-5557, CVE-2015-5559,
CVE-2015-5127, CVE-2015-5563, CVE-2015-5561, CVE-2015-5124,
CVE-2015-5564).</p>
<p>These updates resolve heap buffer overflow vulnerabilities
that could lead to code execution (CVE-2015-5129,
CVE-2015-5541).</p>
<p>These updates resolve buffer overflow vulnerabilities that
could lead to code execution (CVE-2015-5131, CVE-2015-5132,
CVE-2015-5133).</p>
<p>These updates resolve memory corruption vulnerabilities that
could lead to code execution (CVE-2015-5544, CVE-2015-5545,
CVE-2015-5546, CVE-2015-5547, CVE-2015-5548, CVE-2015-5549,
CVE-2015-5552, CVE-2015-5553).</p>
<p>These updates resolve an integer overflow vulnerability that
could lead to code execution (CVE-2015-5560).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3107</cvename>
<cvename>CVE-2015-5124</cvename>
<cvename>CVE-2015-5125</cvename>
<cvename>CVE-2015-5127</cvename>
<cvename>CVE-2015-5128</cvename>
<cvename>CVE-2015-5129</cvename>
<cvename>CVE-2015-5130</cvename>
<cvename>CVE-2015-5131</cvename>
<cvename>CVE-2015-5132</cvename>
<cvename>CVE-2015-5133</cvename>
<cvename>CVE-2015-5134</cvename>
<cvename>CVE-2015-5539</cvename>
<cvename>CVE-2015-5540</cvename>
<cvename>CVE-2015-5541</cvename>
<cvename>CVE-2015-5544</cvename>
<cvename>CVE-2015-5545</cvename>
<cvename>CVE-2015-5546</cvename>
<cvename>CVE-2015-5547</cvename>
<cvename>CVE-2015-5548</cvename>
<cvename>CVE-2015-5549</cvename>
<cvename>CVE-2015-5550</cvename>
<cvename>CVE-2015-5551</cvename>
<cvename>CVE-2015-5552</cvename>
<cvename>CVE-2015-5553</cvename>
<cvename>CVE-2015-5554</cvename>
<cvename>CVE-2015-5555</cvename>
<cvename>CVE-2015-5556</cvename>
<cvename>CVE-2015-5557</cvename>
<cvename>CVE-2015-5558</cvename>
<cvename>CVE-2015-5559</cvename>
<cvename>CVE-2015-5560</cvename>
<cvename>CVE-2015-5561</cvename>
<cvename>CVE-2015-5562</cvename>
<cvename>CVE-2015-5563</cvename>
<cvename>CVE-2015-5564</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-19.html</url>
</references>
<dates>
<discovery>2015-08-11</discovery>
<entry>2015-08-12</entry>
</dates>
</vuln>
<vuln vid="34e60332-2448-4ed6-93f0-12713749f250">
<topic>libvpx -- multiple buffer overflows</topic>
<affects>
<package>
<name>libvpx</name>
<range><lt>1.4.0.488</lt></range>
</package>
<package>
<name>firefox</name>
<range><lt>40.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>40.0,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/security/advisories/mfsa2015-89/">
<p>Security researcher Abhishek Arya (Inferno) of the Google
Chrome Security Team used the Address Sanitizer tool to
discover two buffer overflow issues in the Libvpx library
used for WebM video when decoding a malformed WebM video
file. These buffer overflows result in potentially
exploitable crashes.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4485</cvename>
<cvename>CVE-2015-4486</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-89/</url>
</references>
<dates>
<discovery>2015-08-11</discovery>
<entry>2015-08-11</entry>
<modified>2015-08-14</modified>
</dates>
</vuln>
<vuln vid="c66a5632-708a-4727-8236-d65b2d5b2739">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>40.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>40.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><ge>2.36</ge><lt>2.37</lt></range>
<!-- seamonkey-2.35 milestone.txt: 38.2.0esrpre -->
<range><lt>2.35</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><ge>2.36</ge><lt>2.37</lt></range>
<!-- seamonkey-2.35 milestone.txt: 38.2.0esrpre -->
<range><lt>2.35</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>38.2.0,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><lt>38.2.0</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>38.2.0</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>38.2.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/">
<p>MFSA 2015-79 Miscellaneous memory safety hazards (rv:40.0
/ rv:38.2)</p>
<p>MFSA 2015-80 Out-of-bounds read with malformed MP3
file</p>
<p>MFSA 2015-81 Use-after-free in MediaStream playback</p>
<p>MFSA 2015-82 Redefinition of non-configurable JavaScript object properties</p>
<p>MFSA 2015-83 Overflow issues in libstagefright</p>
<p>MFSA 2015-84 Arbitrary file overwriting through Mozilla
Maintenance Service with hard links</p>
<p>MFSA 2015-85 Out-of-bounds write with Updater and
malicious MAR file</p>
<p>MFSA 2015-86 Feed protocol with POST bypasses mixed
content protections</p>
<p>MFSA 2015-87 Crash when using shared memory in
JavaScript</p>
<p>MFSA 2015-88 Heap overflow in gdk-pixbuf when scaling
bitmap images</p>
<p>MFSA 2015-90 Vulnerabilities found through code
inspection</p>
<p>MFSA 2015-91 Mozilla Content Security Policy allows for
asterisk wildcards in violation of CSP specification</p>
<p>MFSA 2015-92 Use-after-free in XMLHttpRequest with shared
workers</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4473</cvename>
<cvename>CVE-2015-4474</cvename>
<cvename>CVE-2015-4475</cvename>
<cvename>CVE-2015-4477</cvename>
<cvename>CVE-2015-4478</cvename>
<cvename>CVE-2015-4479</cvename>
<cvename>CVE-2015-4480</cvename>
<cvename>CVE-2015-4481</cvename>
<cvename>CVE-2015-4482</cvename>
<cvename>CVE-2015-4483</cvename>
<cvename>CVE-2015-4484</cvename>
<cvename>CVE-2015-4487</cvename>
<cvename>CVE-2015-4488</cvename>
<cvename>CVE-2015-4489</cvename>
<cvename>CVE-2015-4490</cvename>
<cvename>CVE-2015-4491</cvename>
<cvename>CVE-2015-4492</cvename>
<cvename>CVE-2015-4493</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-79/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-80/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-81/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-82/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-83/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-84/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-85/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-86/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-87/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-88/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-90/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-91/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-92/</url>
</references>
<dates>
<discovery>2015-08-11</discovery>
<entry>2015-08-11</entry>
<modified>2015-08-22</modified>
</dates>
</vuln>
<vuln vid="dd7f29cc-3ee9-11e5-93ad-002590263bf5">
<topic>lighttpd -- Log injection vulnerability in mod_auth</topic>
<affects>
<package>
<name>lighttpd</name>
<range><lt>1.4.36</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3200">
<p>mod_auth in lighttpd before 1.4.36 allows remote attackers to
inject arbitrary log entries via a basic HTTP authentication string
without a colon character, as demonstrated by a string containing a
NULL and new line character.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3200</cvename>
<url>http://redmine.lighttpd.net/issues/2646</url>
</references>
<dates>
<discovery>2015-05-25</discovery>
<entry>2015-08-10</entry>
</dates>
</vuln>
<vuln vid="ff0acfb4-3efa-11e5-93ad-002590263bf5">
<topic>pcre -- heap overflow vulnerability in '(?|' situations</topic>
<affects>
<package>
<name>pcre</name>
<range><le>8.37_2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Venustech ADLAB reports:</p>
<blockquote cite="https://bugs.exim.org/show_bug.cgi?id=1667">
<p>PCRE library is prone to a vulnerability which leads to Heap
Overflow. During the compilation of a malformed regular expression,
more data is written on the malloced block than the expected size
output by compile_regex. Exploits with advanced Heap Fengshui
techniques may allow an attacker to execute arbitrary code in the
context of the user running the affected application.</p>
<p>The latest version of PCRE is prone to a Heap Overflow vulnerability
which could be caused by the following regular expression.</p>
<p>/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/202209</freebsdpr>
<url>https://bugs.exim.org/show_bug.cgi?id=1667</url>
</references>
<dates>
<discovery>2015-08-05</discovery>
<entry>2015-08-10</entry>
</dates>
</vuln>
<vuln vid="8eee06d4-c21d-4f07-a669-455151ff426f">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>39.0.3,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>39.0.3,1</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>38.1.1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/">
<p>MFSA 2015-78 Same origin violation and local file
stealing via PDF reader</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4495</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-78/</url>
</references>
<dates>
<discovery>2015-08-06</discovery>
<entry>2015-08-07</entry>
</dates>
</vuln>
<vuln vid="ac5ec8e3-3c6c-11e5-b921-00a0986f28c4">
<topic>wordpress -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.2.4,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>ja-wordpress</name>
<name>ru-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gary Pendergast reports:</p>
<blockquote cite="https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/">
<p>WordPress 4.2.4 fixes three cross-site scripting vulnerabilities
and a potential SQL injection that could be used to compromise a
site.</p>
</blockquote>
</body>
</description>
<references>
<url>https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/</url>
<cvename>CVE-2015-2213</cvename>
<cvename>CVE-2015-5730</cvename>
<cvename>CVE-2015-5731</cvename>
<cvename>CVE-2015-5732</cvename>
<cvename>CVE-2015-5733</cvename>
<cvename>CVE-2015-5734</cvename>
</references>
<dates>
<discovery>2015-08-04</discovery>
<entry>2015-08-06</entry>
<modified>2015-09-15</modified>
</dates>
</vuln>
<vuln vid="57bb5e3d-3c4f-11e5-a4d4-001e8c75030d">
<topic>subversion -- multiple vulnerabilities</topic>
<affects>
<package>
<name>subversion</name>
<range><ge>1.8.0</ge><lt>1.8.14</lt></range>
<range><ge>1.7.0</ge><lt>1.7.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Subversion reports:</p>
<blockquote cite="http://svn.haxx.se/dev/archive-2015-08/0024.shtml">
<p>CVE-2015-3184:<br/>
Subversion's mod_authz_svn does not properly restrict anonymous access
in some mixed anonymous/authenticated environments when
using Apache httpd 2.4.</p>
<p>CVE-2015-3187:<br/>
Subversion servers, both httpd and svnserve, will reveal some
paths that should be hidden by path-based authz.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3184</cvename>
<url>http://subversion.apache.org/security/CVE-2015-3184-advisory.txt</url>
<cvename>CVE-2015-3187</cvename>
<url>http://subversion.apache.org/security/CVE-2015-3187-advisory.txt</url>
</references>
<dates>
<discovery>2015-07-27</discovery>
<entry>2015-08-06</entry>
</dates>
</vuln>
<vuln vid="ae8c09cb-32da-11e5-a4a5-002590263bf5">
<topic>elasticsearch -- directory traversal attack via snapshot API</topic>
<affects>
<package>
<name>elasticsearch</name>
<range><ge>1.0.0</ge><lt>1.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Elastic reports:</p>
<blockquote cite="https://www.elastic.co/community/security">
<p>Vulnerability Summary: Elasticsearch versions from 1.0.0 to 1.6.0
are vulnerable to a directory traversal attack.</p>
<p>Remediation Summary: Users should upgrade to 1.6.1 or later, or
constrain access to the snapshot API to trusted sources.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5531</cvename>
<freebsdpr>ports/201834</freebsdpr>
<url>https://www.elastic.co/community/security</url>
</references>
<dates>
<discovery>2015-07-16</discovery>
<entry>2015-08-05</entry>
</dates>
</vuln>
<vuln vid="fb3668df-32d7-11e5-a4a5-002590263bf5">
<topic>elasticsearch -- remote code execution via transport protocol</topic>
<affects>
<package>
<name>elasticsearch</name>
<range><lt>1.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Elastic reports:</p>
<blockquote cite="https://www.elastic.co/community/security">
<p>Vulnerability Summary: Elasticsearch versions prior to 1.6.1 are
vulnerable to an attack that can result in remote code execution.</p>
<p>Remediation Summary: Users should upgrade to 1.6.1 or 1.7.0.
Alternately, ensure that only trusted applications have access to
the transport protocol port.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5377</cvename>
<freebsdpr>ports/201834</freebsdpr>
<url>https://www.elastic.co/community/security</url>
</references>
<dates>
<discovery>2015-07-16</discovery>
<entry>2015-08-05</entry>
</dates>
</vuln>
<vuln vid="da451130-365d-11e5-a4a5-002590263bf5">
<topic>qemu, xen-tools -- QEMU heap overflow flaw with certain ATAPI commands</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><le>0.11.1_20</le></range>
<range><ge>0.12</ge><le>2.3.0_2</le></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.4.50.g20150814</lt></range>
</package>
<package>
<name>xen-tools</name>
<range><lt>4.5.0_9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-138.html">
<p>A heap overflow flaw was found in the way QEMU's IDE subsystem
handled I/O buffer access while processing certain ATAPI
commands.</p>
<p>A privileged guest user in a guest with CDROM drive enabled could
potentially use this flaw to execute arbitrary code on the host
with the privileges of the host's QEMU process corresponding to
the guest.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5154</cvename>
<url>http://xenbits.xen.org/xsa/advisory-138.html</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=e40db4c6d391419c0039fe274c74df32a6ca1a28</url>
</references>
<dates>
<discovery>2015-07-27</discovery>
<entry>2015-08-04</entry>
<modified>2015-08-19</modified>
</dates>
</vuln>
<vuln vid="4622635f-37a1-11e5-9970-14dae9d210b8">
<topic>net-snmp -- snmptrapd crash</topic>
<affects>
<package>
<name>net-snmp</name>
<range><ge>5.7.0</ge><le>5.7.2.1</le></range>
<range><ge>5.6.0</ge><le>5.6.2.1</le></range>
<range><ge>5.5.0</ge><le>5.5.2.1</le></range>
<range><ge>5.4.0</ge><le>5.4.4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Murray McAllister reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2014/q3/473">
<p>A remote denial-of-service flaw was found in the way
snmptrapd handled certain SNMP traps when started with the
"-OQ" option. If an attacker sent an SNMP trap containing a
variable with a NULL type where an integer variable type was
expected, it would cause snmptrapd to crash.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2014/q3/473</url>
<url>http://sourceforge.net/p/net-snmp/code/ci/7f4a7b891332899cea26e95be0337aae01648742/</url>
<url>https://sourceforge.net/p/net-snmp/official-patches/48/</url>
<cvename>CVE-2014-3565</cvename>
</references>
<dates>
<discovery>2014-07-31</discovery>
<entry>2015-07-31</entry>
</dates>
</vuln>
<vuln vid="381183e8-3798-11e5-9970-14dae9d210b8">
<topic>net-snmp -- snmp_pdu_parse() function incomplete initialization</topic>
<affects>
<package>
<name>net-snmp</name>
<range><le>5.7.3_7</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Qinghao Tang reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q2/116">
<p>An incompletely initialized vulnerability exists in the function
'snmp_pdu_parse()' of 'snmp_api.c', and remote attackers can cause memory
leaks, DOS and possible command executions by sending malicious packets.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2015/q2/116</url>
<url>http://sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791/</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1212408</url>
<cvename>CVE-2015-5621</cvename>
</references>
<dates>
<discovery>2015-04-11</discovery>
<entry>2015-07-31</entry>
</dates>
</vuln>
<vuln vid="731cdeaa-3564-11e5-9970-14dae9d210b8">
<topic>bind -- denial of service vulnerability</topic>
<affects>
<package>
<name>bind910</name>
<range><lt>9.10.2P3</lt></range>
</package>
<package>
<name>bind99</name>
<range><lt>9.9.7P2</lt></range>
</package>
<package>
<name>bind910-base</name>
<name>bind99-base</name>
<range><gt>0</gt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>9.3</ge><lt>9.3_21</lt></range>
<range><ge>8.4</ge><lt>8.4_35</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01272/">
<p>An error in the handling of TKEY queries can be exploited
by an attacker for use as a denial-of-service vector, as a constructed
packet can use the defect to trigger a REQUIRE assertion failure,
causing BIND to exit.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-15:17.bind</freebsdsa>
<cvename>CVE-2015-5477</cvename>
<url>https://kb.isc.org/article/AA-01272/</url>
</references>
<dates>
<discovery>2015-07-21</discovery>
<entry>2015-07-28</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="5b74a5bc-348f-11e5-ba05-c80aa9043978">
<topic>OpenSSH -- MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices</topic>
<affects>
<package>
<name>openssh-portable</name>
<range><lt>6.9.p1_2,1</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.1</ge><lt>10.1_16</lt></range>
<range><ge>9.3</ge><lt>9.3_21</lt></range>
<range><ge>8.4</ge><lt>8.4_36</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://access.redhat.com/security/cve/CVE-2015-5600">
<p>It was discovered that the OpenSSH sshd daemon did not check the
list of keyboard-interactive authentication methods for duplicates.
A remote attacker could use this flaw to bypass the MaxAuthTries
limit, making it easier to perform password guessing attacks.</p>
</blockquote>
</body>
</description>
<references>
<url>https://access.redhat.com/security/cve/CVE-2015-5600</url>
<cvename>CVE-2015-5600</cvename>
<freebsdsa>SA-15:16.openssh</freebsdsa>
</references>
<dates>
<discovery>2015-07-21</discovery>
<entry>2015-07-27</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="c470bcc7-33fe-11e5-a4a5-002590263bf5">
<topic>logstash -- SSL/TLS vulnerability with Lumberjack input</topic>
<affects>
<package>
<name>logstash</name>
<range><lt>1.4.4</lt></range>
<range><ge>1.5.0</ge><lt>1.5.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Elastic reports:</p>
<blockquote cite="https://www.elastic.co/community/security">
<p>Vulnerability Summary: All Logstash versions prior to 1.5.2 that
use Lumberjack input (in combination with Logstash Forwarder agent)
are vulnerable to an SSL/TLS security issue called the FREAK attack.
This allows an attacker to intercept communication and access secure
data. Users should upgrade to 1.5.3 or 1.4.4.</p>
<p>Remediation Summary: Users that do not want to upgrade can address
the vulnerability by disabling the Lumberjack input.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5378</cvename>
<url>https://www.elastic.co/community/security</url>
</references>
<dates>
<discovery>2015-07-22</discovery>
<entry>2015-07-27</entry>
</dates>
</vuln>
<vuln vid="9d732078-32c7-11e5-b263-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>44.0.2403.89</lt></range>
</package>
<package>
<!-- pcbsd -->
<name>chromium-npapi</name>
<range><lt>44.0.2403.89</lt></range>
</package>
<package>
<!-- pcbsd -->
<name>chromium-pulse</name>
<range><lt>44.0.2403.89</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/">
<p>43 security fixes in this release, including:</p>
<ul>
<li>[446032] High CVE-2015-1271: Heap-buffer-overflow in pdfium.
Credit to cloudfuzzer.</li>
<li>[459215] High CVE-2015-1273: Heap-buffer-overflow in pdfium.
Credit to makosoft.</li>
<li>[461858] High CVE-2015-1274: Settings allowed executable files
to run immediately after download. Credit to andrewm.bpi.</li>
<li>[462843] High CVE-2015-1275: UXSS in Chrome for Android. Credit
to WangTao(neobyte) of Baidu X-Team.</li>
<li>[472614] High CVE-2015-1276: Use-after-free in IndexedDB.
Credit to Collin Payne.</li>
<li>[483981] High CVE-2015-1279: Heap-buffer-overflow in pdfium.
Credit to mlafon.</li>
<li>[486947] High CVE-2015-1280: Memory corruption in skia. Credit
to cloudfuzzer.</li>
<li>[487155] High CVE-2015-1281: CSP bypass. Credit to Masato
Kinugawa.</li>
<li>[487928] High CVE-2015-1282: Use-after-free in pdfium. Credit
to Chamal de Silva.</li>
<li>[492052] High CVE-2015-1283: Heap-buffer-overflow in expat.
Credit to sidhpurwala.huzaifa.</li>
<li>[493243] High CVE-2015-1284: Use-after-free in blink. Credit to
Atte Kettunen of OUSPG.</li>
<li>[504011] High CVE-2015-1286: UXSS in blink. Credit to
anonymous.</li>
<li>[505374] High CVE-2015-1290: Memory corruption in V8. Credit to
Yongjun Liu of NSFOCUS Security Team.</li>
<li>[419383] Medium CVE-2015-1287: SOP bypass with CSS. Credit to
filedescriptor.</li>
<li>[444573] Medium CVE-2015-1270: Uninitialized memory read in
ICU. Credit to Atte Kettunen of OUSPG.</li>
<li>[451456] Medium CVE-2015-1272: Use-after-free related to
unexpected GPU process termination. Credit to Chamal de
Silva.</li>
<li>[479743] Medium CVE-2015-1277: Use-after-free in accessibility.
Credit to SkyLined.</li>
<li>[482380] Medium CVE-2015-1278: URL spoofing using pdf files.
Credit to Chamal de Silva.</li>
<li>[498982] Medium CVE-2015-1285: Information leak in XSS auditor.
Credit to gazheyes.</li>
<li>[479162] Low CVE-2015-1288: Spell checking dictionaries fetched
over HTTP. Credit to mike@michaelruddy.com.</li>
<li>[512110] CVE-2015-1289: Various fixes from internal audits,
fuzzing and other initiatives.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1270</cvename>
<cvename>CVE-2015-1271</cvename>
<cvename>CVE-2015-1272</cvename>
<cvename>CVE-2015-1273</cvename>
<cvename>CVE-2015-1274</cvename>
<cvename>CVE-2015-1275</cvename>
<cvename>CVE-2015-1276</cvename>
<cvename>CVE-2015-1277</cvename>
<cvename>CVE-2015-1278</cvename>
<cvename>CVE-2015-1279</cvename>
<cvename>CVE-2015-1280</cvename>
<cvename>CVE-2015-1281</cvename>
<cvename>CVE-2015-1282</cvename>
<cvename>CVE-2015-1283</cvename>
<cvename>CVE-2015-1284</cvename>
<cvename>CVE-2015-1285</cvename>
<cvename>CVE-2015-1286</cvename>
<cvename>CVE-2015-1287</cvename>
<cvename>CVE-2015-1288</cvename>
<cvename>CVE-2015-1289</cvename>
<cvename>CVE-2015-1290</cvename>
<url>http://googlechromereleases.blogspot.nl/</url>
</references>
<dates>
<discovery>2015-07-21</discovery>
<entry>2015-07-25</entry>
</dates>
</vuln>
<vuln vid="b202e4ce-3114-11e5-aa32-0026551a22dc">
<topic>shibboleth-sp -- DoS vulnerability</topic>
<affects>
<package>
<name>xmltooling</name>
<range><lt>1.5.5</lt></range>
</package>
<package>
<name>opensaml2</name>
<range><lt>2.5.5</lt></range>
</package>
<package>
<name>shibboleth-sp</name>
<range><lt>2.5.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Shibboleth consortium reports:</p>
<blockquote cite="http://shibboleth.net/community/advisories/secadv_20150721.txt">
<p>
Shibboleth SP software crashes on well-formed but invalid XML.
</p>
<p>
The Service Provider software contains a code path with an uncaught
exception that can be triggered by an unauthenticated attacker by
supplying well-formed but schema-invalid XML in the form of SAML
metadata or SAML protocol messages. The result is a crash and so
causes a denial of service.
</p>
<p>
You must rebuild opensaml and shibboleth with xmltooling-1.5.5 or
later. The easiest way to do so is to update the whole chain including
shibboleth-2.5.5 and opensaml2.5.5.
</p>
</blockquote>
</body>
</description>
<references>
<url>http://shibboleth.net/community/advisories/secadv_20150721.txt</url>
<cvename>CVE-2015-2684</cvename>
</references>
<dates>
<discovery>2015-07-21</discovery>
<entry>2015-07-23</entry>
</dates>
</vuln>
<vuln vid="c80b27a2-3165-11e5-8a1d-14dae9d210b8">
<topic>wordpress -- XSS vulnerability</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.2.3,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>ja-wordpress</name>
<name>ru-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gary Pendergast reports:</p>
<blockquote cite="https://wordpress.org/news/2015/07/wordpress-4-2-3/">
<p>WordPress versions 4.2.2 and earlier are affected by a
cross-site scripting vulnerability, which could allow users with the
Contributor or Author role to compromise a site. This was reported by
Jon Cave and fixed by Robert Chapin, both of the WordPress security
team.</p>
</blockquote>
</body>
</description>
<references>
<url>https://wordpress.org/news/2015/07/wordpress-4-2-3/</url>
<cvename>CVE-2015-5622</cvename>
<cvename>CVE-2015-5623</cvename>
</references>
<dates>
<discovery>2015-07-23</discovery>
<entry>2015-07-23</entry>
<modified>2015-09-15</modified>
</dates>
</vuln>
<vuln vid="4caf01e2-30e6-11e5-a4a5-002590263bf5">
<topic>libidn -- out-of-bounds read issue with invalid UTF-8 input</topic>
<affects>
<package>
<name>libidn</name>
<range><lt>1.31</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Simon Josefsson reports:</p>
<blockquote cite="http://git.savannah.gnu.org/cgit/libidn.git/plain/NEWS?id=libidn-1-31">
<p>stringprep_utf8_to_ucs4 now rejects invalid UTF-8. This function
has always been documented to not validate that the input UTF-8
string is actually valid UTF-8...
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2059</cvename>
<url>http://git.savannah.gnu.org/cgit/libidn.git/plain/NEWS?id=libidn-1-31</url>
</references>
<dates>
<discovery>2015-02-09</discovery>
<entry>2015-07-23</entry>
<modified>2015-08-03</modified>
</dates>
</vuln>
<vuln vid="9dd761ff-30cb-11e5-a4a5-002590263bf5">
<topic>sox -- memory corruption vulnerabilities</topic>
<affects>
<package>
<name>sox</name>
<range><le>14.4.2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michele Spagnuolo, Google Security Team, reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/167">
<p>The write heap buffer overflows are related to ADPCM handling in
WAV files, while the read heap buffer overflow is while opening a
.VOC.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2015/q3/167</url>
</references>
<dates>
<discovery>2015-07-22</discovery>
<entry>2015-07-23</entry>
</dates>
</vuln>
<vuln vid="92cda470-30cb-11e5-a4a5-002590263bf5">
<topic>sox -- input sanitization errors</topic>
<affects>
<package>
<name>sox</name>
<range><lt>14.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>oCERT reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2014-010.html">
<p>The sox command line tool is affected by two heap-based buffer
overflows, respectively located in functions start_read() and
AdpcmReadBlock().</p>
<p>A specially crafted wav file can be used to trigger the
vulnerabilities.</p>
</blockquote>
</body>
</description>
<references>
<bid>71774</bid>
<cvename>CVE-2014-8145</cvename>
<url>http://www.ocert.org/advisories/ocert-2014-010.html</url>
</references>
<dates>
<discovery>2014-11-20</discovery>
<entry>2015-07-23</entry>
</dates>
</vuln>
<vuln vid="95eee71d-3068-11e5-a9b5-bcaec565249c">
<topic>gdk-pixbuf2 -- heap overflow and DoS affecting Firefox and other programs</topic>
<affects>
<package>
<name>gdk-pixbuf2</name>
<range><lt>2.31.2_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>gustavo.grieco@imag.fr reports:</p>
<blockquote cite="https://bugzilla.gnome.org/show_bug.cgi?id=752297">
<p>We found a heap overflow and a DoS in the gdk-pixbuf
implementation triggered by the scaling of a malformed bmp.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=752297</url>
</references>
<dates>
<discovery>2015-07-12</discovery>
<entry>2015-07-22</entry>
</dates>
</vuln>
<vuln vid="8a1d0e63-1e07-11e5-b43d-002590263bf5">
<topic>pcre -- Heap Overflow Vulnerability in find_fixedlength()</topic>
<affects>
<package>
<name>pcre</name>
<range><le>8.37_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Venustech ADLAB reports:</p>
<blockquote cite="https://bugs.exim.org/show_bug.cgi?id=1651">
<p>PCRE library is prone to a vulnerability which leads to Heap
Overflow. During subpattern calculation of a malformed regular
expression, an offset that is used as an array index is fully
controlled and can be large enough so that unexpected heap
memory regions are accessed.</p>
<p>One could at least exploit this issue to read objects nearby of
the affected application's memory.</p>
<p>Such information disclosure may also be used to bypass memory
protection method such as ASLR.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5073</cvename>
<url>https://bugs.exim.org/show_bug.cgi?id=1651</url>
<url>http://vcs.pcre.org/pcre?view=revision&amp;revision=1571</url>
<mlist>http://www.openwall.com/lists/oss-security/2015/06/26/1</mlist>
</references>
<dates>
<discovery>2015-06-23</discovery>
<entry>2015-06-29</entry>
</dates>
</vuln>
<vuln vid="0bfda05f-2e6f-11e5-a4a5-002590263bf5">
<topic>cacti -- Multiple XSS and SQL injection vulnerabilities</topic>
<affects>
<package>
<name>cacti</name>
<range><lt>0.8.8e</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Cacti Group, Inc. reports:</p>
<blockquote cite="http://www.cacti.net/release_notes_0_8_8e.php">
<p>Important Security Fixes</p>
<ul>
<li>Multiple XSS and SQL injection vulnerabilities</li>
<li>CVE-2015-4634 - SQL injection in graphs.php</li>
</ul>
<p>Changelog</p>
<ul>
<li>bug: Fixed various SQL Injection vectors</li>
<li>bug#0002574: SQL Injection Vulnerabilities in graph items and
graph template items</li>
<li>bug#0002577: CVE-2015-4634 - SQL injection in graphs.php</li>
<li>bug#0002579: SQL Injection Vulnerabilities in data sources</li>
<li>bug#0002580: SQL Injection in cdef.php</li>
<li>bug#0002582: SQL Injection in data_templates.php</li>
<li>bug#0002583: SQL Injection in graph_templates.php</li>
<li>bug#0002584: SQL Injection in host_templates.php</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4634</cvename>
<freebsdpr>ports/201702</freebsdpr>
<url>http://www.cacti.net/release_notes_0_8_8e.php</url>
<mlist>http://seclists.org/oss-sec/2015/q3/150</mlist>
</references>
<dates>
<discovery>2015-07-12</discovery>
<entry>2015-07-20</entry>
</dates>
</vuln>
<vuln vid="8b1f53f3-2da5-11e5-86ff-14dae9d210b8">
<topic>php-phar -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php56-phar</name>
<range><lt>5.6.11</lt></range>
</package>
<package>
<name>php55-phar</name>
<range><lt>5.5.27</lt></range>
</package>
<package>
<name>php5-phar</name>
<range><lt>5.4.43</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p> reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/141">
<p>Segfault in Phar::convertToData on invalid file.</p>
<p>Buffer overflow and stack smashing error in phar_fix_filepath.</p>
</blockquote>
</body>
</description>
<references>
<mlist>http://seclists.org/oss-sec/2015/q3/141</mlist>
<url>https://bugs.php.net/bug.php?id=69958</url>
<url>http://git.php.net/?p=php-src.git;a=commit;h=bf58162ddf970f63502837f366930e44d6a992cf</url>
<url>https://bugs.php.net/bug.php?id=69923</url>
<url>http://git.php.net/?p=php-src.git;a=commit;h=6dedeb40db13971af45276f80b5375030aa7e76f</url>
<cvename>CVE-2015-5589</cvename>
<cvename>CVE-2015-5590</cvename>
</references>
<dates>
<discovery>2015-06-24</discovery>
<entry>2015-07-18</entry>
<modified>2015-12-18</modified>
</dates>
</vuln>
<vuln vid="43891162-2d5e-11e5-a4a5-002590263bf5">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle27</name>
<range><lt>2.7.9</lt></range>
</package>
<package>
<name>moodle28</name>
<range><lt>2.8.7</lt></range>
</package>
<package>
<name>moodle29</name>
<range><lt>2.9.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Marina Glancy reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/94">
<p>MSA-15-0026: Possible phishing when redirecting to external site
using referer header. (CVE-2015-3272)</p>
<p>MSA-15-0027: Capability 'mod/forum:canposttomygroups' is not
respected when using 'Post a copy to all groups' in forum
(CVE-2015-3273)</p>
<p>MSA-15-0028: Possible XSS through custom text profile fields in Web
Services (CVE-2015-3274)</p>
<p>MSA-15-0029: Javascript injection in SCORM module (CVE-2015-3275)
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3272</cvename>
<cvename>CVE-2015-3273</cvename>
<cvename>CVE-2015-3274</cvename>
<cvename>CVE-2015-3275</cvename>
<mlist>http://seclists.org/oss-sec/2015/q3/94</mlist>
<url>https://docs.moodle.org/dev/Moodle_2.7.9_release_notes</url>
<url>https://docs.moodle.org/dev/Moodle_2.8.7_release_notes</url>
<url>https://docs.moodle.org/dev/Moodle_2.9.1_release_notes</url>
</references>
<dates>
<discovery>2015-07-06</discovery>
<entry>2015-07-18</entry>
<modified>2015-07-19</modified>
</dates>
</vuln>
<vuln vid="29083f8e-2ca8-11e5-86ff-14dae9d210b8">
<topic>apache22 -- chunk header parsing defect</topic>
<affects>
<package>
<name>apache22</name>
<name>apache22-event-mpm</name>
<name>apache22-itk-mpm</name>
<name>apache22-peruser-mpm</name>
<name>apache22-worker-mpm</name>
<range><le>2.2.29_5</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache Foundation reports:</p>
<blockquote cite="http://www.apache.org/dist/httpd/Announcement2.2.html">
<p>CVE-2015-3183 core: Fix chunk header parsing defect. Remove
apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN
filter, parse chunks in a single pass with zero copy. Limit accepted
chunk-size to 2^63-1 and be strict about chunk-ext authorized
characters.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.apache.org/dist/httpd/Announcement2.2.html</url>
<url>https://github.com/apache/httpd/commit/29779fd08c18b18efc5e640d74cbe297c7ec007e</url>
<cvename>CVE-2015-3183</cvename>
</references>
<dates>
<discovery>2015-06-24</discovery>
<entry>2015-07-17</entry>
</dates>
</vuln>
<vuln vid="5c399624-2bef-11e5-86ff-14dae9d210b8">
<topic>zenphoto -- multiple vulnerabilities</topic>
<affects>
<package>
<name>zenphoto</name>
<range><lt>1.4.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>zenphoto reports:</p>
<blockquote cite="http://www.zenphoto.org/news/zenphoto-1.4.9">
<p>Fixes several SQL Injection, XSS and path traversal
security issues</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.zenphoto.org/news/zenphoto-1.4.9</url>
<mlist>http://seclists.org/oss-sec/2015/q3/123</mlist>
<url>https://github.com/zenphoto/zenphoto/pull/935</url>
<cvename>CVE-2015-5591</cvename>
<cvename>CVE-2015-5592</cvename>
<cvename>CVE-2015-5593</cvename>
<cvename>CVE-2015-5594</cvename>
<cvename>CVE-2015-5595</cvename>
</references>
<dates>
<discovery>2015-05-24</discovery>
<entry>2015-07-16</entry>
<modified>2015-07-18</modified>
</dates>
</vuln>
<vuln vid="67b3fef2-2bea-11e5-86ff-14dae9d210b8">
<topic>groovy -- remote execution of untrusted code</topic>
<affects>
<package>
<name>groovy</name>
<range><ge>1.7.0</ge><lt>2.4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Cédric Champeau reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/121">
<p>Description</p>
<p>When an application has Groovy on the classpath and it
uses the standard Java serialization mechanism to communicate
between servers, or to store local data, it is possible for
an attacker to bake a special serialized object that will
execute code directly when deserialized. All applications
which rely on serialization and do not isolate the code which
deserializes objects are subject to this vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<mlist>http://seclists.org/oss-sec/2015/q3/121</mlist>
<url>http://groovy-lang.org/security.html</url>
<url>https://issues.apache.org/jira/browse/GROOVY-7504</url>
<cvename>CVE-2015-3253</cvename>
</references>
<dates>
<discovery>2015-07-09</discovery>
<entry>2015-07-16</entry>
</dates>
</vuln>
<vuln vid="a928960a-2bdc-11e5-86ff-14dae9d210b8">
<topic>libav -- divide by zero</topic>
<affects>
<package>
<name>libav</name>
<range><le>11.3_2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Agostino Sarubbo reports:</p>
<blockquote cite="https://blogs.gentoo.org/ago/2015/07/16/libav-divide-by-zero-in-ff_h263_decode_mba/">
<p>libav: divide-by-zero in ff_h263_decode_mba()</p>
</blockquote>
</body>
</description>
<references>
<url>https://blogs.gentoo.org/ago/2015/07/16/libav-divide-by-zero-in-ff_h263_decode_mba/</url>
<url>https://git.libav.org/?p=libav.git;a=commitdiff;h=0a49a62f998747cfa564d98d36a459fe70d3299b;hp=6f4cd33efb5a9ec75db1677d5f7846c60337129f</url>
<cvename>CVE-2015-5479</cvename>
</references>
<dates>
<discovery>2015-06-21</discovery>
<entry>2015-07-16</entry>
</dates>
</vuln>
<vuln vid="44d9daee-940c-4179-86bb-6e3ffd617869">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>39.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>39.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<!-- seamonkey-2.35 milestone.txt: 38.2.0esrpre -->
<range><lt>2.35</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<!-- seamonkey-2.35 milestone.txt: 38.2.0esrpre -->
<range><lt>2.35</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>31.8.0,1</lt></range>
<range><ge>38.0,1</ge><lt>38.1.0,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><lt>31.8.0</lt></range>
<range><ge>38.0</ge><lt>38.1.0</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>31.8.0</lt></range>
<range><ge>38.0</ge><lt>38.1.0</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>31.8.0</lt></range>
<range><ge>38.0</ge><lt>38.1.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/">
<p>MFSA 2015-59 Miscellaneous memory safety hazards (rv:39.0
/ rv:31.8 / rv:38.1)</p>
<p>MFSA 2015-60 Local files or privileged URLs in pages can
be opened into new tabs</p>
<p>MFSA 2015-61 Type confusion in Indexed Database
Manager</p>
<p>MFSA 2015-62 Out-of-bound read while computing an
oscillator rendering range in Web Audio</p>
<p>MFSA 2015-63 Use-after-free in Content Policy due to
microtask execution error</p>
<p>MFSA 2015-64 ECDSA signature validation fails to handle
some signatures correctly</p>
<p>MFSA 2015-65 Use-after-free in workers while using
XMLHttpRequest</p>
<p>MFSA 2015-66 Vulnerabilities found through code
inspection</p>
<p>MFSA 2015-67 Key pinning is ignored when overridable
errors are encountered</p>
<p>MFSA 2015-68 OS X crash reports may contain entered key
press information</p>
<p>MFSA 2015-69 Privilege escalation through internal
workers</p>
<p>MFSA 2015-70 NSS accepts export-length DHE keys with
regular DHE cipher suites</p>
<p>MFSA 2015-71 NSS incorrectly permits skipping of
ServerKeyExchange</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2721</cvename>
<cvename>CVE-2015-2722</cvename>
<cvename>CVE-2015-2724</cvename>
<cvename>CVE-2015-2725</cvename>
<cvename>CVE-2015-2726</cvename>
<cvename>CVE-2015-2727</cvename>
<cvename>CVE-2015-2728</cvename>
<cvename>CVE-2015-2729</cvename>
<cvename>CVE-2015-2730</cvename>
<cvename>CVE-2015-2731</cvename>
<cvename>CVE-2015-2733</cvename>
<cvename>CVE-2015-2734</cvename>
<cvename>CVE-2015-2735</cvename>
<cvename>CVE-2015-2736</cvename>
<cvename>CVE-2015-2737</cvename>
<cvename>CVE-2015-2738</cvename>
<cvename>CVE-2015-2739</cvename>
<cvename>CVE-2015-2740</cvename>
<cvename>CVE-2015-2741</cvename>
<cvename>CVE-2015-2742</cvename>
<cvename>CVE-2015-2743</cvename>
<cvename>CVE-2015-4000</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-59/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-60/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-61/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-62/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-63/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-64/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-65/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-66/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-67/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-68/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-69/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-70/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-71/</url>
</references>
<dates>
<discovery>2015-07-02</discovery>
<entry>2015-07-16</entry>
<modified>2015-09-22</modified>
</dates>
</vuln>
<vuln vid="d3216606-2b47-11e5-a668-080027ef73ec">
<topic>PolarSSL -- Security Fix Backports</topic>
<affects>
<package>
<name>polarssl</name>
<range><lt>1.2.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Paul Bakker reports:</p>
<blockquote cite="https://tls.mbed.org/tech-updates/releases/polarssl-1.2.14-released">
<p>PolarSSL 1.2.14 fixes one remotely-triggerable issue that was
found by the Codenomicon Defensics tool, one potential remote crash
and countermeasures against the "Lucky 13 strikes back" cache-based
attack.</p>
</blockquote>
</body>
</description>
<references>
<url>https://tls.mbed.org/tech-updates/releases/polarssl-1.2.14-released</url>
</references>
<dates>
<discovery>2015-06-26</discovery>
<entry>2015-07-15</entry>
</dates>
</vuln>
<vuln vid="ca139c7f-2a8c-11e5-a4a5-002590263bf5">
<topic>libwmf -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libwmf</name>
<range><lt>0.2.8.4_14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mitre reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0941">
<p>Multiple buffer overflows in the gd graphics library (libgd) 2.0.21
and earlier may allow remote attackers to execute arbitrary code via
malformed image files that trigger the overflows due to improper
calls to the gdMalloc function, a different set of vulnerabilities
than CVE-2004-0990.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0455">
<p>Buffer overflow in the gdImageStringFTEx function in gdft.c in GD
Graphics Library 2.0.33 and earlier allows remote attackers to cause
a denial of service (application crash) and possibly execute
arbitrary code via a crafted string with a JIS encoded font.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756">
<p>The gdPngReadData function in libgd 2.0.34 allows user-assisted
attackers to cause a denial of service (CPU consumption) via a
crafted PNG image with truncated data, which causes an infinite loop
in the png_read_info function in libpng.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3472">
<p>Integer overflow in gdImageCreateTrueColor function in the GD
Graphics Library (libgd) before 2.0.35 allows user-assisted remote
attackers to have unspecified attack vectors and impact.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3473">
<p>The gdImageCreateXbm function in the GD Graphics Library (libgd)
before 2.0.35 allows user-assisted remote attackers to cause a
denial of service (crash) via unspecified vectors involving a
gdImageCreate failure.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3477">
<p>The (a) imagearc and (b) imagefilledarc functions in GD Graphics
Library (libgd) before 2.0.35 allow attackers to cause a denial of
service (CPU consumption) via a large (1) start or (2) end angle
degree value.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546">
<p>The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before
5.3.1, and the GD Graphics Library 2.x, does not properly verify a
certain colorsTotal structure member, which might allow remote
attackers to conduct buffer overflow or buffer over-read attacks via
a crafted GD file, a different vulnerability than CVE-2009-3293.
NOTE: some of these details are obtained from third party
information.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848">
<p>Heap-based buffer overflow in libwmf 0.2.8.4 allows remote
attackers to cause a denial of service (crash) or possibly execute
arbitrary code via a crafted BMP image.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4695">
<p>meta.h in libwmf 0.2.8.4 allows remote attackers to cause a denial
of service (out-of-bounds read) via a crafted WMF file.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4696">
<p>Use-after-free vulnerability in libwmf 0.2.8.4 allows remote
attackers to cause a denial of service (crash) via a crafted WMF
file to the (1) wmf2gd or (2) wmf2eps command.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588">
<p>Heap-based buffer overflow in the DecodeImage function in libwmf
0.2.8.4 allows remote attackers to cause a denial of service (crash)
or possibly execute arbitrary code via a crafted "run-length count"
in an image in a WMF file.</p>
</blockquote>
</body>
</description>
<references>
<bid>11663</bid>
<bid>22289</bid>
<bid>24089</bid>
<bid>24651</bid>
<bid>36712</bid>
<freebsdpr>ports/201513</freebsdpr>
<cvename>CVE-2004-0941</cvename>
<cvename>CVE-2007-0455</cvename>
<cvename>CVE-2007-2756</cvename>
<cvename>CVE-2007-3472</cvename>
<cvename>CVE-2007-3473</cvename>
<cvename>CVE-2007-3477</cvename>
<cvename>CVE-2009-3546</cvename>
<cvename>CVE-2015-0848</cvename>
<cvename>CVE-2015-4695</cvename>
<cvename>CVE-2015-4696</cvename>
<cvename>CVE-2015-4588</cvename>
</references>
<dates>
<discovery>2004-10-12</discovery>
<entry>2015-07-15</entry>
</dates>
</vuln>
<vuln vid="a12494c1-2af4-11e5-86ff-14dae9d210b8">
<topic>apache24 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>apache24</name>
<range><lt>2.4.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jim Jagielski reports:</p>
<blockquote cite="https://mail-archives.apache.org/mod_mbox/www-announce/201507.mbox/%3CAA5C882C-A9C3-46B9-9320-5040A2152E83@apache.org%3E">
<p>CVE-2015-3183 (cve.mitre.org)
core: Fix chunk header parsing defect.
Remove apr_brigade_flatten(), buffering and duplicated code from
the HTTP_IN filter, parse chunks in a single pass with zero copy.
Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
authorized characters.</p>
<p>CVE-2015-3185 (cve.mitre.org)
Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
with new ap_some_authn_required and ap_force_authn hook.</p>
<p>CVE-2015-0253 (cve.mitre.org)
core: Fix a crash with ErrorDocument 400 pointing to a local URL-path
with the INCLUDES filter active, introduced in 2.4.11. PR 57531.</p>
<p>CVE-2015-0228 (cve.mitre.org)
mod_lua: A maliciously crafted websockets PING after a script
calls r:wsupgrade() can cause a child process crash.</p>
</blockquote>
</body>
</description>
<references>
<mlist>https://mail-archives.apache.org/mod_mbox/www-announce/201507.mbox/%3CAA5C882C-A9C3-46B9-9320-5040A2152E83@apache.org%3E</mlist>
<cvename>CVE-2015-3183</cvename>
<cvename>CVE-2015-3185</cvename>
<cvename>CVE-2015-0253</cvename>
<cvename>CVE-2015-0228</cvename>
</references>
<dates>
<discovery>2015-02-04</discovery>
<entry>2015-07-15</entry>
</dates>
</vuln>
<vuln vid="8d2d6bbd-2a02-11e5-a0af-bcaec565249c">
<topic>Adobe Flash Player -- critical vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<range><lt>11.2r202.491</lt></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.491</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-18.html">
<p>Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have
been identified. Successful exploitation could cause a crash
and potentially allow an attacker to take control of the
affected system. Adobe is aware of reports that exploits
targeting these vulnerabilities have been published publicly.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5122</cvename>
<cvename>CVE-2015-5123</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-18.html</url>
</references>
<dates>
<discovery>2015-07-10</discovery>
<entry>2015-07-14</entry>
<modified>2015-07-16</modified>
</dates>
</vuln>
<vuln vid="3d39e927-29a2-11e5-86ff-14dae9d210b8">
<topic>php -- use-after-free vulnerability</topic>
<affects>
<package>
<name>php56-sqlite3</name>
<range><lt>5.6.11</lt></range>
</package>
<package>
<name>php55-sqlite3</name>
<range><lt>5.5.27</lt></range>
</package>
<package>
<name>php5-sqlite3</name>
<range><lt>5.4.43</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Symeon Paraschoudis reports:</p>
<blockquote cite="https://bugs.php.net/bug.php?id=69972">
<p>Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.php.net/bug.php?id=69972</url>
</references>
<dates>
<discovery>2015-06-30</discovery>
<entry>2015-07-13</entry>
</dates>
</vuln>
<vuln vid="af7fbd91-29a1-11e5-86ff-14dae9d210b8">
<topic>php -- use-after-free vulnerability</topic>
<affects>
<package>
<name>php56</name>
<range><lt>5.6.11</lt></range>
</package>
<package>
<name>php55</name>
<range><lt>5.5.27</lt></range>
</package>
<package>
<name>php5</name>
<range><lt>5.4.43</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Symeon Paraschoudis reports:</p>
<blockquote cite="https://bugs.php.net/bug.php?id=69970">
<p>Use-after-free vulnerability in spl_recursive_it_move_forward_ex()</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.php.net/bug.php?id=69970</url>
</references>
<dates>
<discovery>2015-06-30</discovery>
<entry>2015-07-13</entry>
</dates>
</vuln>
<vuln vid="5a1d5d74-29a0-11e5-86ff-14dae9d210b8">
<topic>php -- arbitrary code execution</topic>
<affects>
<package>
<name>php56</name>
<range><lt>5.6.11</lt></range>
</package>
<package>
<name>php55</name>
<range><lt>5.5.27</lt></range>
</package>
<package>
<name>php5</name>
<range><lt>5.4.43</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>cmb reports:</p>
<blockquote cite="https://bugs.php.net/bug.php?id=69768">
<p>When delayed variable substitution is enabled (can be set in the
Registry, for instance), !ENV! works similar to %ENV%, and the
value of the environment variable ENV will be substituted.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.php.net/bug.php?id=69768</url>
</references>
<dates>
<discovery>2015-06-07</discovery>
<entry>2015-07-13</entry>
</dates>
</vuln>
<vuln vid="36bd352d-299b-11e5-86ff-14dae9d210b8">
<topic>mysql -- SSL Downgrade</topic>
<affects>
<package>
<name>php56-mysql</name>
<name>php56-mysqli</name>
<range><lt>5.6.11</lt></range>
</package>
<package>
<name>php55-mysql</name>
<name>php55-mysqli</name>
<range><lt>5.5.27</lt></range>
</package>
<package>
<name>php5-mysql</name>
<name>php5-mysqli</name>
<range><lt>5.4.43</lt></range>
</package>
<package>
<name>mariadb55-client</name>
<range><lt>5.5.44</lt></range>
</package>
<package>
<name>mariadb100-client</name>
<range><lt>10.0.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Duo Security reports:</p>
<blockquote cite="https://www.duosecurity.com/blog/backronym-mysql-vulnerability">
<p>Researchers have identified a serious vulnerability in some
versions of Oracle’s MySQL database product that allows an attacker to
strip SSL/TLS connections of their security wrapping transparently.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.php.net/bug.php?id=69669</url>
<url>https://www.duosecurity.com/blog/backronym-mysql-vulnerability</url>
<url>http://www.ocert.org/advisories/ocert-2015-003.html</url>
<url>https://mariadb.atlassian.net/browse/MDEV-7937</url>
<url>https://mariadb.com/kb/en/mariadb/mariadb-10020-changelog/</url>
<url>https://mariadb.com/kb/en/mariadb/mariadb-5544-changelog/</url>
<cvename>CVE-2015-3152</cvename>
</references>
<dates>
<discovery>2015-03-20</discovery>
<entry>2015-07-13</entry>
<modified>2015-07-18</modified>
</dates>
</vuln>
<vuln vid="81326883-2905-11e5-a4a5-002590263bf5">
<topic>devel/ipython -- CSRF possible remote execution vulnerability</topic>
<affects>
<package>
<name>ipython</name>
<range><ge>0.12</ge><lt>3.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Kyle Kelley reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q3/92">
<p>Summary: POST requests exposed via the IPython REST API are
vulnerable to cross-site request forgery (CSRF). Web pages on
different domains can make non-AJAX POST requests to known IPython
URLs, and IPython will honor them. The user's browser will
automatically send IPython cookies along with the requests. The
response is blocked by the Same-Origin Policy, but the request
isn't.</p>
<p>API paths with issues:</p>
<ul>
<li>POST /api/contents/&lt;path&gt;/&lt;file&gt;</li>
<li>POST /api/contents/&lt;path&gt;/&lt;file&gt;/checkpoints</li>
<li>POST /api/contents/&lt;path&gt;/&lt;file&gt;/checkpoints/&lt;checkpoint_id&gt;</li>
<li>POST /api/kernels</li>
<li>POST /api/kernels/&lt;kernel_id&gt;/&lt;action&gt;</li>
<li>POST /api/sessions</li>
<li>POST /api/clusters/&lt;cluster_id&gt;/&lt;action&gt;</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5607</cvename>
<url>http://seclists.org/oss-sec/2015/q3/92</url>
<url>http://ipython.org/ipython-doc/3/whatsnew/version3.html#ipython-3-2-1</url>
</references>
<dates>
<discovery>2015-07-12</discovery>
<entry>2015-07-13</entry>
<modified>2015-07-22</modified>
</dates>
</vuln>
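The IPython report above describes the mechanism (a cross-site form POST carries the victim's cookies; the browser blocks the response, not the request) without showing the server-side check that closes it. The following is an added example, not IPython's own code: a request gate that requires both a same-origin Origin/Referer and a double-submit token that a third-party page can make the browser send as a cookie but cannot read back. The server origin, the `_xsrf` cookie name, the `X-XSRFToken` header name and all request data are constructed assumptions for the demonstration.

```python
"""Added example (not IPython's code): gate for CSRF-prone POST endpoints.
A cross-origin HTML form can POST to /api/kernels with the victim's cookies
attached; the browser blocks the response, not the request.  The defence is
to require something the attacking page cannot supply: a token that matches
a cookie (double submit) and an Origin/Referer that belongs to the app.
All request data below is constructed for the demonstration."""

from urllib.parse import urlsplit
import hmac

APP_ORIGIN = "http://localhost:8888"          # assumed server origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(headers):
    """Return the scheme://host[:port] the browser says the request came
    from, taken from Origin (preferred) or Referer; None if neither."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return "%s://%s" % (parts.scheme, parts.netloc)
    return None


def is_request_allowed(method, headers, cookies, form):
    """Decide whether a state-changing request may be honoured.

    headers, cookies and form are plain dicts (constructed stand-ins for the
    objects a web framework would hand us).  Returns (allowed, reason)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # 1. Same-origin check: browsers set Origin on cross-site form posts and
    #    on fetch/XHR, and the attacker's page cannot forge that header.
    origin = origin_of(headers)
    if origin != APP_ORIGIN:
        return False, "cross-origin request (Origin/Referer=%r)" % origin
    # 2. Double-submit token: the attacker's page can make the browser SEND
    #    the _xsrf cookie but cannot READ it, so it cannot echo it back in
    #    the form body or in a header.
    cookie_token = cookies.get("_xsrf")
    sent_token = form.get("_xsrf") or headers.get("X-XSRFToken")
    if not cookie_token or not sent_token:
        return False, "missing XSRF token"
    if not hmac.compare_digest(cookie_token, sent_token):
        return False, "XSRF token mismatch"
    return True, "ok"


def demo():
    """Three constructed requests against POST /api/kernels."""
    cookies = {"_xsrf": "2|a1b2c3d4|deadbeef"}   # set earlier by the app
    # (a) the CSRF attack: a form on evil.example auto-submits with our cookies
    attack = is_request_allowed(
        "POST", {"Origin": "http://evil.example"}, cookies, {"name": "python3"})
    # (b) legitimate same-origin XHR that echoes the cookie in a header
    legit = is_request_allowed(
        "POST", {"Origin": APP_ORIGIN, "X-XSRFToken": cookies["_xsrf"]},
        cookies, {"name": "python3"})
    # (c) same origin, but the token was never supplied (e.g. an old client)
    stale = is_request_allowed(
        "POST", {"Referer": APP_ORIGIN + "/notebooks/x.ipynb"}, cookies, {})
    return attack, legit, stale


if __name__ == "__main__":
    for allowed, reason in demo():
        print("allowed" if allowed else "rejected", "-", reason)
```

The Origin check alone would already stop the browser-driven attack described in the report; the token is kept because older browsers and some proxies omit or strip Origin and Referer, and an endpoint that falls open when a header is absent is the same bug in a different coat.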
<vuln vid="379788f3-2900-11e5-a4a5-002590263bf5">
<topic>freeradius -- insufficient CRL application vulnerability</topic>
<affects>
<package>
<name>freeradius2</name>
<range><lt>2.2.8</lt></range>
</package>
<package>
<name>freeradius3</name>
<range><lt>3.0.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>oCERT reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2015-008.html">
<p>The FreeRADIUS server relies on OpenSSL to perform certificate
validation, including Certificate Revocation List (CRL) checks. The
FreeRADIUS usage of OpenSSL, in CRL application, limits the checks
to leaf certificates, therefore not detecting revocation of
intermediate CA certificates.</p>
<p>An unexpired client certificate, issued by an intermediate CA with
a revoked certificate, is therefore accepted by FreeRADIUS.</p>
<p>Specifically, FreeRADIUS sets the X509_V_FLAG_CRL_CHECK flag for
leaf certificate CRL checks, but does not use X509_V_FLAG_CRL_CHECK_ALL
for CRL checks on the complete trust chain.</p>
<p>The FreeRADIUS project advises that the recommended configuration
is to use self-signed CAs for all EAP-TLS methods.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4680</cvename>
<freebsdpr>ports/201058</freebsdpr>
<freebsdpr>ports/201059</freebsdpr>
<url>http://www.ocert.org/advisories/ocert-2015-008.html</url>
<url>http://freeradius.org/security.html</url>
</references>
<dates>
<discovery>2015-06-22</discovery>
<entry>2015-07-13</entry>
</dates>
</vuln>
<vuln vid="f1deed23-27ec-11e5-a4a5-002590263bf5">
<topic>xen-tools -- xl command line config handling stack overflow</topic>
<affects>
<package>
<name>xen-tools</name>
<range><ge>4.1</ge><lt>4.5.0_8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-137.html">
<p>The xl command line utility mishandles long configuration values
when passed as command line arguments, with a buffer overrun.</p>
<p>A semi-trusted guest administrator or controller, who is intended
to be able to partially control the configuration settings for a
domain, can escalate their privileges to that of the whole host.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3259</cvename>
<url>http://xenbits.xen.org/xsa/advisory-137.html</url>
</references>
<dates>
<discovery>2015-07-07</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="8c31b288-27ec-11e5-a4a5-002590263bf5">
<topic>xen-kernel -- vulnerability in the iret hypercall handler</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>3.1</ge><lt>4.5.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-136.html">
<p>A buggy loop in Xen's compat_iret() function iterates the wrong way
around a 32-bit index. Any 32-bit PV guest kernel can trigger this
vulnerability by attempting a hypercall_iret with EFLAGS.VM set.</p>
<p>Given the use of __get/put_user(), and that the virtual addresses
in question are contained within the lower canonical half, the guest
cannot clobber any hypervisor data. Instead, Xen will take up to
2^33 pagefaults, in sequence, effectively hanging the host.</p>
<p>Malicious guest administrators can cause a denial of service
affecting the whole system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4164</cvename>
<url>http://xenbits.xen.org/xsa/advisory-136.html</url>
</references>
<dates>
<discovery>2015-06-11</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="80e846ff-27eb-11e5-a4a5-002590263bf5">
<topic>xen-kernel -- GNTTABOP_swap_grant_ref operation misbehavior</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>4.2</ge><lt>4.5.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-134.html">
<p>With the introduction of version 2 grant table operations, a
version check became necessary for most grant table related
hypercalls. The GNTTABOP_swap_grant_ref call was lacking such a
check. As a result, the subsequent code behaved as if version 2 was
in use, when a guest issued this hypercall without a prior
GNTTABOP_setup_table or GNTTABOP_set_version.</p>
<p>The effect is possible NULL pointer dereferences. However, this
cannot be exploited to elevate privileges of the attacking domain,
as the maximum memory address that can be wrongly accessed this way
is bounded to far below the start of hypervisor memory.</p>
<p>Malicious or buggy guest domain kernels can mount a denial of
service attack which, if successful, can affect the whole system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4163</cvename>
<url>http://xenbits.xen.org/xsa/advisory-134.html</url>
</references>
<dates>
<discovery>2015-06-11</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="ce658051-27ea-11e5-a4a5-002590263bf5">
<topic>xen-kernel -- Information leak through XEN_DOMCTL_gettscinfo</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>4.0</ge><lt>4.5.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-132.html">
<p>The handler for XEN_DOMCTL_gettscinfo failed to initialize a
padding field subsequently copied to guest memory.</p>
<p>A similar leak existed in XEN_SYSCTL_getdomaininfolist, which is
being addressed here regardless of that operation being declared
unsafe for disaggregation by XSA-77.</p>
<p>Malicious or buggy stub domain kernels or tool stacks otherwise
living outside of Domain0 may be able to read sensitive data
relating to the hypervisor or other guests not under the control of
that domain.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3340</cvename>
<url>http://xenbits.xen.org/xsa/advisory-132.html</url>
</references>
<dates>
<discovery>2015-04-20</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="3d657340-27ea-11e5-a4a5-002590263bf5">
<topic>xen-tools -- Unmediated PCI register access in qemu</topic>
<affects>
<package>
<name>xen-tools</name>
<range><ge>3.3</ge><lt>4.5.0_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-131.html">
<p>Qemu allows guests to not only read, but also write all parts of
the PCI config space (but not extended config space) of passed
through PCI devices not explicitly dealt with for (partial)
emulation purposes.</p>
<p>Since the effect depends on the specific purpose of the config
space field, it's not possible to give a general statement about the
exact impact on the host or other guests. Privilege escalation,
host crash (Denial of Service), and leaked information all cannot be
excluded.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4106</cvename>
<url>http://xenbits.xen.org/xsa/advisory-131.html</url>
</references>
<dates>
<discovery>2015-06-02</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="cbe1a0f9-27e9-11e5-a4a5-002590263bf5">
<topic>xen-tools -- Guest triggerable qemu MSI-X pass-through error messages</topic>
<affects>
<package>
<name>xen-tools</name>
<range><ge>3.3</ge><lt>4.5.0_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-130.html">
<p>Device model code dealing with guest PCI MSI-X interrupt management
activities logs messages on certain (supposedly) invalid guest
operations.</p>
<p>A buggy or malicious guest repeatedly invoking such operations may
result in the host disk filling up, possibly leading to a Denial of
Service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4105</cvename>
<url>http://xenbits.xen.org/xsa/advisory-130.html</url>
</references>
<dates>
<discovery>2015-06-02</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="4db8a0f4-27e9-11e5-a4a5-002590263bf5">
<topic>xen-tools -- PCI MSI mask bits inadvertently exposed to guests</topic>
<affects>
<package>
<name>xen-tools</name>
<range><ge>3.3</ge><lt>4.5.0_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-129.html">
<p>The mask bits optionally available in the PCI MSI capability
structure are used by the hypervisor to occasionally suppress
interrupt delivery. Unprivileged guests were, however, nevertheless
allowed direct control of these bits.</p>
<p>Interrupts may be observed by Xen at unexpected times, which may
lead to a host crash and therefore a Denial of Service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4104</cvename>
<url>http://xenbits.xen.org/xsa/advisory-129.html</url>
</references>
<dates>
<discovery>2015-06-02</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="af38cfec-27e7-11e5-a4a5-002590263bf5">
<topic>xen-tools -- Potential unintended writes to host MSI message data field via qemu</topic>
<affects>
<package>
<name>xen-tools</name>
<range><ge>3.3</ge><lt>4.5.0_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-128.html">
<p>Logic is in place to avoid writes to certain host config space
fields when the guest must nevertheless be able to access their
virtual counterparts. A bug in how this logic deals with accesses
spanning multiple fields allows the guest to write to the host MSI
message data field.</p>
<p>While generally the writes write back the values previously read,
their value in config space may have got changed by the host between
the qemu read and write. In such a case host side interrupt handling
could become confused, possibly losing interrupts or allowing
spurious interrupt injection into other guests.</p>
<p>Certain untrusted guest administrators may be able to confuse host
side interrupt handling, leading to a Denial of Service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4103</cvename>
<url>http://xenbits.xen.org/xsa/advisory-128.html</url>
</references>
<dates>
<discovery>2015-06-02</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="103a47d5-27e7-11e5-a4a5-002590263bf5">
<topic>xen-kernel -- Certain domctl operations may be abused to lock up the host</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>4.3</ge><lt>4.5.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-127.html">
<p>XSA-77 put the majority of the domctl operations on a list
excepting them from having security advisories issued for them if
any effects their use might have could hamper security. Subsequently
some of them got declared disaggregation safe, but for a small
subset this was not really correct: Their (mis-)use may result in
host lockups.</p>
<p>As a result, the potential security benefits of toolstack
disaggregation are not always fully realised.</p>
<p>Domains deliberately given partial management control may be able
to deny service to the entire host.</p>
<p>As a result, in a system designed to enhance security by radically
disaggregating the management, the security may be reduced. But,
the security will be no worse than a non-disaggregated design.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2751</cvename>
<url>http://xenbits.xen.org/xsa/advisory-127.html</url>
</references>
<dates>
<discovery>2015-03-31</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="79f401cd-27e6-11e5-a4a5-002590263bf5">
<topic>xen-tools -- Unmediated PCI command register access in qemu</topic>
<affects>
<package>
<name>xen-tools</name>
<range><ge>3.3</ge><lt>4.5.0_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-126.html">
<p>HVM guests are currently permitted to modify the memory and I/O
decode bits in the PCI command register of devices passed through to
them. Unless the device is an SR-IOV virtual function, after
disabling one or both of these bits subsequent accesses to the MMIO
or I/O port ranges would - on PCI Express devices - lead to
Unsupported Request responses. The treatment of such errors is
platform specific.</p>
<p>Furthermore (at least) devices under control of the Linux pciback
driver in the host are handed to guests with the aforementioned bits
turned off. This means that such accesses can similarly lead to
Unsupported Request responses until these flags are set as needed by
the guest.</p>
<p>In the event that the platform surfaces aforementioned UR responses
as Non-Maskable Interrupts, and either the OS is configured to treat
NMIs as fatal or (e.g. via ACPI's APEI) the platform tells the OS to
treat these errors as fatal, the host would crash, leading to a
Denial of Service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2756</cvename>
<url>http://xenbits.xen.org/xsa/advisory-126.html</url>
</references>
<dates>
<discovery>2015-03-31</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="d40c66cb-27e4-11e5-a4a5-002590263bf5">
<topic>xen-kernel and xen-tools -- Long latency MMIO mapping operations are not preemptible</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.5.0_3</lt></range>
</package>
<package>
<name>xen-tools</name>
<range><lt>4.5.0_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-125.html">
<p>The XEN_DOMCTL_memory_mapping hypercall allows long running
operations without implementing preemption.</p>
<p>This hypercall is used by the device model as part of the emulation
associated with configuration of PCI devices passed through to HVM
guests and is therefore indirectly exposed to those guests.</p>
<p>This can cause a physical CPU to become busy for a significant
period, leading to a host denial of service in some cases.</p>
<p>If a host denial of service is not triggered then it may instead be
possible to deny service to the domain running the device model,
e.g. domain 0.</p>
<p>This hypercall is also exposed more generally to all toolstacks.
However the uses of it in libxl based toolstacks are not believed
to open up any avenue of attack from an untrusted guest. Other
toolstacks may be vulnerable however.</p>
<p>The vulnerability is exposed via HVM guests which have a PCI device
assigned to them. A malicious HVM guest in such a configuration can
mount a denial of service attack affecting the whole system via its
associated device model (qemu-dm).</p>
<p>A guest is able to trigger this hypercall via operations which it
is legitimately expected to perform, therefore running the device
model as a stub domain does not offer protection against the host
denial of service issue. However it does offer some protection
against secondary issues such as denial of service against dom0.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2752</cvename>
<url>http://xenbits.xen.org/xsa/advisory-125.html</url>
</references>
<dates>
<discovery>2015-03-31</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="83a28417-27e3-11e5-a4a5-002590263bf5">
<topic>xen-kernel -- Hypervisor memory corruption due to x86 emulator flaw</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.5.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-123.html">
<p>Instructions with register operands ignore eventual segment
overrides encoded for them. Due to an insufficiently conditional
assignment such a bogus segment override can, however, corrupt a
pointer used subsequently to store the result of the instruction.</p>
<p>A malicious guest might be able to read sensitive data relating to
other guests, or to cause denial of service on the host. Arbitrary
code execution, and therefore privilege escalation, cannot be
excluded.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2151</cvename>
<url>http://xenbits.xen.org/xsa/advisory-123.html</url>
</references>
<dates>
<discovery>2015-03-10</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="ef9d041e-27e2-11e5-a4a5-002590263bf5">
<topic>xen-kernel -- Information leak through version information hypercall</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.5.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-122.html">
<p>The code handling certain sub-operations of the
HYPERVISOR_xen_version hypercall fails to fully initialize all
fields of structures subsequently copied back to guest memory. Due
to this hypervisor stack contents are copied into the destination of
the operation, thus becoming visible to the guest.</p>
<p>A malicious guest might be able to read sensitive data relating to
other guests.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2045</cvename>
<url>http://xenbits.xen.org/xsa/advisory-122.html</url>
</references>
<dates>
<discovery>2015-03-05</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="5023f559-27e2-11e5-a4a5-002590263bf5">
<topic>xen-kernel -- Information leak via internal x86 system device emulation</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.5.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-121.html">
<p>Emulation routines in the hypervisor dealing with certain system
devices check whether the access size by the guest is a supported
one. When the access size is unsupported these routines failed to
set the data to be returned to the guest for read accesses, so that
hypervisor stack contents are copied into the destination of the
operation, thus becoming visible to the guest.</p>
<p>A malicious HVM guest might be able to read sensitive data relating
to other guests.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2044</cvename>
<url>http://xenbits.xen.org/xsa/advisory-121.html</url>
</references>
<dates>
<discovery>2015-03-05</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="0d732fd1-27e0-11e5-a4a5-002590263bf5">
<topic>xen-tools -- HVM qemu unexpectedly enabling emulated VGA graphics backends</topic>
<affects>
<package>
<name>xen-tools</name>
<range><lt>4.5.0_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-119.html">
<p>When instantiating an emulated VGA device for an x86 HVM guest qemu
will by default enable a backend to expose that device, either SDL
or VNC depending on the version of qemu and the build time
configuration.</p>
<p>The libxl toolstack library does not explicitly disable these
default backends when they are not enabled, leading to an unexpected
backend running.</p>
<p>If either SDL or VNC is explicitly enabled in the guest
configuration then only the expected backends will be enabled.</p>
<p>This affects qemu-xen and qemu-xen-traditional differently.</p>
<p>If qemu-xen was compiled with SDL support then this would result in
an SDL window being opened if $DISPLAY is valid, or a failure to
start the guest if not.</p>
<p>If qemu-xen was compiled without SDL support then qemu would
instead start a VNC server listening on ::1 (IPv6 localhost) or
127.0.0.1 (IPv4 localhost) with IPv6 preferred if available. A VNC
password will not be configured even if one is present in the guest
configuration.</p>
<p>qemu-xen-traditional will never start a vnc backend unless
explicitly configured. However by default it will start an SDL
backend if it was built with SDL support and $DISPLAY is valid.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2152</cvename>
<url>http://xenbits.xen.org/xsa/advisory-119.html</url>
</references>
<dates>
<discovery>2015-03-13</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="912cb7f7-27df-11e5-a4a5-002590263bf5">
<topic>xen-kernel -- arm: vgic: incorrect rate limiting of guest triggered logging</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>4.4</ge><lt>4.5.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-118.html">
<p>On ARM systems the code which deals with virtualizing the GIC
distributor would, under various circumstances, log messages on a
guest accessible code path without appropriate rate limiting.</p>
<p>A malicious guest could cause repeated logging to the hypervisor
console, leading to a Denial of Service attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1563</cvename>
<url>http://xenbits.xen.org/xsa/advisory-118.html</url>
</references>
<dates>
<discovery>2015-01-29</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
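XSA-130 (qemu MSI-X error messages) and XSA-118 (ARM vgic logging) above are the same defect: a guest-reachable code path emits a log line per event with no rate limiting, so a hostile guest can fill the host disk or hammer the hypervisor console. The block below is an added example, not Xen or qemu code, of the per-source token-bucket limiter that is the usual fix; the burst size, refill period, guest names and event timeline are constructed for the demonstration, and the clock is injected so the run is deterministic.

```python
"""Added example (not Xen's code): rate limiting for log messages emitted
on a guest-triggerable path.  Each (source, message) key gets a token
bucket; when the bucket is empty the message is dropped and counted, and
a single summary line is emitted the next time the bucket lets a message
through.  The clock is injected so the behaviour is deterministic."""

import time
from collections import defaultdict


class RateLimitedLogger:
    def __init__(self, burst=5, per_seconds=10.0, clock=time.monotonic):
        self.burst = burst                  # max messages emitted in a burst
        self.rate = burst / per_seconds     # tokens refilled per second
        self.clock = clock
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}                      # key -> time of last refill
        self.suppressed = defaultdict(int)  # key -> dropped since last emit
        self.emitted = []                   # stand-in for the console/log file

    def _refill(self, key, now):
        last = self.last.get(key, now)
        self.tokens[key] = min(float(self.burst),
                               self.tokens[key] + (now - last) * self.rate)
        self.last[key] = now

    def log(self, source, message):
        """Return True if the line was emitted, False if it was rate-limited."""
        key = (source, message)
        now = self.clock()
        self._refill(key, now)
        if self.tokens[key] >= 1.0:
            self.tokens[key] -= 1.0
            dropped = self.suppressed.pop(key, 0)
            if dropped:
                self.emitted.append("%s: (%d similar messages suppressed)"
                                    % (source, dropped))
            self.emitted.append("%s: %s" % (source, message))
            return True
        self.suppressed[key] += 1
        return False


def demo():
    """Constructed timeline: a hostile guest (dom7) fires 10,000 invalid
    MSI-X operations within one second, then one more 30 seconds later.
    A well-behaved guest (dom2) logs once and must not be penalised."""
    t = [0.0]
    log = RateLimitedLogger(burst=5, per_seconds=10.0, clock=lambda: t[0])
    for i in range(10000):
        t[0] = i / 10000.0
        log.log("dom7", "invalid MSI-X table access")
    t[0] = 30.0
    log.log("dom7", "invalid MSI-X table access")
    log.log("dom2", "invalid MSI-X table access")
    return log.emitted


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Keying the bucket on the source as well as the message matters: a limiter keyed on the message alone would let dom7 silence dom2's genuine error reports, which is a smaller denial of service of its own.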
<vuln vid="785c86b1-27d6-11e5-a4a5-002590263bf5">
<topic>xen-kernel -- arm: vgic-v2: GICD_SGIR is not properly emulated</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>4.5</ge><lt>4.5.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-117.html">
<p>When decoding a guest write to a specific register in the virtual
interrupt controller Xen would treat an invalid value as a critical
error and crash the host.</p>
<p>By writing an invalid value to the GICD.SGIR register a guest can
crash the host, resulting in a Denial of Service attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0268</cvename>
<url>http://xenbits.xen.org/xsa/advisory-117.html</url>
</references>
<dates>
<discovery>2015-02-12</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="7313b0e3-27b4-11e5-a15a-50af736ef1c0">
<topic>pivotx -- Multiple unrestricted file upload vulnerabilities</topic>
<affects>
<package>
<name>pivotx</name>
<range><lt>2.3.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PivotX reports:</p>
<blockquote cite="http://pivotx.net/page/security">
<p>Multiple unrestricted file upload vulnerabilities in fileupload.php
in PivotX before 2.3.9 allow remote authenticated users to execute
arbitrary PHP code by uploading a file with a (1) .php or (2) .php#
extension, and then accessing it via unspecified vectors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-0341</cvename>
</references>
<dates>
<discovery>2014-04-15</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
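The PivotX entry above turns on a file name check that a ".php#" name slips past. The following is an added example, not PivotX's code, written in Python rather than PHP for the demonstration: a denylist check of the weak kind beside an allowlist check that normalises the name first and validates every dotted component. The extension sets and sample file names are constructed assumptions, not taken from PivotX.

```python
"""Added example (not PivotX's code): why a denylist on the uploaded file
name fails and what an allowlist with normalisation looks like.  The
denylist below is a constructed stand-in for the kind of check that lets
"shell.php#" through: the name does not end in ".php", yet a web server
that strips or ignores the trailing part may still hand the file to PHP."""

import os
import re

EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}  # assumed


def denylist_check(filename):
    """The weak check: reject only names whose final extension is listed."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in EXECUTABLE_EXTENSIONS


def allowlist_check(filename):
    """The hardened check.  Normalise first, then require every extension
    in the name (not just the last) to be on the allowlist, and require the
    stored name to use only characters a web server will not reinterpret."""
    base = os.path.basename(filename.replace("\\", "/"))   # drop any path
    base = base.rstrip(". ")                               # Windows/IIS quirks
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", base):         # no '#', '%', ';', NUL
        return False
    parts = base.lower().split(".")
    if len(parts) == 1:
        return False                                       # no extension at all
    # Every dotted component after the first must be allowed, so both
    # "shell.php.png" and "shell.png.php" are rejected.
    return all(p in ALLOWED_EXTENSIONS for p in parts[1:])


def safe_stored_name(filename):
    """Return the name to store under, or None if the upload must be refused.
    Storing a lowercased, validated name means the web server's handler
    mapping is decided by the application, not by the attacker's input."""
    if not allowlist_check(filename):
        return None
    return os.path.basename(filename.replace("\\", "/")).rstrip(". ").lower()


SAMPLES = [                      # constructed attacker and legitimate names
    "shell.php",                 # obvious
    "shell.php#",                # the PivotX vector: '#' after the extension
    "shell.PHP",                 # case games
    "shell.php.",                # trailing dot, stripped by some servers
    "shell.php.png",             # double extension
    "shell.png.php",
    "../../config/shell.pHp",    # path traversal plus case
    "holiday.JPG",               # legitimate
    "report.pdf",
]


def compare():
    """Return {name: (denylist_result, allowlist_result)} for SAMPLES;
    True means the upload would be accepted."""
    return {n: (denylist_check(n), allowlist_check(n)) for n in SAMPLES}


if __name__ == "__main__":
    for name, (weak, strong) in compare().items():
        print("%-28s denylist=%-5s allowlist=%s" % (name, weak, strong))
```

Even with the allowlist, the upload directory should be served with script execution disabled; the name check is the first line, not the only one.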
<vuln vid="14d846d6-27b3-11e5-a15a-50af736ef1c0">
<topic>pivotx -- cross-site scripting (XSS) vulnerability</topic>
<affects>
<package>
<name>pivotx</name>
<range><lt>2.3.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PivotX reports:</p>
<blockquote cite="http://pivotx.net/page/security">
<p>Cross-site scripting (XSS) vulnerability in the nickname (and
possibly the email) field. Mitigated by the fact that an attacker
must have a PivotX account.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-0341</cvename>
</references>
<dates>
<discovery>2014-04-15</discovery>
<entry>2015-07-11</entry>
</dates>
</vuln>
<vuln vid="c93c9395-25e1-11e5-a4a5-002590263bf5">
<topic>wpa_supplicant -- WPS_NFC option payload length validation vulnerability</topic>
<affects>
<package>
<name>wpa_supplicant</name>
<range><lt>2.4_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jouni Malinen reports:</p>
<blockquote cite="http://w1.fi/security/2015-5/incomplete-wps-and-p2p-nfc-ndef-record-payload-length-validation.txt">
<p>Incomplete WPS and P2P NFC NDEF record payload length
validation. (2015-5)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8041</cvename>
<url>http://w1.fi/security/2015-5/incomplete-wps-and-p2p-nfc-ndef-record-payload-length-validation.txt</url>
</references>
<dates>
<discovery>2015-07-08</discovery>
<entry>2015-07-09</entry>
<modified>2015-11-10</modified>
</dates>
</vuln>
<vuln vid="075952fe-267e-11e5-9d03-3c970e169bc2">
<topic>openssl -- alternate chains certificate forgery vulnerability</topic>
<affects>
<package>
<name>openssl</name>
<range><ge>1.0.2_2</ge><lt>1.0.2_4</lt></range>
</package>
<package>
<name>mingw32-openssl</name>
<range><ge>1.0.2b</ge><lt>1.0.2d</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL reports:</p>
<blockquote cite="https://www.openssl.org/news/secadv_20150709.txt">
<p>During certificate verification, OpenSSL (starting from version
1.0.1n and 1.0.2b) will attempt to find an alternative certificate
chain if the first attempt to build such a chain fails. An error
in the implementation of this logic can mean that an attacker could
cause certain checks on untrusted certificates to be bypassed,
such as the CA flag, enabling them to use a valid leaf certificate
to act as a CA and "issue" an invalid certificate.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1793</cvename>
<url>https://www.openssl.org/news/secadv_20150709.txt</url>
</references>
<dates>
<discovery>2015-07-09</discovery>
<entry>2015-07-09</entry>
</dates>
</vuln>
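Two entries in this section are about chain verification: the FreeRADIUS one (CVE-2015-4680), where CRLs are applied to the leaf only so a leaf issued by a revoked intermediate is accepted, and the OpenSSL one (CVE-2015-1793), where the alternate-chain code let a non-CA leaf act as an issuer. The block below is an added example, not OpenSSL's or FreeRADIUS's code: a deliberately small model of chain building and checking that makes both failure modes concrete. Certificates are plain records, the CRL store is a dict, and signatures, validity periods, key usage and name constraints are left out; the PKI it builds is constructed for the demonstration.

```python
"""Added example, not OpenSSL's or FreeRADIUS's code: a small model of X.509
chain building.  It shows (1) why applying CRLs to the leaf only (OpenSSL's
X509_V_FLAG_CRL_CHECK) accepts a leaf issued by a revoked intermediate while
applying them to the whole chain (X509_V_FLAG_CRL_CHECK_ALL) rejects it, and
(2) why the CA flag must be checked on every issuing certificate, the check
the alternate-chain bug bypassed.  Real verifiers also check signatures,
validity periods, key usage and name constraints; those are omitted."""

from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer serial is_ca")


class VerifyError(Exception):
    pass


def build_chain(leaf, pool, trusted):
    """Walk issuer links from the leaf up to a self-signed trusted root.
    'pool' holds untrusted certs supplied by the peer, 'trusted' the local
    store.  Returns the chain [leaf, ..., root]."""
    chain = [leaf]
    seen = {leaf.subject}
    current = leaf
    while current.subject not in trusted or current.issuer != current.subject:
        # Prefer the trust store, then the peer-supplied pool.
        issuer = trusted.get(current.issuer) or pool.get(current.issuer)
        if issuer is None or issuer.subject in seen:
            raise VerifyError("unable to get issuer certificate for %s"
                              % current.subject)
        chain.append(issuer)
        seen.add(issuer.subject)
        current = issuer
    return chain


def verify(leaf, pool, trusted, crls, crl_check_all):
    """Return the verified chain or raise VerifyError.
    'crls' maps an issuer name to the set of serials it has revoked."""
    chain = build_chain(leaf, pool, trusted)
    # (2) Every certificate that issued another one must be a CA.  Applying
    # this to the whole chain is what stops a leaf from 'issuing' certs.
    for cert in chain[1:]:
        if not cert.is_ca:
            raise VerifyError("invalid CA certificate: %s" % cert.subject)
    # (1) CRL application: leaf only, or every certificate in the chain.
    to_check = chain if crl_check_all else chain[:1]
    for cert in to_check:
        if cert.serial in crls.get(cert.issuer, set()):
            raise VerifyError("certificate revoked: %s" % cert.subject)
    return chain


# Constructed PKI: Root CA -> Intermediate CA -> client cert, and a second
# root that issued an ordinary (non-CA) server leaf.
ROOT = Cert("Root CA", "Root CA", 1, True)
INTER = Cert("Intermediate CA", "Root CA", 20, True)
CLIENT = Cert("alice@example.net", "Intermediate CA", 300, False)
OTHER_ROOT = Cert("Other CA", "Other CA", 2, True)
LEAF_AS_CA = Cert("www.example.net", "Other CA", 40, False)      # not a CA
FORGED = Cert("victim.example.net", "www.example.net", 41, False)
TRUSTED = {c.subject: c for c in (ROOT, OTHER_ROOT)}
CRLS = {"Root CA": {20}}       # the root has revoked the intermediate


def demo_revoked_intermediate(crl_check_all):
    """EAP-TLS style client check; returns 'accepted' or the error text."""
    try:
        verify(CLIENT, {INTER.subject: INTER}, TRUSTED, CRLS, crl_check_all)
        return "accepted"
    except VerifyError as e:
        return str(e)


def demo_leaf_as_ca():
    """A cert 'issued' by an ordinary leaf; returns 'accepted' or the error."""
    try:
        verify(FORGED, {LEAF_AS_CA.subject: LEAF_AS_CA}, TRUSTED, {}, True)
        return "accepted"
    except VerifyError as e:
        return str(e)


if __name__ == "__main__":
    print("leaf-only CRL check :", demo_revoked_intermediate(False))
    print("full-chain CRL check:", demo_revoked_intermediate(True))
    print("leaf acting as CA   :", demo_leaf_as_ca())
```

The FreeRADIUS project's advice to use a private, self-signed CA for EAP-TLS is the operational counterpart of check (1): with a single-level CA there is no intermediate whose revocation a leaf-only CRL check could miss.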
<vuln vid="37ed8e9c-2651-11e5-86ff-14dae9d210b8">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py27-django</name>
<range><ge>1.4.0</ge><lt>1.4.21</lt></range>
</package>
<package>
<name>py32-django</name>
<range><ge>1.4.0</ge><lt>1.4.21</lt></range>
</package>
<package>
<name>py33-django</name>
<range><ge>1.4.0</ge><lt>1.4.21</lt></range>
</package>
<package>
<name>py34-django</name>
<range><ge>1.4.0</ge><lt>1.4.21</lt></range>
</package>
<package>
<name>py27-django</name>
<range><ge>1.7.0</ge><lt>1.7.9</lt></range>
</package>
<package>
<name>py32-django</name>
<range><ge>1.7.0</ge><lt>1.7.9</lt></range>
</package>
<package>
<name>py33-django</name>
<range><ge>1.7.0</ge><lt>1.7.9</lt></range>
</package>
<package>
<name>py34-django</name>
<range><ge>1.7.0</ge><lt>1.7.9</lt></range>
</package>
<package>
<name>py27-django</name>
<range><ge>1.8.0</ge><lt>1.8.3</lt></range>
</package>
<package>
<name>py32-django</name>
<range><ge>1.8.0</ge><lt>1.8.3</lt></range>
</package>
<package>
<name>py33-django</name>
<range><ge>1.8.0</ge><lt>1.8.3</lt></range>
</package>
<package>
<name>py34-django</name>
<range><ge>1.8.0</ge><lt>1.8.3</lt></range>
</package>
<package>
<name>py27-django-devel</name>
<range><le>20150531,1</le></range>
</package>
<package>
<name>py32-django-devel</name>
<range><le>20150531,1</le></range>
</package>
<package>
<name>py33-django-devel</name>
<range><le>20150531,1</le></range>
</package>
<package>
<name>py34-django-devel</name>
<range><le>20150531,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tim Graham reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2015/jul/08/security-releases/">
<p>In accordance with our security release policy, the Django
team is issuing multiple releases -- Django 1.4.21, 1.7.9, and 1.8.3.
These releases are now available on PyPI and our download page. These
releases address several security issues detailed below. We encourage
all users of Django to upgrade as soon as possible. The Django master
branch has also been updated.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.djangoproject.com/weblog/2015/jul/08/security-releases/</url>
<url>https://github.com/django/django/commit/df049ed77a4db67e45db5679bfc76a85d2a26680</url>
<url>https://github.com/django/django/commit/014247ad1922931a2f17beaf6249247298e9dc44</url>
<url>https://github.com/django/django/commit/17d3a6d8044752f482453f5906026eaf12c39e8e</url>
<cvename>CVE-2015-5143</cvename>
<cvename>CVE-2015-5144</cvename>
<cvename>CVE-2015-5145</cvename>
</references>
<dates>
<discovery>2015-06-10</discovery>
<entry>2015-07-09</entry>
</dates>
</vuln>
<vuln vid="348bfa69-25a2-11e5-ade1-0011d823eebd">
<topic>Adobe Flash Player -- critical vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<range><lt>11.2r202.481</lt></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.481</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-16.html">
<p>
Adobe has released security updates for Adobe Flash Player. These
updates address critical vulnerabilities that could potentially
allow an attacker to take control of the affected system. Adobe is
aware of a report that an exploit targeting CVE-2015-5119 has been
publicly published.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-16.html</url>
<cvename>CVE-2015-5119</cvename>
</references>
<dates>
<discovery>2015-07-07</discovery>
<entry>2015-07-08</entry>
</dates>
</vuln>
<vuln vid="c93533a3-24f1-11e5-8b74-3c970e169bc2">
<topic>bind -- denial of service vulnerability</topic>
<affects>
<package>
<name>bind910</name>
<range><lt>9.10.2P2</lt></range>
</package>
<package>
<name>bind99</name>
<range><lt>9.9.7P1</lt></range>
</package>
<package>
<name>bind910-base</name>
<name>bind99-base</name>
<range><gt>0</gt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>9.3</ge><lt>9.3_19</lt></range>
<range><ge>8.4</ge><lt>8.4_33</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01267/">
<p>A very uncommon combination of zone data has been found
that triggers a bug in BIND, with the result that named
will exit with a "REQUIRE" failure in name.c when validating
the data returned in answer to a recursive query.</p>
<p>A recursive resolver that is performing DNSSEC validation
can be deliberately terminated by any attacker who can
cause a query to be performed against a maliciously
constructed zone. This will result in a denial of
service to clients who rely on that resolver.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-15:11.bind</freebsdsa>
<cvename>CVE-2015-4620</cvename>
<url>https://kb.isc.org/article/AA-01267/</url>
</references>
<dates>
<discovery>2015-07-07</discovery>
<entry>2015-07-07</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="cbfa8bd7-24b6-11e5-86ff-14dae9d210b8">
<topic>haproxy -- information leak vulnerability</topic>
<affects>
<package>
<name>haproxy</name>
<range><ge>1.5.0</ge><lt>1.5.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>HAProxy reports:</p>
<blockquote cite="http://www.haproxy.org/news.html">
<p>A vulnerability was found when HTTP pipelining is used. In
some cases, a client might be able to cause a buffer alignment issue and
retrieve uninitialized memory contents that exhibit data from a past
request or session. I want to address sincere congratulations to Charlie
Smurthwaite of aTech Media for the really detailed traces he provided
which made it possible to find the cause of this bug. Every user of
1.5-dev, 1.5.x or 1.6-dev must upgrade to 1.5.14 or latest 1.6-dev
snapshot to fix this issue, or use the backport of the fix provided by
their operating system vendors. CVE-2015-3281 was assigned to this bug.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.haproxy.org/news.html</url>
<url>http://git.haproxy.org/?p=haproxy-1.5.git;a=commit;h=7ec765568883b2d4e5a2796adbeb492a22ec9bd4</url>
<mlist>http://seclists.org/oss-sec/2015/q3/61</mlist>
<cvename>CVE-2015-3281</cvename>
</references>
<dates>
<discovery>2015-07-02</discovery>
<entry>2015-07-07</entry>
</dates>
</vuln>
<vuln vid="038a5808-24b3-11e5-b0c8-bf4d8935d4fa">
<topic>roundcube -- multiple vulnerabilities</topic>
<affects>
<package>
<name>roundcube</name>
<range><ge>1.1.0,1</ge><lt>1.1.2,1</lt></range>
<range><lt>1.0.6,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Roundcube reports:</p>
<blockquote cite="https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/">
<p>We just published updates to both stable versions 1.0 and
1.1 after fixing many minor bugs and adding some security improvements
to the 1.1 release branch. Version 1.0.6 comes with cherry-picked fixes
from the more recent version to ensure proper long term support,
especially with regard to security and compatibility.</p>
<p>The security-related fixes in particular are:</p>
<ul>
<li>XSS vulnerability in _mbox argument</li>
<li>security improvement in contact photo handling</li>
<li>potential info disclosure from temp directory</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5381</cvename>
<cvename>CVE-2015-5383</cvename>
<mlist>http://openwall.com/lists/oss-security/2015/07/06/10</mlist>
<url>https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/</url>
</references>
<dates>
<discovery>2015-05-30</discovery>
<entry>2015-07-07</entry>
</dates>
</vuln>
<vuln vid="543b5939-2067-11e5-a4a5-002590263bf5">
<topic>turnserver -- SQL injection vulnerability</topic>
<affects>
<package>
<name>turnserver</name>
<range><lt>4.4.5.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Oleg Moskalenko reports:</p>
<blockquote cite="http://turnserver.open-sys.org/downloads/v4.4.5.3/ChangeLog">
<p>SQL injection security hole fixed.</p>
</blockquote>
</body>
</description>
<references>
<url>http://turnserver.open-sys.org/downloads/v4.4.5.3/ChangeLog</url>
<mlist>https://groups.google.com/d/msg/turn-server-project-rfc5766-turn-server/Dj3MmgyZX1o/ZaFo3zvxIw0J</mlist>
</references>
<dates>
<discovery>2015-06-20</discovery>
<entry>2015-07-02</entry>
</dates>
</vuln>
<vuln vid="150d1538-23fa-11e5-a4a5-002590263bf5">
<topic>squid -- Improper Protection of Alternate Path with CONNECT requests</topic>
<affects>
<package>
<name>squid</name>
<range><lt>3.5.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2015:2 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2015_2.txt">
<p>Squid configured with cache_peer and operating on explicit proxy
traffic does not correctly handle CONNECT method peer responses.</p>
<p>The bug is important because it allows remote clients to bypass
security in an explicit gateway proxy.</p>
<p>However, the bug is exploitable only if you have configured
cache_peer to receive CONNECT requests.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.squid-cache.org/Advisories/SQUID-2015_2.txt</url>
<cvename>CVE-2015-5400</cvename>
</references>
<dates>
<discovery>2015-07-06</discovery>
<entry>2015-07-06</entry>
<modified>2015-07-17</modified>
</dates>
</vuln>
<vuln vid="b6da24da-23f7-11e5-a4a5-002590263bf5">
<topic>squid -- client-first SSL-bump does not correctly validate X509 server certificate</topic>
<affects>
<package>
<name>squid</name>
<range><ge>3.5</ge><lt>3.5.4</lt></range>
<range><ge>3.4</ge><lt>3.4.13</lt></range>
</package>
<package>
<name>squid33</name>
<range><ge>3.3</ge><lt>3.3.14</lt></range>
</package>
<package>
<name>squid32</name>
<range><ge>3.2</ge><lt>3.2.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2015:1 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2015_1.txt">
<p>Squid configured with client-first SSL-bump does not correctly
validate X509 server certificate domain / hostname fields.</p>
<p>The bug is important because it allows remote servers to bypass
client certificate validation. Some attackers may also be able
to use valid certificates for one domain signed by a global
Certificate Authority to abuse an unrelated domain.</p>
<p>However, the bug is exploitable only if you have configured
Squid to perform SSL Bumping with the "client-first" or "bump"
mode of operation.</p>
<p>Sites that do not use SSL-Bump are not vulnerable.</p>
<p>All Squid builds without SSL support are not vulnerable to the
problem.</p>
</blockquote>
<p>The FreeBSD port does not use SSL by default and is not vulnerable
in the default configuration.</p>
</body>
</description>
<references>
<cvename>CVE-2015-3455</cvename>
<url>http://www.squid-cache.org/Advisories/SQUID-2015_1.txt</url>
</references>
<dates>
<discovery>2015-05-01</discovery>
<entry>2015-07-06</entry>
</dates>
</vuln>
<vuln vid="72fccfdf-2061-11e5-a4a5-002590263bf5">
<topic>ansible -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ansible</name>
<range><lt>1.9.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ansible, Inc. reports:</p>
<blockquote cite="http://www.ansible.com/security">
<p>Ensure that hostnames match certificate names when using HTTPS -
resolved in Ansible 1.9.2</p>
<p>Improper symlink handling in zone, jail, and chroot connection
plugins could lead to escape from confined environment - resolved
in Ansible 1.9.2</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3908</cvename>
<cvename>CVE-2015-6240</cvename>
<url>http://www.ansible.com/security</url>
<url>https://raw.githubusercontent.com/ansible/ansible/v1.9.2-1/CHANGELOG.md</url>
</references>
<dates>
<discovery>2015-06-25</discovery>
<entry>2015-07-02</entry>
<modified>2015-08-18</modified>
</dates>
</vuln>
<vuln vid="e308c61a-2060-11e5-a4a5-002590263bf5">
<topic>ansible -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ansible</name>
<range><lt>1.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ansible, Inc. reports:</p>
<blockquote cite="http://www.ansible.com/security">
<p>Arbitrary execution from data from compromised remote hosts or
local data when using a legacy Ansible syntax - resolved in
Ansible 1.7</p>
<p>ansible-galaxy command when used on local tarballs (and not
galaxy.ansible.com) can install a malformed tarball if so provided
- resolved in Ansible 1.7</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.ansible.com/security</url>
<url>https://raw.githubusercontent.com/ansible/ansible/devel/CHANGELOG.md</url>
</references>
<dates>
<discovery>2014-08-06</discovery>
<entry>2015-07-02</entry>
</dates>
</vuln>
<vuln vid="9dae9d62-205f-11e5-a4a5-002590263bf5">
<topic>ansible -- code execution from compromised remote host data or untrusted local data</topic>
<affects>
<package>
<name>ansible</name>
<range><lt>1.6.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ansible, Inc. reports:</p>
<blockquote cite="http://www.ansible.com/security">
<p>Arbitrary execution from data from compromised remote hosts or
untrusted local data - resolved in Ansible 1.6.7</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-4966</cvename>
<bid>68794</bid>
<url>http://www.ansible.com/security</url>
<url>https://raw.githubusercontent.com/ansible/ansible/devel/CHANGELOG.md</url>
</references>
<dates>
<discovery>2014-07-21</discovery>
<entry>2015-07-02</entry>
</dates>
</vuln>
<vuln vid="2c493ac8-205e-11e5-a4a5-002590263bf5">
<topic>ansible -- remote code execution vulnerability</topic>
<affects>
<package>
<name>ansible</name>
<range><lt>1.6.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ansible, Inc. reports:</p>
<blockquote cite="http://www.ansible.com/security">
<p>Incomplete Fix Remote Code Execution Vulnerability - Fixed in
Ansible 1.6.4</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-4678</cvename>
<bid>68335</bid>
<url>http://www.ansible.com/security</url>
<url>https://raw.githubusercontent.com/ansible/ansible/devel/CHANGELOG.md</url>
</references>
<dates>
<discovery>2014-06-25</discovery>
<entry>2015-07-02</entry>
</dates>
</vuln>
<vuln vid="a6a9f9d5-205c-11e5-a4a5-002590263bf5">
<topic>ansible -- local symlink exploits</topic>
<affects>
<package>
<name>ansible</name>
<range><lt>1.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4259">
<p>runner/connection_plugins/ssh.py in Ansible before 1.2.3, when
using ControlPersist, allows local users to redirect a ssh session
via a symlink attack on a socket file with a predictable name in
/tmp/.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4260">
<p>lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3,
when playbook does not run due to an error, allows local users to
overwrite arbitrary files via a symlink attack on a retry file with
a predictable name in /var/tmp/ansible/.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4259</cvename>
<cvename>CVE-2013-4260</cvename>
<url>http://www.ansible.com/security</url>
<url>https://groups.google.com/forum/#!topic/ansible-project/UVDYW0HGcNg</url>
</references>
<dates>
<discovery>2013-08-21</discovery>
<entry>2015-07-02</entry>
</dates>
</vuln>
<vuln vid="a478421e-2059-11e5-a4a5-002590263bf5">
<topic>ansible -- enable host key checking in paramiko connection type</topic>
<affects>
<package>
<name>ansible</name>
<range><lt>1.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ansible changelog reports:</p>
<blockquote cite="https://raw.githubusercontent.com/ansible/ansible/devel/CHANGELOG.md">
<p>Host key checking is on by default. Disable it if you like by
adding host_key_checking=False in the [default] section of
/etc/ansible/ansible.cfg or ~/ansible.cfg or by exporting
ANSIBLE_HOST_KEY_CHECKING=False.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2233</cvename>
<url>https://raw.githubusercontent.com/ansible/ansible/devel/CHANGELOG.md</url>
<url>http://www.ansible.com/security</url>
<url>https://github.com/ansible/ansible/issues/857</url>
</references>
<dates>
<discovery>2012-08-13</discovery>
<entry>2015-07-02</entry>
</dates>
</vuln>
<vuln vid="d7b9a28d-238c-11e5-86ff-14dae9d210b8">
<topic>bitcoin -- denial of service</topic>
<affects>
<package>
<name>bitcoin</name>
<range><lt>0.10.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gregory Maxwell reports:</p>
<blockquote cite="http://bitcoin-development.narkive.com/tO8M0R0j/upcoming-dos-vulnerability-announcements-for-bitcoin-core">
<p>On July 7th I will be making public details of several
serious denial of service vulnerabilities which have been fixed in recent
versions of Bitcoin Core, including CVE-2015-3641.
I strongly recommend anyone running production nodes exposed to inbound
connections from the internet upgrade to 0.10.2 as soon as possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3641</cvename>
<url>http://bitcoin-development.narkive.com/tO8M0R0j/upcoming-dos-vulnerability-announcements-for-bitcoin-core</url>
<url>https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures</url>
</references>
<dates>
<discovery>2015-06-27</discovery>
<entry>2015-07-06</entry>
</dates>
</vuln>
<vuln vid="864e6f75-2372-11e5-86ff-14dae9d210b8">
<topic>node, iojs, and v8 -- denial of service</topic>
<affects>
<package>
<name>node</name>
<range><lt>0.12.6</lt></range>
</package>
<package>
<name>node-devel</name>
<range><lt>0.12.6</lt></range>
</package>
<package>
<name>iojs</name>
<range><lt>2.3.3</lt></range>
</package>
<package>
<name>v8</name>
<range><le>3.18.5</le></range>
</package>
<package>
<name>v8-devel</name>
<range><le>3.27.7_2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>node reports:</p>
<blockquote cite="http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/">
<p>This release of Node.js fixes a bug that triggers an
out-of-band write in V8's utf-8 decoder. This bug impacts all Buffer to
String conversions. This is an important security update as this bug can
be used to cause a denial of service attack.</p>
</blockquote>
</body>
</description>
<references>
<url>http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/</url>
<url>https://github.com/joyent/node/commit/78b0e30954111cfaba0edbeee85450d8cbc6fdf6</url>
<url>https://github.com/nodejs/io.js/commit/030f8045c706a8c3925ec7cb3184fdfae4ba8676</url>
<url>https://codereview.chromium.org/1226493003</url>
<cvename>CVE-2015-5380</cvename>
</references>
<dates>
<discovery>2015-07-03</discovery>
<entry>2015-07-06</entry>
<modified>2015-07-10</modified>
</dates>
</vuln>
<vuln vid="bf1d9331-21b6-11e5-86ff-14dae9d210b8">
<topic>cups-filters -- texttopdf integer overflow</topic>
<affects>
<package>
<name>cups-filters</name>
<range><lt>1.0.71</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stefan Cornelius from Red Hat reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/07/03/2">
<p>An integer overflow flaw leading to a heap-based buffer overflow was
discovered in the way the texttopdf utility of cups-filters processed
print jobs with a specially crafted line size. An attacker being able
to submit print jobs could exploit this flaw to crash texttopdf or,
possibly, execute arbitrary code with the privileges of the 'lp' user.</p>
</blockquote>
<p>Tim Waugh reports:</p>
<blockquote cite="http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7365">
<p>The Page allocation is moved into textcommon.c, where it does all the
necessary checking: lower-bounds for CVE-2015-3258 and upper-bounds
for CVE-2015-3259 due to integer overflows for the calloc() call
initializing Page[0] and the memset() call in texttopdf.c's
WritePage() function zeroing the entire array.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3279</cvename>
<url>https://access.redhat.com/security/cve/CVE-2015-3279</url>
<url>http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7365</url>
<mlist>http://osdir.com/ml/opensource-software-security/2015-07/msg00021.html</mlist>
</references>
<dates>
<discovery>2015-07-03</discovery>
<entry>2015-07-03</entry>
<modified>2015-07-07</modified>
</dates>
</vuln>
<vuln vid="9c7177ff-1fe1-11e5-9a01-bcaec565249c">
<topic>libxml2 -- Enforce the reader to run in constant memory</topic>
<affects>
<package>
<name>libxml2</name>
<range><lt>2.9.2_3</lt></range>
</package>
<package>
<name>linux-c6-libxml2</name>
<range><lt>2.7.6_5</lt></range>
</package>
<package>
<name>linux-f10-libxml2</name>
<range><ge>*</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Daniel Veillard reports:</p>
<blockquote cite="https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9">
<p>Enforce the reader to run in constant memory. One of the
operations on the reader could resolve entities, leading to
the classic expansion issue. Make sure the buffer used for
xmlreader operation is bounded. Introduce a new allocation
type for the buffers for this effect.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1819</cvename>
<url>https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9</url>
</references>
<dates>
<discovery>2015-04-14</discovery>
<entry>2015-07-01</entry>
<modified>2016-01-31</modified>
</dates>
</vuln>
<vuln vid="2a8b7d21-1ecc-11e5-a4a5-002590263bf5">
<topic>wesnoth -- disclosure of .pbl files with lowercase, uppercase, and mixed-case extension</topic>
<affects>
<package>
<name>wesnoth</name>
<range><lt>1.12.4,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ignacio R. Morelle reports:</p>
<blockquote cite="http://forums.wesnoth.org/viewtopic.php?t=42776">
<p>As mentioned in the Wesnoth 1.12.4 and Wesnoth 1.13.1 release
announcements, a security vulnerability targeting add-on authors
was found (bug #23504) which allowed a malicious user to obtain
add-on server passphrases from the client's .pbl files and transmit
them over the network, or store them in saved game files intended
to be shared by the victim. This vulnerability affects all existing
releases up to and including versions 1.12.2 and 1.13.0.
Additionally, version 1.12.3 included only a partial fix that failed
to guard users against attempts to read from .pbl files with an
uppercase or mixed-case extension. CVE-2015-5069 and CVE-2015-5070
have been assigned to the vulnerability affecting .pbl files with a
lowercase extension, and .pbl files with an uppercase or mixed-case
extension, respectively.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5069</cvename>
<cvename>CVE-2015-5070</cvename>
<url>http://forums.wesnoth.org/viewtopic.php?t=42776</url>
<url>http://forums.wesnoth.org/viewtopic.php?t=42775</url>
</references>
<dates>
<discovery>2015-06-28</discovery>
<entry>2015-07-01</entry>
</dates>
</vuln>
<vuln vid="b19da422-1e02-11e5-b43d-002590263bf5">
<topic>cups-filters -- buffer overflow in texttopdf size allocation</topic>
<affects>
<package>
<name>cups-filters</name>
<range><lt>1.0.70</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stefan Cornelius from Red Hat reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/06/26/4">
<p>A heap-based buffer overflow was discovered in the way the
texttopdf utility of cups-filters processed print jobs with a
specially crafted line size. An attacker being able to submit
print jobs could exploit this flaw to crash texttopdf or,
possibly, execute arbitrary code.</p>
</blockquote>
<p>Till Kamppeter reports:</p>
<blockquote cite="http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7363">
<p>texttopdf: Fixed buffer overflow on size allocation of texttopdf
when working with extremely small line sizes, which causes the size
calculation to result in 0 (CVE-2015-3258, thanks to Stefan
Cornelius from Red Hat for the patch).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3258</cvename>
<mlist>http://www.openwall.com/lists/oss-security/2015/06/26/4</mlist>
<url>http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7363</url>
</references>
<dates>
<discovery>2015-06-26</discovery>
<entry>2015-06-29</entry>
</dates>
</vuln>
<vuln vid="0d0f3050-1f69-11e5-9ba9-d050996490d0">
<topic>ntp -- control message remote Denial of Service vulnerability</topic>
<affects>
<package>
<name>ntp</name>
<range><lt>4.2.8p3</lt></range>
</package>
<package>
<name>ntp-devel</name>
<range><lt>4.3.25</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ntp.org reports:</p>
<blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi">
<p>Under limited and specific circumstances an attacker can send a
crafted packet to cause a vulnerable ntpd instance to crash.
This requires each of the following to be true:</p>
<ul>
<li>ntpd set up to allow for remote configuration (not
allowed by default), and</li>
<li>knowledge of the configuration password, and</li>
<li>access to a computer entrusted to perform remote
configuration.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://bugs.ntp.org/show_bug.cgi?id=2853</url>
<url>https://www.kb.cert.org/vuls/id/668167</url>
<url>http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi</url>
</references>
<dates>
<discovery>2015-06-29</discovery>
<entry>2015-06-30</entry>
</dates>
</vuln>
<vuln vid="acd5d037-1c33-11e5-be9c-6805ca1d3bb1">
<topic>qemu -- Heap overflow in QEMU PCNET controller, allowing guest to host escape (CVE-2015-3209)</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>0.11.1_20</lt></range>
<range><ge>0.12</ge><lt>2.3.0_2</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<range><lt>2.3.50.g20150618_1</lt></range>
</package>
<package>
<name>xen-tools</name>
<range><lt>4.5.0_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The QEMU security team reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-135.html">
<p>A guest which has access to an emulated PCNET network
device (e.g. with "model=pcnet" in their VIF configuration)
can exploit this vulnerability to take over the qemu
process elevating its privilege to that of the qemu
process.</p>
</blockquote>
</body>
</description>
<references>
<url>http://xenbits.xen.org/xsa/advisory-135.html</url>
<cvename>CVE-2015-3209</cvename>
</references>
<dates>
<discovery>2015-04-10</discovery>
<entry>2015-06-26</entry>
<modified>2015-07-11</modified>
</dates>
</vuln>
<vuln vid="23232028-1ba4-11e5-b43d-002590263bf5">
<topic>elasticsearch -- security fix for shared file-system repositories</topic>
<affects>
<package>
<name>elasticsearch</name>
<range><ge>1.0.0</ge><lt>1.6.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Elastic reports:</p>
<blockquote cite="https://www.elastic.co/community/security">
<p>Vulnerability Summary: All Elasticsearch versions from 1.0.0 to
1.5.2 are vulnerable to an attack that uses Elasticsearch to modify
files read and executed by certain other applications.</p>
<p>Remediation Summary: Users should upgrade to 1.6.0. Alternately,
ensure that other applications are not present on the system, or
that Elasticsearch cannot write into areas where these applications
would read.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4165</cvename>
<freebsdpr>ports/201008</freebsdpr>
<url>https://www.elastic.co/community/security</url>
<url>https://www.elastic.co/blog/elasticsearch-1-6-0-released</url>
</references>
<dates>
<discovery>2015-06-09</discovery>
<entry>2015-06-26</entry>
</dates>
</vuln>
<vuln vid="a71e7440-1ba3-11e5-b43d-002590263bf5">
<topic>elasticsearch -- directory traversal attack with site plugins</topic>
<affects>
<package>
<name>elasticsearch</name>
<range><lt>1.4.5</lt></range>
<range><ge>1.5.0</ge><lt>1.5.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Elastic reports:</p>
<blockquote cite="https://www.elastic.co/community/security">
<p>Vulnerability Summary: All Elasticsearch versions prior to 1.5.2
and 1.4.5 are vulnerable to a directory traversal attack that allows
an attacker to retrieve files from the server running Elasticsearch
when one or more site plugins are installed, or when Windows is the
server OS.</p>
<p>Remediation Summary: Users should upgrade to 1.4.5 or 1.5.2. Users
that do not want to upgrade can address the vulnerability by
disabling site plugins. See the CVE description for additional
options.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3337</cvename>
<bid>74353</bid>
<url>https://www.elastic.co/community/security</url>
<url>https://www.elastic.co/blog/elasticsearch-1-5-2-and-1-4-5-released</url>
<url>https://www.exploit-db.com/exploits/37054/</url>
<url>https://packetstormsecurity.com/files/131646/Elasticsearch-Directory-Traversal.html</url>
<url>http://www.securityfocus.com/archive/1/535385</url>
</references>
<dates>
<discovery>2015-04-27</discovery>
<entry>2015-06-26</entry>
</dates>
</vuln>
<vuln vid="026759e0-1ba3-11e5-b43d-002590263bf5">
<topic>elasticsearch -- remote OS command execution via Groovy scripting engine</topic>
<affects>
<package>
<name>elasticsearch</name>
<range><ge>1.3.0</ge><lt>1.3.8</lt></range>
<range><ge>1.4.0</ge><lt>1.4.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Elastic reports:</p>
<blockquote cite="https://www.elastic.co/community/security">
<p>Vulnerability Summary: Elasticsearch versions 1.3.0-1.3.7 and
1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine that
were introduced in 1.3.0. The vulnerability allows an attacker to
construct Groovy scripts that escape the sandbox and execute shell
commands as the user running the Elasticsearch Java VM.</p>
<p>Remediation Summary: Users should upgrade to 1.3.8 or 1.4.3. Users
that do not want to upgrade can address the vulnerability by setting
script.groovy.sandbox.enabled to false in elasticsearch.yml and
restarting the node.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1427</cvename>
<bid>72585</bid>
<url>https://www.elastic.co/community/security</url>
<url>https://www.elastic.co/blog/elasticsearch-1-4-3-and-1-3-8-released</url>
<url>http://www.securityfocus.com/archive/1/archive/1/534689/100/0/threaded</url>
<url>https://packetstormsecurity.com/files/130368/Elasticsearch-1.3.7-1.4.2-Sandbox-Escape-Command-Execution.html</url>
<url>https://packetstormsecurity.com/files/130784/ElasticSearch-Unauthenticated-Remote-Code-Execution.html</url>
</references>
<dates>
<discovery>2015-02-11</discovery>
<entry>2015-06-26</entry>
</dates>
</vuln>
<vuln vid="5951fb49-1ba2-11e5-b43d-002590263bf5">
<topic>elasticsearch -- cross site scripting vulnerability in the CORS functionality</topic>
<affects>
<package>
<name>elasticsearch</name>
<range><lt>1.4.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Elastic reports:</p>
<blockquote cite="https://www.elastic.co/community/security">
<p>Vulnerability Summary: Elasticsearch versions 1.3.x and prior have
a default configuration for CORS that allows an attacker to craft
links that could cause a user's browser to send requests to
Elasticsearch instances on their local network. These requests could
cause data loss or compromise.</p>
<p>Remediation Summary: Users should either set "http.cors.enabled" to
false, or set "http.cors.allow-origin" to the value of the server
that should be allowed access, such as localhost or a server hosting
Kibana. Disabling CORS entirely with the former setting is more
secure, but may not be suitable for all use cases.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-6439</cvename>
<bid>70233</bid>
<url>https://www.elastic.co/community/security</url>
<url>https://www.elastic.co/blog/elasticsearch-1-4-0-beta-released</url>
<url>https://packetstormsecurity.com/files/128556/Elasticsearch-1.3.x-CORS-Issue.html</url>
<url>http://www.securityfocus.com/archive/1/archive/1/533602/100/0/threaded</url>
</references>
<dates>
<discovery>2014-10-01</discovery>
<entry>2015-06-26</entry>
</dates>
</vuln>
<vuln vid="43ac9d42-1b9a-11e5-b43d-002590263bf5">
<topic>elasticsearch and logstash -- remote OS command execution via dynamic scripting</topic>
<affects>
<package>
<name>elasticsearch</name>
<range><lt>1.2.0</lt></range>
</package>
<package>
<name>logstash</name>
<range><lt>1.4.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Elastic reports:</p>
<blockquote cite="https://www.elastic.co/community/security">
<p>Vulnerability Summary: In Elasticsearch versions 1.1.x and prior,
dynamic scripting is enabled by default. This could allow an
attacker to execute OS commands.</p>
<p>Remediation Summary: Disable dynamic scripting.</p>
</blockquote>
<blockquote cite="https://www.elastic.co/blog/logstash-1-4-3-released">
<p>Logstash 1.4.2 was bundled with Elasticsearch 1.1.1, which is
vulnerable to CVE-2014-3120. These binaries are used in
Elasticsearch output specifically when using the node protocol.
Since a node client joins the Elasticsearch cluster, the attackers
could use scripts to execute commands on the host OS using the node
client's URL endpoint. With 1.4.3 release, we are packaging Logstash
with Elasticsearch 1.5.2 binaries which by default disables the
ability to run scripts. This also affects users who are using the
configuration option embedded=>true in the Elasticsearch output
which starts a local embedded Elasticsearch cluster. This is
typically used in development environments and proof-of-concept
deployments. Regardless of this vulnerability, we strongly recommend
not using embedded in production.</p>
<p>Note that users of transport and http protocol are not vulnerable
to this attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-3120</cvename>
<bid>67731</bid>
<url>https://www.elastic.co/community/security</url>
<url>https://www.elastic.co/blog/elasticsearch-1-2-0-released</url>
<url>https://www.elastic.co/blog/logstash-1-4-3-released</url>
<url>https://www.exploit-db.com/exploits/33370/</url>
<url>http://bouk.co/blog/elasticsearch-rce/</url>
<url>http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce</url>
<url>https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch</url>
</references>
<dates>
<discovery>2014-05-22</discovery>
<entry>2015-06-26</entry>
</dates>
</vuln>
<vuln vid="24bde04f-1a10-11e5-b43d-002590263bf5">
<topic>logstash -- Directory traversal vulnerability in the file output plugin</topic>
<affects>
<package>
<name>logstash</name>
<range><lt>1.4.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Elastic reports:</p>
<blockquote cite="https://www.elastic.co/blog/logstash-1-4-3-released">
<p>An attacker could use the File output plugin with dynamic field
references in the path option to traverse paths outside of the Logstash
directory. This technique could also be used to overwrite any files
which can be accessed with permissions associated with the Logstash
user. This release sandboxes the paths which can be traversed using
the configuration. We have also disallowed use of dynamic field
references if the path option is pointing to an absolute path.</p>
<p>We have added this vulnerability to our CVE page and are working
on filling out the CVE. We would like to thank Colin Coghill for
reporting the issue and working with us on the resolution.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4152</cvename>
<url>https://www.elastic.co/blog/logstash-1-4-3-released</url>
<url>https://www.elastic.co/community/security</url>
</references>
<dates>
<discovery>2015-06-09</discovery>
<entry>2015-06-24</entry>
</dates>
</vuln>
<vuln vid="2184ccad-1a10-11e5-b43d-002590263bf5">
<topic>logstash -- Remote command execution in Logstash zabbix and nagios_nsca outputs</topic>
<affects>
<package>
<name>logstash</name>
<range><lt>1.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Elastic reports:</p>
<blockquote cite="https://www.elastic.co/blog/logstash-1-4-2">
<p>The vulnerability impacts deployments that use either the
zabbix or the nagios_nsca outputs. In these cases, an attacker
with an ability to send crafted events to any source of data for
Logstash could execute operating system commands with the
permissions of the Logstash process.</p>
<p>Deployments that do not use the zabbix or the nagios_nsca outputs
are not vulnerable and do not need to upgrade for this reason.</p>
<p>We have added this vulnerability to our CVE page and are working
on filling out the CVE.</p>
<p>We would like to thank Jan Karwowski and Danila Borisiuk for
reporting the issue and working with us on the resolution.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-4326</cvename>
<url>https://www.elastic.co/blog/logstash-1-4-2</url>
<url>https://www.elastic.co/community/security</url>
</references>
<dates>
<discovery>2014-06-24</discovery>
<entry>2015-06-24</entry>
</dates>
</vuln>
<vuln vid="ad4d3871-1a0d-11e5-b43d-002590263bf5">
<topic>logstash-forwarder and logstash -- susceptibility to POODLE vulnerability</topic>
<affects>
<package>
<name>logstash-forwarder</name>
<range><lt>0.4.0.20150507</lt></range>
</package>
<package>
<name>logstash</name>
<range><lt>1.4.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Elastic reports:</p>
<blockquote cite="https://www.elastic.co/blog/logstash-1-4-3-released">
<p>The combination of Logstash Forwarder and Lumberjack input (and
output) was vulnerable to the POODLE attack in SSLv3 protocol. We
have disabled SSLv3 for this combination and set the minimum version
to be TLSv1.0. We have added this vulnerability to our CVE page and
are working on filling out the CVE.</p>
<p>Thanks to Tray Torrance, Marc Chadwick, and David Arena for
reporting this.</p>
</blockquote>
<blockquote cite="https://www.elastic.co/blog/logstash-forwarder-0-4-0-released">
<p>SSLv3 is no longer supported; TLS 1.0+ is required (compatible
with Logstash 1.4.2+).</p>
</blockquote>
</body>
</description>
<references>
<!-- POODLE CVE pending -->
<freebsdpr>ports/201065</freebsdpr>
<url>https://www.elastic.co/blog/logstash-1-4-3-released</url>
<url>https://www.elastic.co/blog/logstash-forwarder-0-4-0-released</url>
</references>
<dates>
<discovery>2015-06-09</discovery>
<entry>2015-06-24</entry>
<modified>2015-06-24</modified>
</dates>
</vuln>
<vuln vid="d02f6b01-1a3f-11e5-8bd6-c485083ca99c">
<topic>Adobe Flash Player -- critical vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<range><lt>11.2r202.466</lt></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.466</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-14.html">
<p>
Adobe has released security updates for Adobe Flash Player for
Windows, Macintosh and Linux. These updates address a critical
vulnerability (CVE-2015-3113) that could potentially allow an
attacker to take control of the affected system.
</p>
<p>
Adobe is aware of reports that CVE-2015-3113 is being actively
exploited in the wild via limited, targeted attacks. Systems running
Internet Explorer for Windows 7 and below, as well as Firefox on
Windows XP, are known targets.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-14.html</url>
<cvename>CVE-2015-3113</cvename>
</references>
<dates>
<discovery>2015-06-23</discovery>
<entry>2015-06-24</entry>
</dates>
</vuln>
<vuln vid="f5225b23-192d-11e5-a1cf-002590263bf5">
<topic>rubygem-bson -- DoS and possible injection</topic>
<affects>
<package>
<name>rubygem-bson</name>
<range><lt>3.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Phill MV reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/06/06/1">
<p>By submitting a specially crafted string to a service relying on
the bson rubygem, an attacker may trigger denials of service or even
inject data into victim's MongoDB instances.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4412</cvename>
<mlist>http://www.openwall.com/lists/oss-security/2015/06/06/1</mlist>
<url>http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html</url>
<url>https://github.com/mongodb/bson-ruby/commit/976da329ff03ecdfca3030eb6efe3c85e6db9999</url>
</references>
<dates>
<discovery>2015-06-04</discovery>
<entry>2015-06-23</entry>
</dates>
</vuln>
<vuln vid="cdff0af2-1492-11e5-a1cf-002590263bf5">
<topic>php5 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5-dom</name>
<name>php5-ftp</name>
<name>php5-gd</name>
<name>php5-pgsql</name>
<range><lt>5.4.42</lt></range>
</package>
<package>
<name>php55-dom</name>
<name>php55-ftp</name>
<name>php55-gd</name>
<name>php55-pgsql</name>
<range><lt>5.5.26</lt></range>
</package>
<package>
<name>php56-dom</name>
<name>php56-ftp</name>
<name>php56-gd</name>
<name>php56-pgsql</name>
<range><lt>5.6.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP project reports:</p>
<blockquote cite="http://www.php.net/ChangeLog-5.php">
<p>DOM and GD:</p>
<ul>
<li>Fixed bug #69719 (Incorrect handling of paths with NULs).</li>
</ul>
<p>FTP:</p>
<ul>
<li>Improved fix for bug #69545 (Integer overflow in ftp_genlist()
resulting in heap overflow). (CVE-2015-4643)</li>
</ul>
<p>Postgres:</p>
<ul>
<li>Fixed bug #69667 (segfault in php_pgsql_meta_data).
(CVE-2015-4644)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4643</cvename>
<cvename>CVE-2015-4644</cvename>
<url>http://www.php.net/ChangeLog-5.php#5.4.42</url>
<url>http://www.php.net/ChangeLog-5.php#5.5.26</url>
<url>http://www.php.net/ChangeLog-5.php#5.6.10</url>
<mlist>http://openwall.com/lists/oss-security/2015/06/18/3</mlist>
</references>
<dates>
<discovery>2015-06-11</discovery>
<entry>2015-06-23</entry>
</dates>
</vuln>
<vuln vid="a4460ac7-192c-11e5-9c01-bcaec55be5e5">
<topic>devel/ipython -- remote execution</topic>
<affects>
<package>
<name>ipython</name>
<range><lt>3.2.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Kyle Kelley reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q2/779">
<p>Summary: JSON error responses from the IPython notebook REST API
contained URL parameters and were incorrectly reported as text/html
instead of application/json. The error messages included some of these
URL params, resulting in a cross site scripting attack. This affects
users on Mozilla Firefox but not Chromium/Google Chrome.</p>
<p>API paths with issues:</p>
<ul>
<li>/api/contents (3.0-3.1)</li>
<li>/api/notebooks (2.0-2.4, 3.0-3.1)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4706</cvename>
<cvename>CVE-2015-4707</cvename>
<url>http://seclists.org/oss-sec/2015/q2/779</url>
</references>
<dates>
<discovery>2015-06-22</discovery>
<entry>2015-06-22</entry>
</dates>
</vuln>
<vuln vid="d46ed7b8-1912-11e5-9fdf-00262d5ed8ee">
<topic>www/chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>43.0.2357.130</lt></range>
</package>
<package>
<!-- pcbsd -->
<name>chromium-npapi</name>
<range><lt>43.0.2357.130</lt></range>
</package>
<package>
<!-- pcbsd -->
<name>chromium-pulse</name>
<range><lt>43.0.2357.130</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2015/06/chrome-stable-update.html">
<p>4 security fixes in this release:</p>
<ul>
<li>[464922] High CVE-2015-1266: Scheme validation error in WebUI.
Credit to anonymous.</li>
<li>[494640] High CVE-2015-1268: Cross-origin bypass in Blink.
Credit to Mariusz Mlynski.</li>
<li>[497507] Medium CVE-2015-1267: Cross-origin bypass in Blink.
Credit to anonymous.</li>
<li>[461481] Medium CVE-2015-1269: Normalization error in HSTS/HPKP
preload list. Credit to Mike Ruddy.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1266</cvename>
<cvename>CVE-2015-1267</cvename>
<cvename>CVE-2015-1268</cvename>
<cvename>CVE-2015-1269</cvename>
<url>http://googlechromereleases.blogspot.nl/2015/06/chrome-stable-update.html</url>
</references>
<dates>
<discovery>2015-06-22</discovery>
<entry>2015-06-22</entry>
</dates>
</vuln>
<vuln vid="0f154810-16e4-11e5-a1cf-002590263bf5">
<topic>rubygem-paperclip -- validation bypass vulnerability</topic>
<affects>
<package>
<name>rubygem-paperclip</name>
<range><lt>4.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jon Yurek reports:</p>
<blockquote cite="https://github.com/thoughtbot/paperclip/commit/9aee4112f36058cd28d5fe4a006d6981bd1eda57">
<p>Thanks to MORI Shingo of DeNA Co., Ltd. for reporting this.</p>
<p>There is an issue where if an HTML file is uploaded with a .html
extension, but the content type is listed as being `image/jpeg`,
this will bypass a validation checking for images. But it will also
pass the spoof check, because a file named .html and containing
actual HTML passes the spoof check.</p>
<p>This change makes it so that we also check the supplied content
type. So even if the file contains HTML and ends with .html, it
doesn't match the content type of `image/jpeg` and so it fails.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2963</cvename>
<url>https://github.com/thoughtbot/paperclip/commit/9aee4112f36058cd28d5fe4a006d6981bd1eda57</url>
<url>https://robots.thoughtbot.com/paperclip-security-release</url>
<url>http://jvn.jp/en/jp/JVN83881261/index.html</url>
</references>
<dates>
<discovery>2015-06-05</discovery>
<entry>2015-06-22</entry>
</dates>
</vuln>
<vuln vid="0da404ad-1891-11e5-a1cf-002590263bf5">
<topic>chicken -- Potential buffer overrun in string-translate*</topic>
<affects>
<package>
<name>chicken</name>
<range><lt>4.10.0.r2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>chicken developer Peter Bex reports:</p>
<blockquote cite="http://lists.nongnu.org/archive/html/chicken-announce/2015-06/msg00010.html">
<p>Using gcc's Address Sanitizer, it was discovered that the string-translate*
procedure from the data-structures unit can scan beyond the input string's
length up to the length of the source strings in the map that's passed to
string-translate*. This issue was fixed in master 8a46020, and it will
make its way into CHICKEN 4.10.</p>
<p>This bug is present in all released versions of CHICKEN.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4556</cvename>
<freebsdpr>ports/200980</freebsdpr>
<mlist>http://lists.nongnu.org/archive/html/chicken-announce/2015-06/msg00010.html</mlist>
<mlist>http://lists.nongnu.org/archive/html/chicken-hackers/2015-06/msg00037.html</mlist>
<mlist>http://lists.nongnu.org/archive/html/chicken-announce/2015-07/msg00001.html</mlist>
</references>
<dates>
<discovery>2015-06-15</discovery>
<entry>2015-06-22</entry>
<modified>2015-07-31</modified>
</dates>
</vuln>
<vuln vid="e7b7f2b5-177a-11e5-ad33-f8d111029e6a">
<topic>chicken -- buffer overrun in substring-index[-ci]</topic>
<affects>
<package>
<name>chicken</name>
<range><lt>4.10.0.r1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>chicken developer Moritz Heidkamp reports:</p>
<blockquote cite="http://lists.gnu.org/archive/html/chicken-users/2015-01/msg00048.html">
<p>The substring-index[-ci] procedures of the data-structures unit are
vulnerable to a buffer overrun attack when passed an integer greater
than zero as the optional START argument.</p>
<p>As a work-around you can switch to SRFI 13's
string-contains procedure which also returns the substring's index in
case it is found.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-9651</cvename>
<mlist>http://lists.gnu.org/archive/html/chicken-users/2015-01/msg00048.html</mlist>
<mlist>http://lists.nongnu.org/archive/html/chicken-hackers/2014-12/txt2UqAS9CtvH.txt</mlist>
</references>
<dates>
<discovery>2015-01-12</discovery>
<entry>2015-06-22</entry>
<modified>2015-06-23</modified>
</dates>
</vuln>
<vuln vid="a3929112-181b-11e5-a1cf-002590263bf5">
<topic>cacti -- Multiple XSS and SQL injection vulnerabilities</topic>
<affects>
<package>
<name>cacti</name>
<range><lt>0.8.8d</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Cacti Group, Inc. reports:</p>
<blockquote cite="http://www.cacti.net/release_notes_0_8_8d.php">
<p>Important Security Fixes</p>
<ul>
<li>Multiple XSS and SQL injection vulnerabilities</li>
</ul>
<p>Changelog</p>
<ul>
<li>bug: Fixed SQL injection VN: JVN#78187936 /
TN:JPCERT#98968540</li>
<li>bug#0002542: [FG-VD-15-017] Cacti Cross-Site Scripting
Vulnerability Notification</li>
<li>bug#0002571: SQL Injection and Location header injection from
cdef id CVE-2015-4342</li>
<li>bug#0002572: SQL injection in graph template</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4342</cvename>
<freebsdpr>ports/200963</freebsdpr>
<url>http://www.cacti.net/release_notes_0_8_8d.php</url>
<mlist>http://seclists.org/fulldisclosure/2015/Jun/19</mlist>
</references>
<dates>
<discovery>2015-06-09</discovery>
<entry>2015-06-21</entry>
</dates>
</vuln>
<vuln vid="a0e74731-181b-11e5-a1cf-002590263bf5">
<topic>cacti -- multiple security vulnerabilities</topic>
<affects>
<package>
<name>cacti</name>
<range><lt>0.8.8c</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Cacti Group, Inc. reports:</p>
<blockquote cite="http://www.cacti.net/release_notes_0_8_8c.php">
<p>Important Security Fixes</p>
<ul>
<li>CVE-2013-5588 - XSS issue via installer or device editing</li>
<li>CVE-2013-5589 - SQL injection vulnerability in device editing</li>
<li>CVE-2014-2326 - XSS issue via CDEF editing</li>
<li>CVE-2014-2327 - Cross-site request forgery (CSRF) vulnerability</li>
<li>CVE-2014-2328 - Remote Command Execution Vulnerability in graph export</li>
<li>CVE-2014-4002 - XSS issues in multiple files</li>
<li>CVE-2014-5025 - XSS issue via data source editing</li>
<li>CVE-2014-5026 - XSS issues in multiple files</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-5588</cvename>
<cvename>CVE-2013-5589</cvename>
<cvename>CVE-2014-2326</cvename>
<cvename>CVE-2014-2327</cvename>
<cvename>CVE-2014-2328</cvename>
<cvename>CVE-2014-4002</cvename>
<cvename>CVE-2014-5025</cvename>
<cvename>CVE-2014-5026</cvename>
<freebsdpr>ports/198586</freebsdpr>
<mlist>http://sourceforge.net/p/cacti/mailman/message/33072838/</mlist>
<url>http://www.cacti.net/release_notes_0_8_8c.php</url>
</references>
<dates>
<discovery>2014-11-23</discovery>
<entry>2015-06-21</entry>
</dates>
</vuln>
<vuln vid="968d1e74-1740-11e5-a643-40a8f0757fb4">
<topic>p5-Dancer -- possible to abuse session cookie values</topic>
<affects>
<package>
<name>p5-Dancer</name>
<range><lt>1.3138</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Russell Jenkins reports:</p>
<blockquote cite="INSERT URL HERE">
<p>It was possible to abuse session cookie values so that
file-based session stores such as Dancer::Session::YAML or
Dancer2::Session::YAML would attempt to read/write from
any file on the filesystem with the same extension the
file-based store uses, such as '*.yml' for the YAML
stores.</p>
</blockquote>
</body>
</description>
<references>
<url>http://lists.preshweb.co.uk/pipermail/dancer-users/2015-June/004621.html</url>
</references>
<dates>
<discovery>2015-06-12</discovery>
<entry>2015-06-20</entry>
</dates>
</vuln>
<vuln vid="d605edb1-1616-11e5-a000-d050996490d0">
<topic>drupal -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal6</name>
<range><lt>6.36</lt></range>
</package>
<package>
<name>drupal7</name>
<range><lt>7.38</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal development team reports:</p>
<blockquote cite="https://www.drupal.org/SA-CORE-2015-002">
<h3>Impersonation (OpenID module - Drupal 6 and 7 - Critical)</h3>
<p>A vulnerability was found in the OpenID module that allows
a malicious user to log in as other users on the site,
including administrators, and hijack their accounts.</p>
<p>This vulnerability is mitigated by the fact that the victim
must have an account with an associated OpenID identity from
a particular set of OpenID providers (including, but not
limited to, Verisign, LiveJournal, or StackExchange).</p>
<h3>Open redirect (Field UI module - Drupal 7 - Less critical)</h3>
<p>The Field UI module uses a "destinations" query string parameter
in URLs to redirect users to new destinations after completing
an action on a few administration pages. Under certain
circumstances, malicious users can use this parameter to
construct a URL that will trick users into being redirected
to a 3rd party website, thereby exposing the users to potential
social engineering attacks.</p>
<p>This vulnerability is mitigated by the fact that only sites
with the Field UI module enabled are affected.</p>
<p>Drupal 6 core is not affected, but see the similar advisory
for the Drupal 6 contributed CCK module:
<a href="https://www.drupal.org/node/2507753">SA-CONTRIB-2015-126</a></p>
<h3>Open redirect (Overlay module - Drupal 7 - Less critical)</h3>
<p>The Overlay module displays administrative pages as a layer
over the current page (using JavaScript), rather than replacing
the page in the browser window. The Overlay module does not
sufficiently validate URLs prior to displaying their contents,
leading to an open redirect vulnerability.</p>
<p>This vulnerability is mitigated by the fact that it can only
be used against site users who have the "Access the administrative
overlay" permission, and that the Overlay module must be enabled.</p>
<h3>Information disclosure (Render cache system - Drupal 7
- Less critical)</h3>
<p>On sites utilizing Drupal 7's render cache system to cache
content on the site by user role, private content viewed by
user 1 may be included in the cache and exposed to non-privileged
users.</p>
<p>This vulnerability is mitigated by the fact that render caching
is not used in Drupal 7 core itself (it requires custom code or
the contributed <a href="https://www.drupal.org/project/render_cache">Render
Cache</a> module to enable) and that it only affects sites that
have user 1 browsing the live site. Exposure is also limited if an
administrative role has been assigned to the user 1 account (which
is done, for example, by the Standard install profile that ships
with Drupal core).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3231</cvename>
<cvename>CVE-2015-3232</cvename>
<cvename>CVE-2015-3233</cvename>
<cvename>CVE-2015-3234</cvename>
<url>https://www.drupal.org/SA-CORE-2015-002</url>
</references>
<dates>
<discovery>2015-06-17</discovery>
<entry>2015-06-19</entry>
</dates>
</vuln>
<vuln vid="2438d4af-1538-11e5-a106-3c970e169bc2">
<topic>cURL -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>curl</name>
<range><ge>7.40</ge><lt>7.43</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>cURL reports:</p>
<blockquote cite="http://curl.haxx.se/docs/adv_20150617A.html">
<p>libcurl can wrongly send HTTP credentials when re-using
connections.</p>
<p>libcurl allows applications to set credentials for the
upcoming transfer with HTTP Basic authentication, like
with CURLOPT_USERPWD for example. Name and password.
Just like all other libcurl options the credentials
are sticky and are kept associated with the "handle"
until something is made to change the situation.</p>
<p>Further, libcurl offers a curl_easy_reset() function
that resets a handle back to its pristine state in
terms of all settable options. A reset is of course
also supposed to clear the credentials. A reset is
typically used to clear up the handle and prepare
it for a new, possibly unrelated, transfer.</p>
<p>Within such a handle, libcurl can also store a
set of previous connections in case a second transfer
is requested to a host name for which an existing
connection is already kept alive.</p>
<p>With this flaw present, using the handle even
after a reset would make libcurl accidentally use
those credentials in a subsequent request if done
to the same host name and connection as was
previously accessed.</p>
<p>An example case would be first requesting a password
protected resource from one section of a web site, and
then doing a second request of a public resource from a
completely different part of the site without
authentication. This flaw would then inadvertently
leak the credentials in the second request.</p>
</blockquote>
<blockquote cite="http://curl.haxx.se/docs/adv_20150617B.html">
<p>libcurl can get tricked by a malicious SMB server to
send off data it did not intend to.</p>
<p>In libcurl's state machine function handling the SMB
protocol (smb_request_state()), two length and offset
values are extracted from data that has arrived over
the network, and those values are subsequently used
to figure out what data range to send back.</p>
<p>The values are used and trusted without boundary
checks and are just assumed to be valid. This allows
carefully handcrafted packages to trick libcurl
into responding and sending off data that was not
intended. Or just crash if the values cause libcurl
to access invalid memory.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3236</cvename>
<cvename>CVE-2015-3237</cvename>
<url>http://curl.haxx.se/docs/adv_20150617A.html</url>
<url>http://curl.haxx.se/docs/adv_20150617B.html</url>
</references>
<dates>
<discovery>2015-06-17</discovery>
<entry>2015-06-17</entry>
</dates>
</vuln>
<vuln vid="eb8a8978-8dd5-49ce-87f4-49667b2166dd">
<topic>rubygem-rails -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-activesupport</name>
<range><lt>3.2.22</lt></range>
</package>
<package>
<name>rubygem-activesupport4</name>
<range><lt>4.2.2</lt></range>
</package>
<package>
<name>rubygem-jquery-rails</name>
<range><lt>3.1.3</lt></range>
</package>
<package>
<name>rubygem-jquery-rails4</name>
<range><lt>4.0.4</lt></range>
</package>
<package>
<name>rubygem-rack</name>
<range><lt>1.4.6</lt></range>
</package>
<package>
<name>rubygem-rack15</name>
<range><lt>1.5.4</lt></range>
</package>
<package>
<name>rubygem-rack16</name>
<range><lt>1.6.2</lt></range>
</package>
<package>
<name>rubygem-rails</name>
<range><lt>3.2.22</lt></range>
</package>
<package>
<name>rubygem-rails4</name>
<range><lt>4.2.2</lt></range>
</package>
<package>
<name>rubygem-web-console</name>
<range><lt>2.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby on Rails blog:</p>
<blockquote cite="http://weblog.rubyonrails.org/2015/6/16/Rails-3-2-22-4-1-11-and-4-2-2-have-been-released-and-more/">
<p>Rails 3.2.22, 4.1.11 and 4.2.2 have been released, along with web
console and jquery-rails plugins and Rack 1.5.4 and 1.6.2.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1840</cvename>
<cvename>CVE-2015-3224</cvename>
<cvename>CVE-2015-3225</cvename>
<cvename>CVE-2015-3226</cvename>
<cvename>CVE-2015-3227</cvename>
<url>http://weblog.rubyonrails.org/2015/6/16/Rails-3-2-22-4-1-11-and-4-2-2-have-been-released-and-more/</url>
</references>
<dates>
<discovery>2015-06-16</discovery>
<entry>2015-06-17</entry>
</dates>
</vuln>
<vuln vid="c67069dc-0986-11e5-bb90-002590263bf5">
<topic>testdisk -- buffer overflow with malicious disk image</topic>
<affects>
<package>
<name>testdisk</name>
<range><lt>7.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CGSecurity TestDisk Changelog reports:</p>
<blockquote cite="http://www.cgsecurity.org/wiki/TestDisk_7.0_Release">
<p>Various fixes including security fixes, thanks to:</p>
<ul>
<li><p>Coverity scan (Static Analysis of source code)</p></li>
<li><p>afl-fuzz (security-oriented fuzzer).</p></li>
<li><p>Denis Andzakovic from Security Assessment for reporting an
exploitable Stack Buffer Overflow.</p></li>
</ul>
</blockquote>
<p>Denis Andzakovic reports:</p>
<blockquote cite="http://www.security-assessment.com/files/documents/advisory/Testdisk%20Check_OS2MB%20Stack%20Buffer%20Overflow%20-%20Release.pdf">
<p>A buffer overflow is triggered within the software when a malicious
disk image is attempted to be recovered. This may be leveraged by an
attacker to crash TestDisk and gain control of program execution. An
attacker would have to coerce the victim to run TestDisk against
their malicious image.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.cgsecurity.org/wiki/TestDisk_7.0_Release</url>
<url>http://www.security-assessment.com/files/documents/advisory/Testdisk%20Check_OS2MB%20Stack%20Buffer%20Overflow%20-%20Release.pdf</url>
</references>
<dates>
<discovery>2015-04-30</discovery>
<entry>2015-06-16</entry>
</dates>
</vuln>
<vuln vid="25e0593d-13c0-11e5-9afb-3c970e169bc2">
<topic>tomcat -- multiple vulnerabilities</topic>
<affects>
<package>
<name>tomcat</name>
<range><lt>6.0.44</lt></range>
</package>
<package>
<name>tomcat7</name>
<range><lt>7.0.55</lt></range>
</package>
<package>
<name>tomcat8</name>
<range><lt>8.0.9</lt></range>
</package>
<package>
<name>hadoop2</name>
<range><le>2.6.0</le></range>
</package>
<package>
<name>oozie</name>
<range><le>4.1.0</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache Software Foundation reports:</p>
<blockquote cite="https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44">
<p>Low: Denial of Service CVE-2014-0230</p>
<p>When a response for a request with a request body is
returned to the user agent before the request body is
fully read, by default Tomcat swallows the remaining
request body so that the next request on the connection
may be processed. There was no limit to the size of
request body that Tomcat would swallow. This permitted
a limited Denial of Service as Tomcat would never close
the connection and a processing thread would remain
allocated to the connection.</p>
<p>Moderate: Security Manager bypass CVE-2014-7810</p>
<p>Malicious web applications could use expression
language to bypass the protections of a Security
Manager as expressions were evaluated within a
privileged code section.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-0230</cvename>
<cvename>CVE-2014-7810</cvename>
<url>https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44</url>
</references>
<dates>
<discovery>2015-05-12</discovery>
<entry>2015-06-16</entry>
<modified>2017-03-18</modified>
</dates>
</vuln>
<vuln vid="c470db07-1098-11e5-b6a8-002590263bf5">
<topic>security/ossec-hids-* -- root escalation via syscheck feature</topic>
<affects>
<package>
<name>ossec-hids-server</name>
<name>ossec-hids-client</name>
<name>ossec-hids-local</name>
<range><ge>2.7</ge><lt>2.8.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OSSEC reports:</p>
<blockquote cite="http://www.ossec.net/?p=1198">
<p>The CVE-2015-3222 vulnerability, which allows for root escalation
via syscheck, has been fixed in OSSEC 2.8.2. This issue does not
affect agents.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3222</cvename>
<freebsdpr>ports/200801</freebsdpr>
<url>http://www.ossec.net/?p=1198</url>
<url>https://github.com/ossec/ossec-hids/releases/tag/2.8.2</url>
</references>
<dates>
<discovery>2015-06-11</discovery>
<entry>2015-06-12</entry>
</dates>
</vuln>
<vuln vid="8305e215-1080-11e5-8ba2-000c2980a9f3">
<topic>openssl -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.2_2</lt></range>
</package>
<package>
<name>mingw32-openssl</name>
<range><ge>1.0.1</ge><lt>1.0.2b</lt></range>
</package>
<package>
<name>linux-c6-openssl</name>
<range><lt>1.0.1e_6</lt></range>
</package>
<package>
<name>libressl</name>
<range><lt>2.1.7</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.1</ge><lt>10.1_12</lt></range>
<range><ge>9.3</ge><lt>9.3_16</lt></range>
<range><ge>8.4</ge><lt>8.4_30</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSL team reports:</p>
<blockquote cite="https://www.openssl.org/news/secadv_20150611.txt">
<ul>
<li>Missing DHE man-in-the-middle protection (Logjam)
(CVE-2015-4000)</li>
<li>Malformed ECParameters causes infinite loop (CVE-2015-1788)</li>
<li>Exploitable out-of-bounds read in X509_cmp_time
(CVE-2015-1789)</li>
<li>PKCS#7 crash with missing EnvelopedContent (CVE-2015-1790)</li>
<li>CMS verify infinite loop with unknown hash function
(CVE-2015-1792)</li>
<li>Race condition handling NewSessionTicket (CVE-2015-1791)</li>
<li>Invalid free in DTLS (CVE-2014-8176)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-8176</cvename>
<cvename>CVE-2015-1788</cvename>
<cvename>CVE-2015-1789</cvename>
<cvename>CVE-2015-1790</cvename>
<cvename>CVE-2015-1791</cvename>
<cvename>CVE-2015-1792</cvename>
<cvename>CVE-2015-4000</cvename>
<freebsdsa>SA-15:10.openssl</freebsdsa>
<url>https://www.openssl.org/news/secadv_20150611.txt</url>
</references>
<dates>
<discovery>2015-06-11</discovery>
<entry>2015-06-11</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="1e63db88-1050-11e5-a4df-c485083ca99c">
<topic>Adobe Flash Player -- critical vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<range><lt>11.2r202.466</lt></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.466</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-11.html">
<p>
Adobe has released security updates for Adobe Flash Player for
Windows, Macintosh and Linux. These updates address vulnerabilities
that could potentially allow an attacker to take control of the
affected system.
</p>
<p>
These updates resolve a vulnerability (CVE-2015-3096) that could be
exploited to bypass the fix for CVE-2014-5333.
</p>
<p>
These updates improve memory address randomization of the Flash heap
for the Windows 7 64-bit platform (CVE-2015-3097).
</p>
<p>
These updates resolve vulnerabilities that could be exploited to
bypass the same-origin-policy and lead to information disclosure
(CVE-2015-3098, CVE-2015-3099, CVE-2015-3102).
</p>
<p>
These updates resolve a stack overflow vulnerability that could lead
to code execution (CVE-2015-3100).
</p>
<p>
These updates resolve a permission issue in the Flash broker for
Internet Explorer that could be exploited to perform privilege
escalation from low to medium integrity level (CVE-2015-3101).
</p>
<p>
These updates resolve an integer overflow vulnerability that could
lead to code execution (CVE-2015-3104).
</p>
<p>
These updates resolve a memory corruption vulnerability that could
lead to code execution (CVE-2015-3105).
</p>
<p>
These updates resolve use-after-free vulnerabilities that could lead
to code execution (CVE-2015-3103, CVE-2015-3106, CVE-2015-3107).
</p>
<p>
These updates resolve a memory leak vulnerability that could be used
to bypass ASLR (CVE-2015-3108).
</p>
</blockquote>
</body>
</description>
<references>
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-11.html</url>
<cvename>CVE-2015-3096</cvename>
<cvename>CVE-2015-3097</cvename>
<cvename>CVE-2015-3098</cvename>
<cvename>CVE-2015-3099</cvename>
<cvename>CVE-2015-3100</cvename>
<cvename>CVE-2015-3101</cvename>
<cvename>CVE-2015-3102</cvename>
<cvename>CVE-2015-3103</cvename>
<cvename>CVE-2015-3104</cvename>
<cvename>CVE-2015-3105</cvename>
<cvename>CVE-2015-3106</cvename>
<cvename>CVE-2015-3107</cvename>
<cvename>CVE-2015-3108</cvename>
</references>
<dates>
<discovery>2015-06-09</discovery>
<entry>2015-06-11</entry>
</dates>
</vuln>
<vuln vid="10a6d0aa-0b1c-11e5-bb90-002590263bf5">
<topic>libzmq4 -- V3 protocol handler vulnerable to downgrade attacks</topic>
<affects>
<package>
<name>libzmq4</name>
<range><ge>4.0.0</ge><lt>4.0.6</lt></range>
<range><ge>4.1.0</ge><lt>4.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Pieter Hintjens reports:</p>
<blockquote cite="https://github.com/zeromq/libzmq/issues/1273">
<p>It is easy to bypass the security mechanism in 4.1.0 and 4.0.5 by
sending a ZMTP v2 or earlier header. The library accepts such
connections without applying its security mechanism.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-9721</cvename>
<url>https://github.com/zeromq/libzmq/issues/1273</url>
<mlist>http://www.openwall.com/lists/oss-security/2015/05/07/8</mlist>
<freebsdpr>ports/200502</freebsdpr>
</references>
<dates>
<discovery>2014-12-04</discovery>
<entry>2015-06-10</entry>
<modified>2015-09-28</modified>
</dates>
</vuln>
<vuln vid="8fbd4187-0f18-11e5-b6a8-002590263bf5">
<topic>pgbouncer -- remote denial of service</topic>
<affects>
<package>
<name>pgbouncer</name>
<range><lt>1.5.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PgBouncer reports:</p>
<blockquote cite="https://pgbouncer.github.io/2015/04/pgbouncer-1-5-5/">
<p>Fix remote crash - invalid packet order causes lookup of NULL pointer. Not
exploitable, just DoS.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4054</cvename>
<url>https://pgbouncer.github.io/2015/04/pgbouncer-1-5-5/</url>
<mlist>http://www.openwall.com/lists/oss-security/2015/05/21/2</mlist>
<freebsdpr>ports/200507</freebsdpr>
</references>
<dates>
<discovery>2015-04-08</discovery>
<entry>2015-06-10</entry>
<modified>2015-09-28</modified>
</dates>
</vuln>
<vuln vid="a40ec970-0efa-11e5-90e4-d050996490d0">
<topic>cups -- multiple vulnerabilities</topic>
<affects>
<package>
<name>cups-base</name>
<range><lt>2.0.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CUPS development team reports:</p>
<blockquote cite="https://cups.org/blog.php?L1082">
<p>The new release addresses two security vulnerabilities,
adds localizations for German and Russian, and includes
several general bug fixes. Changes include:</p>
<p>Security: Fixed CERT VU #810572/CVE-2015-1158/CVE-2015-1159
exploiting the dynamic linker (STR #4609)</p>
<p>Security: The scheduler could hang with malformed
gzip data (STR #4602)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1158</cvename>
<cvename>CVE-2015-1159</cvename>
<url>https://cups.org/blog.php?L1082</url>
<url>https://www.kb.cert.org/vuls/id/810572</url>
</references>
<dates>
<discovery>2015-06-09</discovery>
<entry>2015-06-09</entry>
</dates>
</vuln>
<vuln vid="55363e65-0e71-11e5-8027-00167671dd1d">
<topic>strongswan -- Denial-of-service and potential remote code execution vulnerability</topic>
<affects>
<package>
<name>strongswan</name>
<range><ge>5.2.2</ge><lt>5.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>strongSwan Project reports:</p>
<blockquote cite="https://www.strongswan.org/blog/2015/06/01/strongswan-vulnerability-(cve-2015-3991).html">
<p>A denial-of-service and potential remote code execution vulnerability
triggered by crafted IKE messages was discovered in strongSwan. Versions
5.2.2 and 5.3.0 are affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3991</cvename>
<url>https://www.strongswan.org/blog/2015/06/01/strongswan-vulnerability-(cve-2015-3991).html</url>
</references>
<dates>
<discovery>2015-05-15</discovery>
<entry>2015-06-09</entry>
<modified>2015-09-28</modified>
</dates>
</vuln>
<vuln vid="10d14955-0e45-11e5-b6a8-002590263bf5">
<topic>strongswan -- Information Leak Vulnerability</topic>
<affects>
<package>
<name>strongswan</name>
<range><ge>4.3.0</ge><lt>5.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>strongSwan Project reports:</p>
<blockquote cite="http://www.strongswan.org/blog/2015/06/08/strongswan-5.3.2-released.html">
<p>An information leak vulnerability was fixed that, in certain IKEv2
setups, allowed rogue servers with a valid certificate accepted by
the client to trick it into disclosing user credentials (even plain
passwords if the client accepts EAP-GTC). This was caused because
constraints against the server's authentication were enforced too
late. All versions since 4.3.0 are affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4171</cvename>
<url>http://www.strongswan.org/blog/2015/06/08/strongswan-5.3.2-released.html</url>
</references>
<dates>
<discovery>2015-06-08</discovery>
<entry>2015-06-09</entry>
</dates>
</vuln>
<vuln vid="838fa84a-0e25-11e5-90e4-d050996490d0">
<topic>redis -- EVAL Lua Sandbox Escape</topic>
<affects>
<package>
<name>redis</name>
<name>redis-devel</name>
<range><ge>2.6.0</ge><lt>2.8.21</lt></range>
<range><ge>3.0</ge><lt>3.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ben Murphy reports:</p>
<blockquote cite="http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/">
<p>It is possible to break out of the Lua sandbox in
Redis and execute arbitrary code.</p>
<p>This shouldn’t pose a threat to users under the
trusted Redis security model where only trusted
users can connect to the database. However, in real
deployments there could be databases that can be
accessed by untrusted users. The main deployments
that are vulnerable are developers' machines, places
where redis servers can be reached via SSRF attacks
and cloud hosting.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4335</cvename>
<url>http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/</url>
</references>
<dates>
<discovery>2015-06-04</discovery>
<entry>2015-06-08</entry>
</dates>
</vuln>
<vuln vid="bd1ab7a5-0e01-11e5-9976-a0f3c100ae18">
<topic>tidy -- heap-buffer-overflow</topic>
<affects>
<package>
<name>tidy4</name>
<range><le>20000804_3</le></range>
</package>
<package>
<name>tidy-devel</name>
<range><le>090315.c_2</le></range>
</package>
<package>
<name>tidy-lib</name>
<range><le>090315.c_2</le></range>
</package>
<package>
<name>tidy-html5</name>
<range><lt>4.9.31</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Geoff McLane reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q2/633">
<p>tidy is affected by a write out of bounds when processing malformed html files.</p>
<p>This issue could be abused on server side applications that use php-tidy extension with user input.</p>
<p>The issue was confirmed, analyzed, and fixed by the tidy5 maintainer.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/htacg/tidy-html5/issues/217</url>
<url>http://seclists.org/oss-sec/2015/q2/633</url>
<url>http://seclists.org/oss-sec/2015/q3/116</url>
<cvename>CVE-2015-5522</cvename>
<cvename>CVE-2015-5523</cvename>
</references>
<dates>
<discovery>2015-06-03</discovery>
<entry>2015-06-08</entry>
<modified>2015-07-15</modified>
</dates>
</vuln>
<vuln vid="e69af246-0ae2-11e5-90e4-d050996490d0">
<topic>pcre -- multiple vulnerabilities</topic>
<affects>
<package>
<name>pcre</name>
<range><lt>8.37_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Venustech ADLAB reports:</p>
<blockquote cite="https://bugs.exim.org/show_bug.cgi?id=1636">
<p>PCRE library is prone to a vulnerability which leads
to Heap Overflow. During the compilation of a malformed
regular expression, more data is written on the malloced
block than the expected size output by compile_regex.</p>
</blockquote>
<blockquote cite="https://bugs.exim.org/show_bug.cgi?id=1638">
<p>PCRE library is prone to a vulnerability which leads to
Stack Overflow. Without enough bound checking inside
match(), the stack memory could be overflowed via a
crafted regular expression.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3210</cvename>
<cvename>CVE-2015-3217</cvename>
<url>https://bugs.exim.org/show_bug.cgi?id=1636</url>
<url>https://bugs.exim.org/show_bug.cgi?id=1638</url>
</references>
<dates>
<discovery>2015-05-29</discovery>
<entry>2015-06-04</entry>
<modified>2015-06-07</modified>
</dates>
</vuln>
<vuln vid="bbc0db92-084c-11e5-bb90-002590263bf5">
<topic>hostapd and wpa_supplicant -- multiple vulnerabilities</topic>
<affects>
<package>
<name>hostapd</name>
<range><lt>2.4_1</lt></range>
</package>
<package>
<name>wpa_supplicant</name>
<range><lt>2.4_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jouni Malinen reports:</p>
<blockquote cite="http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt">
<p>WPS UPnP vulnerability with HTTP chunked transfer encoding. (2015-2
- CVE-2015-4141)</p>
</blockquote>
<blockquote cite="http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt">
<p>Integer underflow in AP mode WMM Action frame processing. (2015-3 -
CVE-2015-4142)</p>
</blockquote>
<blockquote cite="http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt">
<p>EAP-pwd missing payload length validation. (2015-4 - CVE-2015-4143,
CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)</p>
</blockquote>
</body>
</description>
<references>
<url>http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt</url>
<url>http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt</url>
<url>http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt</url>
<cvename>CVE-2015-4141</cvename>
<cvename>CVE-2015-4142</cvename>
<cvename>CVE-2015-4143</cvename>
<cvename>CVE-2015-4144</cvename>
<cvename>CVE-2015-4145</cvename>
<cvename>CVE-2015-4146</cvename>
<mlist>http://openwall.com/lists/oss-security/2015/05/31/6</mlist>
</references>
<dates>
<discovery>2015-05-04</discovery>
<entry>2015-06-01</entry>
</dates>
</vuln>
<vuln vid="65b14d39-d01f-419c-b0b8-5df60b929973">
<topic>ffmpeg -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ffmpeg</name>
<name>ffmpeg0</name>
<range><lt>0.7.17,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Please reference the CVE/URL list for details.</p>
</body>
</description>
<references>
<cvename>CVE-2012-5150</cvename>
<cvename>CVE-2014-4609</cvename>
<cvename>CVE-2014-8541</cvename>
<cvename>CVE-2014-8542</cvename>
<cvename>CVE-2014-8543</cvename>
<cvename>CVE-2014-8545</cvename>
<cvename>CVE-2014-8547</cvename>
<cvename>CVE-2014-8548</cvename>
<cvename>CVE-2014-9316</cvename>
<cvename>CVE-2014-9317</cvename>
<cvename>CVE-2014-9603</cvename>
<cvename>CVE-2015-1872</cvename>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=c3ece52decafc4923aebe7fd74b274e9ebb1962e</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=1b291e0466308b341bc2e8c2a49d44862400f014</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=b5e661bcd2bb4fe771cb2c1e21215c68e6a17665</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=cd3c4d8c55222337b0b59af4ea1fecfb46606e5e</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=73962e677d871fa0dde5385ee04ea07c048d8864</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=7a5590ef4282e19d48d70cba0bc4628c13ec6fd8</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=ef32bc8dde52439afd13988f56012a9f4dd55a83</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=5b2097626d0e4ccb432d7d8ab040aa8dbde9eb3a</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=30e8a375901f8802853fd6d478b77a127d208bd6</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=cb1db92cca98f963e91f421ee0c84f8866325a73</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=fac6f744d8170585f05e098ce9c9f27eeffa818e</url>
<url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=75b0cfcf105c8720a47a2ee80a70ba16799d71b7</url>
<url>https://ffmpeg.org/security.html</url>
</references>
<dates>
<discovery>2015-03-12</discovery>
<entry>2015-06-02</entry>
</dates>
</vuln>
<vuln vid="022255be-0895-11e5-a242-5404a68ad561">
<topic>avidemux26 -- multiple vulnerabilities in bundled FFmpeg</topic>
<affects>
<package>
<name>avidemux2</name>
<range><lt>2.6.8</lt></range>
</package>
<package>
<name>avidemux26</name>
<range><lt>2.6.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mageia project reports:</p>
<blockquote cite="http://advisories.mageia.org/MGASA-2015-0233.html">
<p>Avidemux is built with a bundled set of FFmpeg libraries.
The bundled FFmpeg version has been updated from 1.2.10
to 1.2.12 to fix these security issues and other bugs
fixed upstream in FFmpeg.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-9316</cvename>
<cvename>CVE-2014-9317</cvename>
<cvename>CVE-2014-9603</cvename>
<cvename>CVE-2014-9604</cvename>
<cvename>CVE-2015-1872</cvename>
<cvename>CVE-2015-3417</cvename>
<freebsdpr>ports/200507</freebsdpr>
<url>http://advisories.mageia.org/MGASA-2015-0233.html</url>
</references>
<dates>
<discovery>2015-05-18</discovery>
<entry>2015-06-01</entry>
<modified>2015-09-28</modified>
</dates>
</vuln>
<vuln vid="ffe2d86c-07d9-11e5-9a28-001e67150279">
<topic>rest-client -- plaintext password disclosure</topic>
<affects>
<package>
<name>rubygem-rest-client</name>
<range><lt>1.6.7_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Open Sourced Vulnerability Database reports:</p>
<blockquote cite="http://osvdb.org/show/osvdb/117461">
<p>REST Client for Ruby contains a flaw that is due to the application
logging password information in plaintext. This may allow a local
attacker to gain access to password information.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3448</cvename>
<freebsdpr>ports/200504</freebsdpr>
<url>https://github.com/rest-client/rest-client/issues/349</url>
<url>http://osvdb.org/show/osvdb/117461</url>
</references>
<dates>
<discovery>2015-01-12</discovery>
<entry>2015-05-31</entry>
<modified>2015-09-28</modified>
</dates>
</vuln>
<vuln vid="83a7a720-07d8-11e5-9a28-001e67150279">
<topic>rest-client -- session fixation vulnerability</topic>
<affects>
<package>
<name>rubygem-rest-client</name>
<range><lt>1.6.7_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Andy Brody reports:</p>
<blockquote cite="https://github.com/rest-client/rest-client/issues/369">
<p>When Ruby rest-client processes an HTTP redirection response,
it blindly passes along the values from any Set-Cookie headers to the
redirection target, regardless of domain, path, or expiration.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1820</cvename>
<freebsdpr>ports/200504</freebsdpr>
<url>https://github.com/rest-client/rest-client/issues/369</url>
</references>
<dates>
<discovery>2015-03-24</discovery>
<entry>2015-05-31</entry>
<modified>2015-09-28</modified>
</dates>
</vuln>
<vuln vid="cfb12f02-06e1-11e5-8fda-002590263bf5">
<topic>cabextract -- directory traversal with UTF-8 symbols in filenames</topic>
<affects>
<package>
<name>cabextract</name>
<range><lt>1.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Cabextract ChangeLog reports:</p>
<blockquote cite="http://www.cabextract.org.uk/#changes">
<p>It was possible for cabinet files to extract to absolute file
locations, and it was possible on Cygwin to get around cabextract's
absolute and relative path protections by using backslashes.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.cabextract.org.uk/#changes</url>
<mlist>http://www.openwall.com/lists/oss-security/2015/02/18/3</mlist>
<cvename>CVE-2015-2060</cvename>
</references>
<dates>
<discovery>2015-02-18</discovery>
<entry>2015-05-31</entry>
</dates>
</vuln>
<vuln vid="cc7548ef-06e1-11e5-8fda-002590263bf5">
<topic>libmspack -- frame_end overflow which could cause infinite loop</topic>
<affects>
<package>
<name>libmspack</name>
<range><lt>0.5</lt></range>
</package>
<package>
<name>cabextract</name>
<range><lt>1.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>There is a denial of service vulnerability in libmspack. The
libmspack code is built into cabextract, so it is also
vulnerable.</p>
<p>MITRE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9556">
<p>Integer overflow in the qtmd_decompress function in libmspack 0.4
allows remote attackers to cause a denial of service (hang) via a
crafted CAB file, which triggers an infinite loop.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-9556</cvename>
<url>https://bugs.debian.org/773041</url>
<mlist>http://www.openwall.com/lists/oss-security/2015/01/07/2</mlist>
</references>
<dates>
<discovery>2014-12-11</discovery>
<entry>2015-05-31</entry>
</dates>
</vuln>
<vuln vid="48504af7-07ad-11e5-879c-00e0814cab4e">
<topic>django -- Fixed session flushing in the cached_db backend</topic>
<affects>
<package>
<name>py27-django</name>
<range><ge>1.8</ge><lt>1.8.2</lt></range>
</package>
<package>
<name>py32-django</name>
<range><ge>1.8</ge><lt>1.8.2</lt></range>
</package>
<package>
<name>py33-django</name>
<range><ge>1.8</ge><lt>1.8.2</lt></range>
</package>
<package>
<name>py34-django</name>
<range><ge>1.8</ge><lt>1.8.2</lt></range>
</package>
<package>
<name>py27-django-devel</name>
<range><lt>20150531,1</lt></range>
</package>
<package>
<name>py32-django-devel</name>
<range><lt>20150531,1</lt></range>
</package>
<package>
<name>py33-django-devel</name>
<range><lt>20150531,1</lt></range>
</package>
<package>
<name>py34-django-devel</name>
<range><lt>20150531,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Django project reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2015/may/20/security-release/">
<p>A change to session.flush() in the cached_db session backend in
Django 1.8 mistakenly sets the session key to an empty string
rather than None. An empty string is treated as a valid session key
and the session cookie is set accordingly. Any users with an empty
string in their session cookie will use the same session store.
session.flush() is called by django.contrib.auth.logout() and, more
seriously, by django.contrib.auth.login() when a user switches accounts.
If a user is logged in and logs in again to a different account
(without logging out) the session is flushed to avoid reuse.
After the session is flushed (and its session key becomes '') the
account details are set on the session and the session is saved.
Any users with an empty string in their session cookie will now be
logged into that account.</p>
<p>Thanks to Sam Cooke for reporting the issue.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.djangoproject.com/weblog/2015/may/20/security-release/</url>
<cvename>CVE-2015-3982</cvename>
</references>
<dates>
<discovery>2015-05-20</discovery>
<entry>2015-05-31</entry>
</dates>
</vuln>
<vuln vid="9471ec47-05a2-11e5-8fda-002590263bf5">
<topic>proxychains-ng -- current path as the first directory for the library search path</topic>
<affects>
<package>
<name>proxychains-ng</name>
<range><lt>4.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mamoru TASAKA reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2015/q2/430">
<p>proxychains4 sets LD_PRELOAD to dlopen libproxychains4.so
and execvp() the arbitrary command the user has specified.
proxychains4 sets the current directory as the first path
to search for libproxychains4.so.</p>
</blockquote>
</body>
</description>
<references>
<mlist>http://openwall.com/lists/oss-security/2015/05/12/6</mlist>
<mlist>http://seclists.org/oss-sec/2015/q2/430</mlist>
<cvename>CVE-2015-3887</cvename>
</references>
<dates>
<discovery>2015-05-11</discovery>
<entry>2015-05-29</entry>
</dates>
</vuln>
<vuln vid="a13500d0-0570-11e5-aab1-d050996490d0">
<topic>wireshark -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wireshark</name>
<name>wireshark-lite</name>
<name>tshark</name>
<name>tshark-lite</name>
<range><lt>1.12.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark development team reports:</p>
<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-1.12.5.html">
<p>The following vulnerabilities have been fixed.</p>
<ul>
<li><p>wnpa-sec-2015-12</p>
<p>The LBMR dissector could go into an infinite loop.
(Bug 11036) CVE-2015-3808, CVE-2015-3809</p></li>
<li><p>wnpa-sec-2015-13</p>
<p>The WebSocket dissector could recurse excessively.
(Bug 10989) CVE-2015-3810</p></li>
<li><p>wnpa-sec-2015-14</p>
<p>The WCP dissector could crash while decompressing data.
(Bug 10978) CVE-2015-3811</p></li>
<li><p>wnpa-sec-2015-15</p>
<p>The X11 dissector could leak memory. (Bug 11088)
CVE-2015-3812</p></li>
<li><p>wnpa-sec-2015-16</p>
<p>The packet reassembly code could leak memory.
(Bug 11129) CVE-2015-3813</p></li>
<li><p>wnpa-sec-2015-17</p>
<p>The IEEE 802.11 dissector could go into an infinite loop.
(Bug 11110) CVE-2015-3814</p></li>
<li><p>wnpa-sec-2015-18</p>
<p>The Android Logcat file parser could crash. Discovered by
Hanno Böck. (Bug 11188) CVE-2015-3815</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3808</cvename>
<cvename>CVE-2015-3809</cvename>
<cvename>CVE-2015-3810</cvename>
<cvename>CVE-2015-3811</cvename>
<cvename>CVE-2015-3812</cvename>
<cvename>CVE-2015-3813</cvename>
<cvename>CVE-2015-3814</cvename>
<cvename>CVE-2015-3815</cvename>
<url>https://www.wireshark.org/docs/relnotes/wireshark-1.12.5.html</url>
<url>https://www.wireshark.org/security/wnpa-sec-2015-12.html</url>
<url>https://www.wireshark.org/security/wnpa-sec-2015-13.html</url>
<url>https://www.wireshark.org/security/wnpa-sec-2015-14.html</url>
<url>https://www.wireshark.org/security/wnpa-sec-2015-15.html</url>
<url>https://www.wireshark.org/security/wnpa-sec-2015-16.html</url>
<url>https://www.wireshark.org/security/wnpa-sec-2015-17.html</url>
<url>https://www.wireshark.org/security/wnpa-sec-2015-18.html</url>
</references>
<dates>
<discovery>2015-05-12</discovery>
<entry>2015-05-28</entry>
</dates>
</vuln>
<vuln vid="406636fe-055d-11e5-aab1-d050996490d0">
<topic>krb5 -- requires_preauth bypass in PKINIT-enabled KDC</topic>
<affects>
<package>
<name>krb5</name>
<range><lt>1.13.2</lt></range>
</package>
<package>
<name>krb5-112</name>
<range><lt>1.12.3_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MIT reports:</p>
<blockquote cite="http://krbdev.mit.edu/rt/Ticket/Display.html?id=8160">
<p>In MIT krb5 1.12 and later, when the KDC is configured
with PKINIT support, an unauthenticated remote attacker
can bypass the requires_preauth flag on a client principal
and obtain a ciphertext encrypted in the principal's
long-term key. This ciphertext could be used to conduct
an off-line dictionary attack against the user's password.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2694</cvename>
<url>http://krbdev.mit.edu/rt/Ticket/Display.html?id=8160</url>
</references>
<dates>
<discovery>2015-05-25</discovery>
<entry>2015-05-28</entry>
</dates>
</vuln>
<vuln vid="27f742f6-03f4-11e5-aab1-d050996490d0">
<topic>cURL -- sensitive HTTP server headers also sent to proxies</topic>
<affects>
<package>
<name>curl</name>
<range><lt>7.42.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>cURL reports:</p>
<blockquote cite="http://curl.haxx.se/docs/adv_20150429.html">
<p>libcurl provides applications a way to set custom HTTP
headers to be sent to the server by using CURLOPT_HTTPHEADER.
A similar option is available for the curl command-line
tool with the '--header' option.</p>
<p>When the connection passes through an HTTP proxy the
same set of headers is sent to the proxy as well by default.
While this is by design, it has not necessarily been clear
nor understood by application programmers.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3153</cvename>
<url>http://curl.haxx.se/docs/adv_20150429.html</url>
</references>
<dates>
<discovery>2015-04-29</discovery>
<entry>2015-05-26</entry>
</dates>
</vuln>
<vuln vid="6294f75f-03f2-11e5-aab1-d050996490d0">
<topic>cURL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>curl</name>
<range><lt>7.42.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>cURL reports:</p>
<blockquote cite="http://curl.haxx.se/docs/adv_20150422A.html">
<p>libcurl keeps a pool of its last few connections around
after use to facilitate easy, convenient, and completely
transparent connection re-use for applications.</p>
<p>When doing HTTP requests NTLM authenticated, the entire
connection becomes authenticated and not just the
specific HTTP request which is otherwise how HTTP works.
This makes NTLM special and a subject for special
treatment in the code. With NTLM, once the connection is
authenticated, no further authentication is necessary until
the connection gets closed.</p>
</blockquote>
<blockquote cite="http://curl.haxx.se/docs/adv_20150422B.html">
<p>When doing HTTP requests Negotiate authenticated, the
entire connection may become authenticated and not just
the specific HTTP request which is otherwise how HTTP
works, as Negotiate can basically use NTLM under the hood.
curl was not adhering to this fact but would assume that
such requests would also be authenticated per request.</p>
</blockquote>
<blockquote cite="http://curl.haxx.se/docs/adv_20150422C.html">
<p>libcurl supports HTTP "cookies" as documented in RFC 6265.
Together with each individual cookie there are several
different properties, but for this vulnerability we
focus on the associated "path" element. It tells
information about for which path on a given host the
cookie is valid.</p>
<p>The internal libcurl function called sanitize_cookie_path()
that cleans up the path element as given to it from a
remote site or when read from a file, did not properly
validate the input. If given a path that consisted of a
single double-quote, libcurl would index a newly
allocated memory area with index -1 and assign a zero
to it, thus destroying heap memory it wasn't supposed to.</p>
</blockquote>
<blockquote cite="http://curl.haxx.se/docs/adv_20150422D.html">
<p>There is a private function in libcurl called fix_hostname()
that removes a trailing dot from the host name if there is
one. The function is called after the host name has been
extracted from the URL libcurl has been told to act on.</p>
<p>If a URL is given with a zero-length host name, like in
"http://:80" or just ":80", fix_hostname() will index the
host name pointer with a -1 offset (as it blindly assumes
a non-zero length) and both read and assign that address.</p>
</blockquote>
</body>
</description>
<references>
<url>http://curl.haxx.se/docs/adv_20150422A.html</url>
<url>http://curl.haxx.se/docs/adv_20150422B.html</url>
<url>http://curl.haxx.se/docs/adv_20150422C.html</url>
<url>http://curl.haxx.se/docs/adv_20150422D.html</url>
<cvename>CVE-2014-3143</cvename>
<cvename>CVE-2014-3144</cvename>
<cvename>CVE-2014-3145</cvename>
<cvename>CVE-2014-3148</cvename>
</references>
<dates>
<discovery>2015-04-22</discovery>
<entry>2015-05-26</entry>
</dates>
</vuln>
<vuln vid="607f4d44-0158-11e5-8fda-002590263bf5">
<topic>cassandra -- remote execution of arbitrary code</topic>
<affects>
<package>
<name>cassandra</name>
<range><ge>1.2.0</ge><le>1.2.19</le></range>
</package>
<package>
<name>cassandra2</name>
<range><ge>2.0.0</ge><lt>2.0.14</lt></range>
<range><ge>2.1.0</ge><lt>2.1.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jake Luciani reports:</p>
<blockquote cite="http://mail-archives.apache.org/mod_mbox/cassandra-dev/201504.mbox/raw/%3CCALamADJu4yo=cO8HgA6NpgFc1wQN_VNqpkMn-3SZwhPq9foLBw@mail.gmail.com%3E/">
<p>Under its default configuration, Cassandra binds an unauthenticated
JMX/RMI interface to all network interfaces. As RMI is an API for the
transport and remote execution of serialized Java, anyone with access
to this interface can execute arbitrary code as the running user.</p>
<p>Mitigation:</p>
<p>1.2.x has reached EOL, so users of &lt;= 1.2.x are recommended to upgrade
to a supported version of Cassandra, or manually configure encryption
and authentication of JMX
(see https://wiki.apache.org/cassandra/JmxSecurity).</p>
<p>2.0.x users should upgrade to 2.0.14.</p>
<p>2.1.x users should upgrade to 2.1.4.</p>
<p>Alternately, users of any version not wishing to upgrade can
reconfigure JMX/RMI to enable encryption and authentication according
to https://wiki.apache.org/cassandra/JmxSecurity or
http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html</p>
<p>Credit:</p>
<p>This issue was discovered by Georgi Geshev of MWR InfoSecurity</p>
</blockquote>
</body>
</description>
<references>
<url>http://mail-archives.apache.org/mod_mbox/cassandra-dev/201504.mbox/raw/%3CCALamADJu4yo=cO8HgA6NpgFc1wQN_VNqpkMn-3SZwhPq9foLBw@mail.gmail.com%3E/</url>
<cvename>CVE-2015-0225</cvename>
</references>
<dates>
<discovery>2015-04-01</discovery>
<entry>2015-05-24</entry>
</dates>
</vuln>
<vuln vid="865863af-fb5e-11e4-8fda-002590263bf5">
<topic>py-salt -- potential shell injection vulnerabilities</topic>
<affects>
<package>
<name>py27-salt</name>
<range><lt>2015.5.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Colton Myers reports:</p>
<blockquote cite="http://docs.saltstack.com/en/latest/topics/releases/2015.5.0.html">
<p>In order to fix potential shell injection vulnerabilities in salt
modules, a change has been made to the various cmd module functions.
These functions now default to python_shell=False, which means that
the commands will not be sent to an actual shell.</p>
<p>The largest side effect of this change is that "shellisms", such as
pipes, will not work by default. The modules shipped with salt have
been audited to fix any issues that might have arisen from this
change. Additionally, the cmd state module has been unaffected, and
use of cmd.run in jinja is also unaffected. cmd.run calls on the
CLI will also allow shellisms.</p>
<p>However, custom execution modules which use shellisms in cmd calls
will break, unless you pass python_shell=True to these calls.</p>
<p>As a temporary workaround, you can set cmd_safe: False in your
minion and master configs. This will revert the default, but is
also less secure, as it will allow shell injection vulnerabilities
to be written in custom code. We recommend you only set this
setting for as long as it takes to resolve these issues in your
custom code, then remove the override.</p>
</blockquote>
</body>
</description>
<references>
<url>http://docs.saltstack.com/en/latest/topics/releases/2015.5.0.html</url>
</references>
<dates>
<discovery>2015-05-11</discovery>
<entry>2015-05-24</entry>
</dates>
</vuln>
<vuln vid="384fc0b2-0144-11e5-8fda-002590263bf5">
<topic>davmail -- fix potential CVE-2014-3566 vulnerability (POODLE)</topic>
<affects>
<package>
<name>davmail</name>
<range><lt>4.6.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mickaël Guessant reports:</p>
<blockquote cite="http://sourceforge.net/p/davmail/mailman/message/33279118/">
<p>DavMail 4.6.0 released</p>
<p>Enhancements: Fix potential CVE-2014-3566 vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>http://sourceforge.net/p/davmail/mailman/message/33279118/</url>
<url>http://sourceforge.net/p/davmail/code/2322/</url>
<cvename>CVE-2014-3566</cvename>
</references>
<dates>
<discovery>2014-10-27</discovery>
<entry>2015-05-23</entry>
</dates>
</vuln>
<vuln vid="7927165a-0126-11e5-9d98-080027ef73ec">
<topic>dnsmasq -- remotely exploitable buffer overflow in release candidate</topic>
<affects>
<package>
<name>dnsmasq-devel</name>
<range><ge>2.73rc6</ge><lt>2.73rc8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Simon Kelley reports:</p>
<blockquote cite="http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009529.html">
<p>Anyone running 2.[73]rc6 or 2.[73]rc7 should be aware that there's a
remotely exploitable buffer overflow in those trees. I just tagged
2.[73]rc8, which includes the fix.</p>
</blockquote>
<p>(Corrections from second URL.)</p>
</body>
</description>
<references>
<url>http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009529.html</url>
<url>http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009535.html</url>
</references>
<dates>
<discovery>2015-05-15</discovery>
<entry>2015-05-23</entry>
</dates>
</vuln>
<vuln vid="37569eb7-0125-11e5-9d98-080027ef73ec">
<topic>dnsmasq -- data exposure and denial of service</topic>
<affects>
<package>
<name>dnsmasq</name>
<range><lt>2.72_1</lt></range>
</package>
<package>
<name>dnsmasq-devel</name>
<range><lt>2.73rc4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Nick Sampanis reported a potential memory exposure and denial of service
vulnerability against dnsmasq 2.72. The CVE entry summarizes this as:</p>
<blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3294">
<p>The tcp_request function in Dnsmasq before 2.73rc4
does not properly handle the return value of the setup_reply function,
which allows remote attackers to read process memory and cause a
denial of service (out-of-bounds read and crash) via a malformed DNS
request.</p>
</blockquote>
</body>
</description>
<references>
<url>http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009382.html</url>
<cvename>CVE-2015-3294</cvename>
<url>http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=ad4a8ff7d9097008d7623df8543df435bfddeac8</url>
</references>
<dates>
<discovery>2015-04-07</discovery>
<entry>2015-05-23</entry>
</dates>
</vuln>
<vuln vid="4a88e3ed-00d3-11e5-a072-d050996490d0">
<topic>pcre -- multiple vulnerabilities</topic>
<affects>
<package>
<name>pcre</name>
<range><lt>8.37</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PCRE development team reports:</p>
<blockquote cite="http://www.pcre.org/original/changelog.txt">
<p>A pattern such as "((?2){0,1999}())?", which has a group
containing a forward reference repeated a large (but limited)
number of times within a repeated outer group that has a zero
minimum quantifier, caused incorrect code to be compiled,
leading to the error "internal error: previously-checked
referenced subpattern not found" when an incorrect memory
address was read. This bug was reported as "heap overflow",
discovered by Kai Lu of Fortinet's FortiGuard Labs and given
the CVE number CVE-2015-2325.</p>
<p>A pattern such as "((?+1)(\1))/" containing a forward
reference subroutine call within a group that also contained
a recursive back reference caused incorrect code to be
compiled. This bug was reported as "heap overflow",
discovered by Kai Lu of Fortinet's FortiGuard Labs,
and given the CVE number CVE-2015-2326.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2325</cvename>
<cvename>CVE-2015-2326</cvename>
<url>http://www.pcre.org/original/changelog.txt</url>
</references>
<dates>
<discovery>2015-04-28</discovery>
<entry>2015-05-22</entry>
<modified>2015-06-07</modified>
</dates>
</vuln>
<vuln vid="31de2e13-00d2-11e5-a072-d050996490d0">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.4.41</lt></range>
</package>
<package>
<name>php55</name>
<range><lt>5.5.25</lt></range>
</package>
<package>
<name>php56</name>
<range><lt>5.6.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP development team reports:</p>
<blockquote cite="https://php.net/ChangeLog-5.php#5.6.9">
<p>Fixed bug #69364 (PHP Multipart/form-data remote DoS
Vulnerability). (CVE-2015-4024)</p>
<p>Fixed bug #69418 (CVE-2006-7243 fix regressions in
5.4+). (CVE-2015-4025)</p>
<p>Fixed bug #69545 (Integer overflow in ftp_genlist()
resulting in heap overflow). (CVE-2015-4022)</p>
<p>Fixed bug #68598 (pcntl_exec() should not allow null
char). (CVE-2015-4026)</p>
<p>Fixed bug #69453 (Memory Corruption in phar_parse_tarfile
when entry filename starts with null). (CVE-2015-4021)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4021</cvename>
<cvename>CVE-2015-4022</cvename>
<cvename>CVE-2015-4024</cvename>
<cvename>CVE-2015-4025</cvename>
<cvename>CVE-2015-4026</cvename>
<url>https://php.net/ChangeLog-5.php#5.6.9</url>
</references>
<dates>
<discovery>2015-05-14</discovery>
<entry>2015-05-22</entry>
</dates>
</vuln>
<vuln vid="fc38cd83-00b3-11e5-8ebd-0026551a22dc">
<topic>PostgreSQL -- minor security problems</topic>
<affects>
<package>
<name>postgresql90-server</name>
<range><ge>9.0.0</ge><lt>9.0.20</lt></range>
</package>
<package>
<name>postgresql91-server</name>
<range><ge>9.1.0</ge><lt>9.1.16</lt></range>
</package>
<package>
<name>postgresql92-server</name>
<range><ge>9.2.0</ge><lt>9.2.11</lt></range>
</package>
<package>
<name>postgresql93-server</name>
<range><ge>9.3.0</ge><lt>9.3.7</lt></range>
</package>
<package>
<name>postgresql94-server</name>
<range><ge>9.4.0</ge><lt>9.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PostgreSQL project reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1587/">
<p>This update fixes three security vulnerabilities reported in
PostgreSQL over the past few months. Neither of these issues is seen as
particularly urgent. However, users should examine them in case their
installations are vulnerable:</p>
<ul>
<li>CVE-2015-3165 Double "free" after authentication timeout.</li>
<li>CVE-2015-3166 Unanticipated errors from the standard library.</li>
<li>CVE-2015-3167 pgcrypto has multiple error messages for decryption with an incorrect key.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3165</cvename>
<cvename>CVE-2015-3166</cvename>
<cvename>CVE-2015-3167</cvename>
</references>
<dates>
<discovery>2015-04-10</discovery>
<entry>2015-05-22</entry>
</dates>
</vuln>
<vuln vid="d0034536-ff24-11e4-a072-d050996490d0">
<topic>proftpd -- arbitrary code execution vulnerability with chroot</topic>
<affects>
<package>
<name>proftpd</name>
<range><lt>1.3.5_7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ProFTPd development team reports:</p>
<blockquote cite="http://bugs.proftpd.org/show_bug.cgi?id=4169">
<p>Vadim Melihow reported a critical issue with proftpd
installations that use the mod_copy module's SITE CPFR/SITE
CPTO commands; mod_copy allows these commands to be used by
*unauthenticated clients*.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3306</cvename>
<url>http://bugs.proftpd.org/show_bug.cgi?id=4169</url>
</references>
<dates>
<discovery>2015-04-15</discovery>
<entry>2015-05-20</entry>
</dates>
</vuln>
<vuln vid="35431f79-fe3e-11e4-ba63-000c292ee6b8">
<topic>ipsec-tools -- Memory leak leading to denial of service</topic>
<affects>
<package>
<name>ipsec-tools</name>
<range><lt>0.8.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Javantea reports:</p>
<blockquote cite="https://www.altsci.com/ipsec/">
<p>It is a null dereference crash, leading to denial of
service against the IKE daemon.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.altsci.com/ipsec/</url>
</references>
<dates>
<discovery>2015-05-18</discovery>
<entry>2015-05-19</entry>
</dates>
</vuln>
<vuln vid="a9d456b4-fe4c-11e4-ad15-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>43.0.2357.65</lt></range>
</package>
<package>
<!-- pcbsd -->
<name>chromium-npapi</name>
<range><lt>43.0.2357.65</lt></range>
</package>
<package>
<!-- pcbsd -->
<name>chromium-pulse</name>
<range><lt>43.0.2357.65</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2015/05/stable-channel-update_19.html">
<p>37 security fixes in this release, including:</p>
<ul>
<li>[474029] High CVE-2015-1252: Sandbox escape in Chrome. Credit
to anonymous.</li>
<li>[464552] High CVE-2015-1253: Cross-origin bypass in DOM. Credit
to anonymous.</li>
<li>[444927] High CVE-2015-1254: Cross-origin bypass in Editing.
Credit to armin@rawsec.net.</li>
<li>[473253] High CVE-2015-1255: Use-after-free in WebAudio. Credit
to Khalil Zhani.</li>
<li>[478549] High CVE-2015-1256: Use-after-free in SVG. Credit to
Atte Kettunen of OUSPG.</li>
<li>[481015] High CVE-2015-1251: Use-after-free in Speech. Credit
to SkyLined working with HP's Zero Day Initiative.</li>
<li>[468519] Medium CVE-2015-1257: Container-overflow in SVG.
Credit to miaubiz.</li>
<li>[450939] Medium CVE-2015-1258: Negative-size parameter in
libvpx. Credit to cloudfuzzer.</li>
<li>[468167] Medium CVE-2015-1259: Uninitialized value in PDFium.
Credit to Atte Kettunen of OUSPG.</li>
<li>[474370] Medium CVE-2015-1260: Use-after-free in WebRTC. Credit
to Khalil Zhani.</li>
<li>[466351] Medium CVE-2015-1261: URL bar spoofing. Credit to Juho
Nurminen.</li>
<li>[476647] Medium CVE-2015-1262: Uninitialized value in Blink.
Credit to miaubiz.</li>
<li>[479162] Low CVE-2015-1263: Insecure download of spellcheck
dictionary. Credit to Mike Ruddy.</li>
<li>[481015] Low CVE-2015-1264: Cross-site scripting in bookmarks.
Credit to K0r3Ph1L.</li>
<li>[489518] CVE-2015-1265: Various fixes from internal audits,
fuzzing and other initiatives.</li>
<li>Multiple vulnerabilities in V8 fixed at the tip of the 4.3
branch (currently 4.3.61.21).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://googlechromereleases.blogspot.nl/2015/05/stable-channel-update_19.html</url>
<cvename>CVE-2015-1251</cvename>
<cvename>CVE-2015-1252</cvename>
<cvename>CVE-2015-1253</cvename>
<cvename>CVE-2015-1254</cvename>
<cvename>CVE-2015-1255</cvename>
<cvename>CVE-2015-1256</cvename>
<cvename>CVE-2015-1257</cvename>
<cvename>CVE-2015-1258</cvename>
<cvename>CVE-2015-1259</cvename>
<cvename>CVE-2015-1260</cvename>
<cvename>CVE-2015-1261</cvename>
<cvename>CVE-2015-1262</cvename>
<cvename>CVE-2015-1263</cvename>
<cvename>CVE-2015-1264</cvename>
<cvename>CVE-2015-1265</cvename>
</references>
<dates>
<discovery>2015-05-19</discovery>
<entry>2015-05-19</entry>
</dates>
</vuln>
<vuln vid="3d0428b2-fdfb-11e4-894f-d050996490d0">
<topic>clamav -- multiple vulnerabilities</topic>
<affects>
<package>
<name>clamav</name>
<range><lt>0.98.7</lt></range>
</package>
<package>
<name>clamav-devel</name>
<range><gt>0</gt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ClamAV project reports:</p>
<blockquote cite="http://blog.clamav.net/2015/04/clamav-0987-has-been-released.html">
<p>ClamAV 0.98.7 is here! This release contains new
scanning features and bug fixes.</p>
<p>Fix infinite loop condition on crafted y0da cryptor file.
Identified and patch suggested by Sebastian Andrzej Siewior.
CVE-2015-2221.</p>
<p>Fix crash on crafted petite packed file. Reported and patch
supplied by Sebastian Andrzej Siewior. CVE-2015-2222.</p>
<p>Fix an infinite loop condition on a crafted "xz" archive
file. This was reported by Dimitri Kirchner and Goulven
Guiheux. CVE-2015-2668.</p>
<p>Apply upstream patch for possible heap overflow in Henry
Spencer's regex library. CVE-2015-2305.</p>
<p>Fix crash in upx decoder with crafted file. Discovered and
patch supplied by Sebastian Andrzej Siewior. CVE-2015-2170.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2170</cvename>
<cvename>CVE-2015-2221</cvename>
<cvename>CVE-2015-2222</cvename>
<cvename>CVE-2015-2305</cvename>
<cvename>CVE-2015-2668</cvename>
<url>http://blog.clamav.net/2015/04/clamav-0987-has-been-released.html</url>
</references>
<dates>
<discovery>2015-04-29</discovery>
<entry>2015-05-19</entry>
</dates>
</vuln>
<vuln vid="a0089e18-fc9e-11e4-bc58-001e67150279">
<topic>rubygems -- request hijacking vulnerability</topic>
<affects>
<package>
<name>ruby20-gems</name>
<range><lt>2.4.7</lt></range>
</package>
<package>
<name>ruby21-gems</name>
<range><lt>2.4.7</lt></range>
</package>
<package>
<name>ruby22-gems</name>
<range><lt>2.4.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jonathan Claudius reports:</p>
<blockquote cite="http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html">
<p>RubyGems provides the ability of a domain to direct clients to a
separate host that is used to fetch gems and make API calls against.
This mechanism is implemented via DNS, specifically a SRV record
_rubygems._tcp under the original requested domain.</p>
<p>RubyGems did not validate the hostname returned in the SRV record
before sending requests to it. This left clients open to a DNS
hijack attack, whereby an attacker could return a SRV of their
choosing and get the client to use it.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/200264</freebsdpr>
<cvename>CVE-2015-3900</cvename>
<url>http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html</url>
</references>
<dates>
<discovery>2015-05-14</discovery>
<entry>2015-05-17</entry>
</dates>
</vuln>
<vuln vid="2780e442-fc59-11e4-b18b-6805ca1d3bb1">
<topic>qemu, xen and VirtualBox OSE -- possible VM escape and code execution ("VENOM")</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>0.11.1_19</lt></range>
<range><ge>0.12</ge><lt>2.3.0_1</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<range><lt>2.3.50.g20150501_1</lt></range>
</package>
<package>
<name>virtualbox-ose</name>
<range><lt>4.3.28</lt></range>
</package>
<package>
<name>xen-tools</name>
<range><ge>4.5.0</ge><lt>4.5.0_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jason Geffner, CrowdStrike Senior Security Researcher reports:</p>
<blockquote cite="http://venom.crowdstrike.com/">
<p>VENOM, CVE-2015-3456, is a security vulnerability in
the virtual floppy drive code used by many computer
virtualization platforms. This vulnerability may allow
an attacker to escape from the confines of an affected
virtual machine (VM) guest and potentially obtain
code-execution access to the host. Absent mitigation,
this VM escape could open access to the host system and
all other VMs running on that host, potentially giving
adversaries significant elevated access to the host's
local network and adjacent systems.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3456</cvename>
<freebsdpr>ports/200255</freebsdpr>
<freebsdpr>ports/200256</freebsdpr>
<freebsdpr>ports/200257</freebsdpr>
<url>http://venom.crowdstrike.com/</url>
<url>http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html</url>
<url>http://xenbits.xen.org/xsa/advisory-133.html</url>
</references>
<dates>
<discovery>2015-04-29</discovery>
<entry>2015-05-17</entry>
<modified>2015-09-28</modified>
</dates>
</vuln>
<vuln vid="49d9c28c-fbad-11e4-b0fb-00269ee29e57">
<topic>Quassel IRC -- SQL injection vulnerability</topic>
<affects>
<package>
<name>quassel</name>
<range><lt>0.11.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Quassel IRC developers report:</p>
<blockquote cite="http://www.quassel-irc.org/node/127">
<p>Restarting a PostgreSQL database while Quassel Core is running
would not properly re-initialize the database session inside Quassel,
bringing back an old security issue (CVE-2013-4422).</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/quassel/quassel/commit/6605882f41331c80f7ac3a6992650a702ec71283</url>
<cvename>CVE-2015-3427</cvename>
</references>
<dates>
<discovery>2015-04-23</discovery>
<entry>2015-05-16</entry>
</dates>
</vuln>
<vuln vid="c368155a-fa83-11e4-bc58-001e67150279">
<topic>rubygem-redcarpet -- XSS vulnerability</topic>
<affects>
<package>
<name>rubygem-redcarpet</name>
<range><lt>3.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Daniel LeCheminant reports:</p>
<blockquote cite="https://hackerone.com/reports/46916">
<p>When markdown is being presented as HTML, there seems to be a
strange interaction between _ and @ that lets an attacker insert
malicious tags.</p>
</blockquote>
</body>
</description>
<references>
<mlist>http://openwall.com/lists/oss-security/2015/04/07/11</mlist>
<url>https://hackerone.com/reports/46916</url>
<url>http://danlec.com/blog/bug-in-sundown-and-redcarpet</url>
</references>
<dates>
<discovery>2015-04-07</discovery>
<entry>2015-05-14</entry>
</dates>
</vuln>
<vuln vid="57325ecf-facc-11e4-968f-b888e347c638">
<topic>dcraw -- integer overflow condition</topic>
<affects>
<package>
<name>cinepaint</name>
<!-- no known fixed version -->
<range><ge>0.22.0</ge></range>
</package>
<package>
<name>darktable</name>
<range><lt>1.6.7</lt></range>
</package>
<package>
<name>dcraw</name>
<range><ge>7.00</ge><lt>9.26</lt></range>
</package>
<package>
<name>dcraw-m</name>
<!-- no known fixed version -->
<range><ge>0</ge></range>
</package>
<package>
<name>exact-image</name>
<range><lt>0.9.1</lt></range>
</package>
<package>
<name>flphoto</name>
<!-- no known fixed version -->
<range><ge>0</ge></range>
</package>
<package>
<name>freeimage</name>
<range><ge>3.13.0</ge><lt>3.16.0_1</lt></range>
</package>
<package>
<name>kodi</name>
<range><lt>14.2_1</lt></range>
</package>
<package>
<name>libraw</name>
<range><lt>0.16.1</lt></range>
</package>
<package>
<name>lightzone</name>
<range><lt>4.1.2</lt></range>
</package>
<package>
<name>netpbm</name>
<range><lt>10.35.96</lt></range>
</package>
<package>
<name>opengtl</name>
<!-- no known fixed version -->
<range><ge>0</ge></range>
</package>
<package>
<name>rawstudio</name>
<range><lt>2.0_11</lt></range>
</package>
<package>
<name>ufraw</name>
<range><lt>0.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ocert reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2015-006.html">
<p>The dcraw tool, as well as several other projects re-using its
code, suffers from an integer overflow condition which leads to a
buffer overflow.</p>
<p>The vulnerability concerns the 'len' variable, parsed without
validation from opened images, used in the ljpeg_start()
function.</p>
<p>A maliciously crafted raw image file can be used to trigger the
vulnerability, causing a Denial of Service condition.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3885</cvename>
<url>http://www.ocert.org/advisories/ocert-2015-006.html</url>
<url>https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e</url>
<url>https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5</url>
<url>https://sourceforge.net/p/netpbm/code/2512/</url>
</references>
<dates>
<discovery>2015-04-24</discovery>
<entry>2015-05-15</entry>
<modified>2016-01-08</modified>
</dates>
</vuln>
<vuln vid="c6e31869-f99f-11e4-9f91-6805ca0b3d42">
<topic>phpMyAdmin -- XSRF and man-in-the-middle vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><ge>4.4.0</ge><lt>4.4.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2015-2.php">
<p>XSRF/CSRF vulnerability in phpMyAdmin setup.</p>
<p>By deceiving a user to click on a crafted URL, it is
possible to alter the configuration file being generated
with phpMyAdmin setup.</p>
<p>This vulnerability only affects the configuration file
generation process and does not affect the effective
configuration file. Moreover, the configuration file being
generated is at risk only during the period when it's
writable.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2015-3.php">
<p>Vulnerability allowing man-in-the-middle attack on API
call to GitHub.</p>
<p>A vulnerability in the API call to GitHub can be
exploited to perform a man-in-the-middle attack.</p>
<p>We consider this vulnerability to be serious.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2015-2.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2015-3.php</url>
<cvename>CVE-2015-3902</cvename>
<cvename>CVE-2015-3903</cvename>
</references>
<dates>
<discovery>2015-05-13</discovery>
<entry>2015-05-13</entry>
</dates>
</vuln>
<vuln vid="e206df57-f97b-11e4-b799-c485083ca99c">
<topic>Adobe Flash Player -- critical vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<range><le>11.2r202.457</le></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><le>11.2r202.457</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-09.html">
<p>
Adobe has released security updates for Adobe Flash Player for
Windows, Macintosh and Linux. These updates address vulnerabilities
that could potentially allow an attacker to take control of the
affected system. Adobe recommends users update their product
installations to the latest versions.
</p>
<p>
These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2015-3078, CVE-2015-3089, CVE-2015-3090,
CVE-2015-3093).
</p>
<p>
These updates resolve a heap overflow vulnerability that could lead
to code execution (CVE-2015-3088).
</p>
<p>
These updates resolve a time-of-check time-of-use (TOCTOU) race
condition that could be exploited to bypass Protected Mode in
Internet Explorer (CVE-2015-3081).
</p>
<p>
These updates resolve validation bypass issues that could be
exploited to write arbitrary data to the file system under user
permissions (CVE-2015-3082, CVE-2015-3083, CVE-2015-3085).
</p>
<p>
These updates resolve an integer overflow vulnerability that could
lead to code execution (CVE-2015-3087).
</p>
<p>
These updates resolve a type confusion vulnerability that could lead
to code execution (CVE-2015-3077, CVE-2015-3084, CVE-2015-3086).
</p>
<p>
These updates resolve a use-after-free vulnerability that could lead
to code execution (CVE-2015-3080).
</p>
<p>
These updates resolve memory leak vulnerabilities that could be used
to bypass ASLR (CVE-2015-3091, CVE-2015-3092).
</p>
<p>
These updates resolve a security bypass vulnerability that could lead
to information disclosure (CVE-2015-3079), and provide additional
hardening to protect against CVE-2015-3044.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3044</cvename>
<cvename>CVE-2015-3077</cvename>
<cvename>CVE-2015-3078</cvename>
<cvename>CVE-2015-3079</cvename>
<cvename>CVE-2015-3080</cvename>
<cvename>CVE-2015-3081</cvename>
<cvename>CVE-2015-3082</cvename>
<cvename>CVE-2015-3083</cvename>
<cvename>CVE-2015-3084</cvename>
<cvename>CVE-2015-3085</cvename>
<cvename>CVE-2015-3086</cvename>
<cvename>CVE-2015-3087</cvename>
<cvename>CVE-2015-3088</cvename>
<cvename>CVE-2015-3089</cvename>
<cvename>CVE-2015-3090</cvename>
<cvename>CVE-2015-3091</cvename>
<cvename>CVE-2015-3092</cvename>
<cvename>CVE-2015-3093</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-09.html</url>
</references>
<dates>
<discovery>2015-05-12</discovery>
<entry>2015-05-13</entry>
</dates>
</vuln>
<vuln vid="d9b43004-f5fd-4807-b1d7-dbf66455b244">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>38.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>38.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.35</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.35</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>31.7.0,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><lt>31.7.0</lt></range>
<range><ge>32.0</ge><lt>38.0</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>31.7.0</lt></range>
<range><ge>32.0</ge><lt>38.0</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>31.7.0</lt></range>
<range><ge>32.0</ge><lt>38.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/">
<p>MFSA-2015-46 Miscellaneous memory safety hazards (rv:38.0
/ rv:31.7)</p>
<p>MFSA-2015-47 Buffer overflow parsing H.264 video with
Linux Gstreamer</p>
<p>MFSA-2015-48 Buffer overflow with SVG content and CSS</p>
<p>MFSA-2015-49 Referrer policy ignored when links opened by
middle-click and context menu</p>
<p>MFSA-2015-50 Out-of-bounds read and write in asm.js validation</p>
<p>MFSA-2015-51 Use-after-free during text processing with
vertical text enabled</p>
<p>MFSA-2015-52 Sensitive URL encoded information written to
Android logcat</p>
<p>MFSA-2015-53 Use-after-free due to Media Decoder Thread creation
during shutdown</p>
<p>MFSA-2015-54 Buffer overflow when parsing compressed XML</p>
<p>MFSA-2015-55 Buffer overflow and out-of-bounds read while
parsing MP4 video metadata</p>
<p>MFSA-2015-56 Untrusted site hosting trusted page can
intercept webchannel responses</p>
<p>MFSA-2015-57 Privilege escalation through IPC channel messages</p>
<p>MFSA-2015-58 Mozilla Windows updater can be run outside
of application directory</p>
<p>MFSA-2015-93 Integer overflows in libstagefright while processing
MP4 video metadata</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3079</cvename>
<cvename>CVE-2015-0797</cvename>
<cvename>CVE-2015-0833</cvename>
<cvename>CVE-2015-2708</cvename>
<cvename>CVE-2015-2709</cvename>
<cvename>CVE-2015-2710</cvename>
<cvename>CVE-2015-2711</cvename>
<cvename>CVE-2015-2712</cvename>
<cvename>CVE-2015-2713</cvename>
<cvename>CVE-2015-2714</cvename>
<cvename>CVE-2015-2715</cvename>
<cvename>CVE-2015-2716</cvename>
<cvename>CVE-2015-2717</cvename>
<cvename>CVE-2015-2718</cvename>
<cvename>CVE-2015-2720</cvename>
<cvename>CVE-2015-4496</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-46/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-47/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-48/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-49/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-50/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-51/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-52/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-53/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-54/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-55/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-56/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-57/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-58/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-93/</url>
</references>
<dates>
<discovery>2015-05-12</discovery>
<entry>2015-05-12</entry>
<modified>2015-08-28</modified>
</dates>
</vuln>
<vuln vid="fe910ed6-f88d-11e4-9ae3-0050562a4d7b">
<topic>suricata -- TLS/DER Parser Bug (DoS)</topic>
<affects>
<package>
<name>suricata</name>
<range><lt>2.0.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OISF Development Team reports:</p>
<blockquote cite="https://lists.openinfosecfoundation.org/pipermail/oisf-devel/2015-May/003406.html">
<p>The OISF development team is pleased to announce Suricata 2.0.8.
This release fixes a number of issues in the 2.0 series.</p>
<p>The most important issue is a bug in the DER parser, which is used to
decode SSL/TLS certificates, that could crash Suricata. This issue was
reported by Kostya Kortchinsky of the Google Security Team and was fixed
by Pierre Chifflier of ANSSI.</p>
<p>Those processing large numbers of (untrusted) pcap files need to update
as a malformed pcap could crash Suricata. Again, credits go to Kostya
Kortchinsky.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0971</cvename>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0971</url>
<url>https://github.com/inliniac/suricata/commit/fa73a0bb8f312fd0a95cc70f6b3ee4e4997bdba7</url>
</references>
<dates>
<discovery>2015-05-06</discovery>
<entry>2015-05-12</entry>
</dates>
</vuln>
<vuln vid="0b040e24-f751-11e4-b24d-5453ed2e2b49">
<topic>libssh -- null pointer dereference</topic>
<affects>
<package>
<name>libssh</name>
<range><lt>0.6.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Andreas Schneider reports:</p>
<blockquote cite="https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/">
<p>libssh versions 0.5.1 and above have a logical error in the
handling of an SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY packet. A
detected error did not set the session into the error state
correctly and further processed the packet, which leads to a null
pointer dereference. This is the packet after the initial key
exchange and doesn’t require authentication.</p>
<p>This could be used for a Denial of Service (DoS) attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3146</cvename>
<url>https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release</url>
</references>
<dates>
<discovery>2015-04-30</discovery>
<entry>2015-05-10</entry>
</dates>
</vuln>
<vuln vid="b13af778-f4fc-11e4-a95d-ac9e174be3af">
<topic>Vulnerability in HWP document filter</topic>
<affects>
<package>
<name>libreoffice</name>
<range><lt>4.3.7</lt></range>
</package>
<package>
<name>apache-openoffice</name>
<range><lt>4.1.1_9</lt></range>
</package>
<package>
<name>apache-openoffice-devel</name>
<range><lt>4.2.1677190,3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT/NIST reports:</p>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1774">
<p>The HWP filter in LibreOffice before 4.3.7 and 4.4.x before
4.4.2 and Apache OpenOffice before 4.1.2 allows remote
attackers to cause a denial of service (crash) or possibly
execute arbitrary code via a crafted HWP document, which
triggers an out-of-bounds write.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1774</cvename>
<url>http://www.openoffice.org/security/cves/CVE-2015-1774.html</url>
<url>https://www.libreoffice.org/about-us/security/advisories/cve-2015-1774/</url>
</references>
<dates>
<discovery>2015-04-27</discovery>
<entry>2015-05-07</entry>
</dates>
</vuln>
<vuln vid="d86890da-f498-11e4-99aa-bcaec565249c">
<topic>wordpress -- 2 cross-site scripting vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.2.2,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<range><lt>4.2.2</lt></range>
</package>
<package>
<name>ja-wordpress</name>
<range><lt>4.2.2</lt></range>
</package>
<package>
<name>ru-wordpress</name>
<range><lt>4.2.2</lt></range>
</package>
<package>
<name>zh-wordpress-zh_CN</name>
<range><lt>4.2.2</lt></range>
</package>
<package>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samuel Sidler reports:</p>
<blockquote cite="https://wordpress.org/news/2015/05/wordpress-4-2-2/">
<p>The Genericons icon font package, which is used in a number of
popular themes and plugins, contained an HTML file vulnerable to
a cross-site scripting attack. All affected themes and plugins
hosted on WordPress.org (including the Twenty Fifteen default
theme) have been updated today by the WordPress security team
to address this issue by removing this nonessential file. To
help protect other Genericons usage, WordPress 4.2.2
proactively scans the wp-content directory for this HTML
file and removes it. Reported by Robert Abela of Netsparker.</p>
<p>WordPress versions 4.2 and earlier are affected by a critical
cross-site scripting vulnerability, which could enable anonymous
users to compromise a site. WordPress 4.2.2 includes a
comprehensive fix for this issue.</p>
<p>The release also includes hardening for a potential cross-site
scripting vulnerability when using the visual editor. This issue
was reported by Mahadev Subedi.</p>
</blockquote>
</body>
</description>
<references>
<url>https://wordpress.org/news/2015/05/wordpress-4-2-2/</url>
</references>
<dates>
<discovery>2015-05-07</discovery>
<entry>2015-05-07</entry>
<modified>2015-09-15</modified>
</dates>
</vuln>
<vuln vid="ba4f9b19-ed9d-11e4-9118-bcaec565249c">
<topic>wordpress -- cross-site scripting vulnerability</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.2.1,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<range><lt>4.2.1</lt></range>
</package>
<package>
<name>ja-wordpress</name>
<range><lt>4.2.1</lt></range>
</package>
<package>
<name>ru-wordpress</name>
<range><lt>4.2.1</lt></range>
</package>
<package>
<name>zh-wordpress-zh_CN</name>
<range><lt>4.2.1</lt></range>
</package>
<package>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gary Pendergast reports:</p>
<blockquote cite="https://wordpress.org/news/2015/04/wordpress-4-2-1/">
<p>WordPress 4.2.1 is now available. This is a critical security
release for all previous versions and we strongly encourage you
to update your sites immediately.</p>
<p>A few hours ago, the WordPress team was made aware of a
cross-site scripting vulnerability, which could enable commenters
to compromise a site. The vulnerability was discovered by Jouko
Pynnöne.</p>
</blockquote>
</body>
</description>
<references>
<url>https://wordpress.org/news/2015/04/wordpress-4-2-1/</url>
</references>
<dates>
<discovery>2015-04-27</discovery>
<entry>2015-05-07</entry>
<modified>2015-09-15</modified>
</dates>
</vuln>
<vuln vid="64e6006e-f009-11e4-98c6-000c292ee6b8">
<topic>powerdns -- Label decompression bug can cause crashes or CPU spikes</topic>
<affects>
<package>
<name>powerdns</name>
<range><lt>3.4.5</lt></range>
</package>
<package>
<name>powerdns-recursor</name>
<range><lt>3.7.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PowerDNS project reports:</p>
<blockquote cite="https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/">
<p>A bug was discovered in our label decompression code, making it
possible for names to refer to themselves, thus causing a loop during
decompression. On some platforms, this bug can be abused to cause
crashes. On all platforms, this bug can be abused to cause
service-affecting CPU spikes.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1868</cvename>
<cvename>CVE-2015-5470</cvename>
<url>https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/</url>
<mlist>http://www.openwall.com/lists/oss-security/2015/07/10/8</mlist>
</references>
<dates>
<discovery>2015-04-23</discovery>
<entry>2015-05-01</entry>
<modified>2015-07-12</modified>
</dates>
</vuln>
<vuln vid="210f80b9-ede4-11e4-81c4-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>42.0.2311.135</lt></range>
</package>
<package>
<!-- pcbsd -->
<name>chromium-npapi</name>
<range><lt>42.0.2311.135</lt></range>
</package>
<package>
<!-- pcbsd -->
<name>chromium-pulse</name>
<range><lt>42.0.2311.135</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2015/04/stable-channel-update_28.html">
<p>5 security fixes in this release, including:</p>
<ul>
<li>[453279] High CVE-2015-1243: Use-after-free in DOM. Credit to
Saif El-Sherei.</li>
<li>[481777] CVE-2015-1250: Various fixes from internal audits,
fuzzing and other initiatives.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1243</cvename>
<cvename>CVE-2015-1250</cvename>
<url>http://googlechromereleases.blogspot.nl/2015/04/stable-channel-update_28.html</url>
</references>
<dates>
<discovery>2015-04-28</discovery>
<entry>2015-04-28</entry>
</dates>
</vuln>
<vuln vid="b57f690e-ecc9-11e4-876c-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>42.0.2311.90</lt></range>
</package>
<package>
<!-- pcbsd -->
<name>chromium-npapi</name>
<range><lt>42.0.2311.90</lt></range>
</package>
<package>
<!-- pcbsd -->
<name>chromium-pulse</name>
<range><lt>42.0.2311.90</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2015/04/stable-channel-update_14.html">
<p>45 new security fixes, including:</p>
<ul>
<li>[456518] High CVE-2015-1235: Cross-origin-bypass in HTML
parser. Credit to anonymous.</li>
<li>[313939] Medium CVE-2015-1236: Cross-origin-bypass in Blink.
Credit to Amitay Dobo.</li>
<li>[461191] High CVE-2015-1237: Use-after-free in IPC. Credit to
Khalil Zhani.</li>
<li>[445808] High CVE-2015-1238: Out-of-bounds write in Skia.
Credit to cloudfuzzer.</li>
<li>[463599] Medium CVE-2015-1240: Out-of-bounds read in WebGL.
Credit to w3bd3vil.</li>
<li>[418402] Medium CVE-2015-1241: Tap-Jacking. Credit to Phillip
Moon and Matt Weston of Sandfield Information Systems.</li>
<li>[460917] High CVE-2015-1242: Type confusion in V8. Credit to
fcole@onshape.com.</li>
<li>[455215] Medium CVE-2015-1244: HSTS bypass in WebSockets.
Credit to Mike Ruddy.</li>
<li>[444957] Medium CVE-2015-1245: Use-after-free in PDFium. Credit
to Khalil Zhani.</li>
<li>[437399] Medium CVE-2015-1246: Out-of-bounds read in Blink.
Credit to Atte Kettunen of OUSPG.</li>
<li>[429838] Medium CVE-2015-1247: Scheme issues in OpenSearch.
Credit to Jann Horn.</li>
<li>[380663] Medium CVE-2015-1248: SafeBrowsing bypass. Credit to
Vittorio Gambaletta (VittGam).</li>
<li>[476786] CVE-2015-1249: Various fixes from internal audits,
fuzzing and other initiatives. Multiple vulnerabilities in V8
fixed at the tip of the 4.2 branch (currently 4.2.77.14).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://googlechromereleases.blogspot.nl/2015/04/stable-channel-update_14.html</url>
<cvename>CVE-2015-1235</cvename>
<cvename>CVE-2015-1236</cvename>
<cvename>CVE-2015-1237</cvename>
<cvename>CVE-2015-1238</cvename>
<cvename>CVE-2015-1240</cvename>
<cvename>CVE-2015-1241</cvename>
<cvename>CVE-2015-1242</cvename>
<cvename>CVE-2015-1244</cvename>
<cvename>CVE-2015-1245</cvename>
<cvename>CVE-2015-1246</cvename>
<cvename>CVE-2015-1247</cvename>
<cvename>CVE-2015-1248</cvename>
<cvename>CVE-2015-1249</cvename>
</references>
<dates>
<discovery>2015-04-14</discovery>
<entry>2015-04-27</entry>
</dates>
</vuln>
<vuln vid="cb9d2fcd-eb47-11e4-b03e-002590263bf5">
<topic>wpa_supplicant -- P2P SSID processing vulnerability</topic>
<affects>
<package>
<name>wpa_supplicant</name>
<range><lt>2.4_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jouni Malinen reports:</p>
<blockquote cite="http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt">
<p>A vulnerability was found in how wpa_supplicant uses SSID information
parsed from management frames that create or update P2P peer entries
(e.g., Probe Response frame or a number of P2P Public Action frames). The SSID
field has a valid length range of 0-32 octets. However, it is transmitted
in an element that has an 8-bit length field and a potential maximum
payload length of 255 octets. wpa_supplicant was not sufficiently
verifying the payload length on one of the code paths using the SSID
received from a peer device.</p>
<p>This can result in copying arbitrary data from an attacker to a fixed
length buffer of 32 bytes (i.e., a possible overflow of up to 223
bytes). The SSID buffer is within struct p2p_device, which is allocated
from the heap. The overflow can overwrite a couple of variables in the struct,
including a pointer that gets freed. In addition, about 150 bytes (the
exact length depending on architecture) can be written beyond the end of
the heap allocation.</p>
<p>This could result in corrupted state in the heap, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to a wpa_supplicant process crash, exposure of memory contents during
GO Negotiation, and potentially arbitrary code execution.</p>
<p>Vulnerable versions/configurations</p>
<p>wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled
(which is not compiled by default).</p>
<p>The attacker (or a system controlled by the attacker) needs to be within
radio range of the vulnerable system to send a suitably constructed
management frame that triggers P2P peer device information to be
created or updated.</p>
<p>The vulnerability is easiest to exploit while the device has started an
active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control
interface command in progress). However, it may be possible, though
significantly more difficult, to trigger this even without any active
P2P operation in progress.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1863</cvename>
<url>http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt</url>
</references>
<dates>
<discovery>2015-04-22</discovery>
<entry>2015-04-25</entry>
</dates>
</vuln>
<vuln vid="1e232a0c-eb57-11e4-b595-4061861086c1">
<topic>Several vulnerabilities found in PHP</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.4.40</lt></range>
</package>
<package>
<name>php55</name>
<range><lt>5.5.24</lt></range>
</package>
<package>
<name>php56</name>
<range><lt>5.6.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP project reports:</p>
<blockquote cite="http://php.net/archive/2015.php#id2015-04-16-2">
<p>The PHP development team announces the immediate
availability of PHP 5.4.40. 14 security-related
bugs were fixed in this release, including
CVE-2014-9709, CVE-2015-2301, CVE-2015-2783,
CVE-2015-1352. All PHP 5.4 users are encouraged to
upgrade to this version.</p>
<p>The PHP development team announces the immediate
availability of PHP 5.5.24. Several bugs have been
fixed, some of them being security related, like
CVE-2015-1351 and CVE-2015-1352. All PHP 5.5 users
are encouraged to upgrade to this version.</p>
<p>The PHP development team announces the immediate
availability of PHP 5.6.8. Several bugs have been
fixed, some of them being security related, like
CVE-2015-1351 and CVE-2015-1352. All PHP 5.6 users
are encouraged to upgrade to this version.</p>
</blockquote>
</body>
</description>
<references>
<url>http://php.net/archive/2015.php#id2015-04-16-2</url>
<cvename>CVE-2014-9709</cvename>
<cvename>CVE-2015-2301</cvename>
<cvename>CVE-2015-2783</cvename>
<cvename>CVE-2015-1351</cvename>
<cvename>CVE-2015-1352</cvename>
<freebsdpr>ports/199585</freebsdpr>
</references>
<dates>
<discovery>2015-04-16</discovery>
<entry>2015-04-25</entry>
<modified>2015-05-22</modified>
</dates>
</vuln>
<vuln vid="505904d3-ea95-11e4-beaf-bcaec565249c">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.1.2</lt></range>
</package>
<package>
<name>de-wordpress</name>
<range><lt>4.1.2</lt></range>
</package>
<package>
<name>ja-wordpress</name>
<range><lt>4.1.2</lt></range>
</package>
<package>
<name>ru-wordpress</name>
<range><lt>4.1.2</lt></range>
</package>
<package>
<name>zh-wordpress-zh_CN</name>
<range><lt>4.1.2</lt></range>
</package>
<package>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gary Pendergast reports:</p>
<blockquote cite="https://wordpress.org/news/2015/04/wordpress-4-1-2/">
<p>WordPress 4.1.2 is now available. This is a critical security
release for all previous versions and we strongly encourage you
to update your sites immediately.</p>
<p>WordPress versions 4.1.1 and earlier are affected by a critical
cross-site scripting vulnerability, which could enable anonymous
users to compromise a site. This was reported by Cedric Van
Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew
Nacin of the WordPress security team.</p>
<p>We also fixed three other security issues:</p>
<ul>
<li>In WordPress 4.1 and higher, files with invalid or unsafe
names could be uploaded. Discovered by Michael Kapfer and
Sebastian Kraemer of HSASec.</li>
<li>In WordPress 3.9 and higher, a very limited cross-site
scripting vulnerability could be used as part of a social
engineering attack. Discovered by Jakub Zoczek.</li>
<li>Some plugins were vulnerable to an SQL injection
vulnerability. Discovered by Ben Bidner of the WordPress
security team.</li>
</ul>
<p>We also made four hardening changes, discovered by J.D. Grimes,
Divyesh Prajapati, Allan Collins, Marc-Alexandre Montpas and
Jeff Bowen.</p>
</blockquote>
</body>
</description>
<references>
<url>https://wordpress.org/news/2015/04/wordpress-4-1-2/</url>
</references>
<dates>
<discovery>2015-04-21</discovery>
<entry>2015-04-24</entry>
<modified>2015-04-24</modified>
</dates>
</vuln>
<vuln vid="82595123-e8b8-11e4-a008-047d7b492d07">
<topic>libtasn1 -- stack-based buffer overflow in asn1_der_decoding</topic>
<affects>
<package>
<name>libtasn1</name>
<range><lt>4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Debian reports:</p>
<blockquote cite="https://www.debian.org/security/2015/dsa-3220.en.html">
<p>Hanno Boeck discovered a stack-based buffer overflow in
the asn1_der_decoding function in Libtasn1, a library to
manage ASN.1 structures. A remote attacker could take advantage
of this flaw to cause an application using the Libtasn1 library
to crash, or potentially to execute arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2806</cvename>
<url>https://www.debian.org/security/2015/dsa-3220.en.html</url>
</references>
<dates>
<discovery>2015-04-11</discovery>
<entry>2015-04-22</entry>
</dates>
</vuln>
<vuln vid="738fc80d-5f13-4ccb-aa9a-7965699e5a10">
<topic>mozilla -- use-after-free</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>37.0.2,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>37.0.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/">
<p>MFSA 2015-45 Memory corruption during failed plugin
initialization</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-2706</cvename>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2015-45/</url>
</references>
<dates>
<discovery>2015-04-20</discovery>
<entry>2015-04-21</entry>
</dates>
</vuln>
<vuln vid="dec3164f-3121-45ef-af18-bb113ac5082f">
<topic>sqlite -- multiple vulnerabilities</topic>
<affects>
<package>
<name>sqlite3</name>
<range><lt>3.8.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3414">
<p>SQLite before 3.8.9 does not properly implement the
dequoting of collation-sequence names, which allows
context-dependent attackers to cause a denial of service
(uninitialized memory access and application crash) or
possibly have unspecified other impact via a crafted
COLLATE clause, as demonstrated by COLLATE"""""""" at the
end of a SELECT statement.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3415">
<p>The sqlite3VdbeExec function in vdbe.c in SQLite before
3.8.9 does not properly implement comparison operators,
which allows context-dependent attackers to cause a denial
of service (invalid free operation) or possibly have
unspecified other impact via a crafted CHECK clause, as
demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.
</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3416">
<p>The sqlite3VXPrintf function in printf.c in SQLite before
3.8.9 does not properly handle precision and width values
during floating-point conversions, which allows
context-dependent attackers to cause a denial of service
(integer overflow and stack-based buffer overflow) or
possibly have unspecified other impact via large integers
in a crafted printf function call in a SELECT statement.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3414</cvename>
<cvename>CVE-2015-3415</cvename>
<cvename>CVE-2015-3416</cvename>
<url>https://www.sqlite.org/src/info/eddc05e7bb31fae7</url>
<url>https://www.sqlite.org/src/info/02e3c88fbf6abdcf</url>
<url>https://www.sqlite.org/src/info/c494171f77dc2e5e</url>
<mlist>http://seclists.org/fulldisclosure/2015/Apr/31</mlist>
</references>
<dates>
<discovery>2015-04-14</discovery>
<entry>2015-04-18</entry>
<modified>2015-05-08</modified>
</dates>
</vuln>
<vuln vid="c4571ca8-053d-44c9-ab3c-89b1372ad0a5">
<topic>chrony -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chrony</name>
<range><lt>1.31.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrony News reports:</p>
<blockquote cite="http://chrony.tuxfamily.org/News.html">
<p>CVE-2015-1853: DoS attack on authenticated symmetric NTP
associations</p>
<p>CVE-2015-1821: Heap-based buffer overflow in access
configuration</p>
<p>CVE-2015-1822: Use of uninitialized pointer in command
processing</p>
</blockquote>
</body>
</description>
<references>
<url>http://chrony.tuxfamily.org/News.html</url>
<cvename>CVE-2015-1821</cvename>
<cvename>CVE-2015-1822</cvename>
<cvename>CVE-2015-1853</cvename>
</references>
<dates>
<discovery>2015-02-17</discovery>
<entry>2015-04-18</entry>
</dates>
</vuln>
<vuln vid="e426eda9-dae1-11e4-8107-94de806b0af9">
<topic>Dulwich -- Remote code execution</topic>
<affects>
<package>
<name>py27-dulwich</name>
<range><lt>0.9.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0838">
<p>Buffer overflow in the C implementation of the apply_delta
function in _pack.c in Dulwich before 0.9.9 allows remote
attackers to execute arbitrary code via a crafted pack file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0838</cvename>
</references>
<dates>
<discovery>2015-01-07</discovery>
<entry>2015-04-17</entry>
</dates>
</vuln>
<vuln vid="3364d497-e4e6-11e4-a265-c485083ca99c">
<topic>Adobe Flash Player -- critical vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<range><le>11.2r202.451</le></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><le>11.2r202.451</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-06.html">
<p>
Adobe has released security updates for Adobe Flash Player for
Windows, Macintosh and Linux. These updates address vulnerabilities
that could potentially allow an attacker to take control of the
affected system. Adobe is aware of a report that an exploit for
CVE-2015-3043 exists in the wild, and recommends users update their
product installations to the latest versions.
</p>
<ul>
<li>
These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2015-0347, CVE-2015-0350, CVE-2015-0352,
CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360,
CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, CVE-2015-3043).
</li>
<li>
These updates resolve a type confusion vulnerability that could lead
to code execution (CVE-2015-0356).
</li>
<li>
These updates resolve a buffer overflow vulnerability that could
lead to code execution (CVE-2015-0348).
</li>
<li>
These updates resolve use-after-free vulnerabilities that could lead
to code execution (CVE-2015-0349, CVE-2015-0351, CVE-2015-0358,
CVE-2015-3039).
</li>
<li>
These updates resolve double-free vulnerabilities that could lead to
code execution (CVE-2015-0346, CVE-2015-0359).
</li>
<li>
These updates resolve memory leak vulnerabilities that could be used
to bypass ASLR (CVE-2015-0357, CVE-2015-3040).
</li>
<li>
These updates resolve a security bypass vulnerability that could
lead to information disclosure (CVE-2015-3044).
</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-06.html</url>
<cvename>CVE-2015-3038</cvename>
<cvename>CVE-2015-3039</cvename>
<cvename>CVE-2015-3040</cvename>
<cvename>CVE-2015-3041</cvename>
<cvename>CVE-2015-3042</cvename>
<cvename>CVE-2015-3043</cvename>
<cvename>CVE-2015-3044</cvename>
<cvename>CVE-2015-0346</cvename>
<cvename>CVE-2015-0347</cvename>
<cvename>CVE-2015-0348</cvename>
<cvename>CVE-2015-0349</cvename>
<cvename>CVE-2015-0350</cvename>
<cvename>CVE-2015-0351</cvename>
<cvename>CVE-2015-0352</cvename>
<cvename>CVE-2015-0353</cvename>
<cvename>CVE-2015-0354</cvename>
<cvename>CVE-2015-0355</cvename>
<cvename>CVE-2015-0356</cvename>
<cvename>CVE-2015-0357</cvename>
<cvename>CVE-2015-0358</cvename>
<cvename>CVE-2015-0359</cvename>
<cvename>CVE-2015-0360</cvename>
</references>
<dates>
<discovery>2015-04-14</discovery>
<entry>2015-04-17</entry>
</dates>
</vuln>
<vuln vid="ba326a36-5f02-452d-a215-31e7b06d5edf">
<topic>Wesnoth -- Remote information disclosure</topic>
<affects>
<package>
<name>wesnoth</name>
<name>wesnoth-devel</name>
<range><ge>1.7.0</ge><lt>1.12.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT/NIST reports:</p>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0844">
<p>The WML/Lua API in Battle for Wesnoth 1.7.x through
1.11.x and 1.12.x before 1.12.2 allows remote attackers to
read arbitrary files via a crafted (1) campaign or (2) map
file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0844</cvename>
</references>
<dates>
<discovery>2015-04-11</discovery>
<entry>2015-04-17</entry>
</dates>
</vuln>
<vuln vid="5713bfda-e27d-11e4-b2ce-5453ed2e2b49">
<topic>qt4-imageformats, qt4-gui, qt5-gui -- Multiple Vulnerabilities in Qt Image Format Handling</topic>
<affects>
<package>
<name>qt4-imageformats</name>
<range><lt>4.8.6_3</lt></range>
</package>
<package>
<name>qt4-gui</name>
<range><lt>4.8.6_5</lt></range>
</package>
<package>
<name>qt5-gui</name>
<range><lt>5.4.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Richard J. Moore reports:</p>
<blockquote cite="http://lists.qt-project.org/pipermail/announce/2015-April/000067.html">
<p>Due to two recent vulnerabilities identified in the built-in image
format handling code, it was decided that this area required further
testing to determine if further issues remained. Fuzzing using
afl-fuzz located a number of issues in the handling of BMP, ICO and
GIF files. The issues exposed included denial of service and buffer
overflows leading to heap corruption. It is possible the latter could
be used to perform remote code execution.</p>
</blockquote>
</body>
</description>
<references>
<mlist>http://lists.qt-project.org/pipermail/announce/2015-April/000067.html</mlist>
<cvename>CVE-2015-1858</cvename>
<cvename>CVE-2015-1859</cvename>
<cvename>CVE-2015-1860</cvename>
</references>
<dates>
<discovery>2015-04-12</discovery>
<entry>2015-04-14</entry>
</dates>
</vuln>
<vuln vid="d4379f59-3e9b-49eb-933b-61de4d0b0fdb">
<topic>Ruby -- OpenSSL Hostname Verification Vulnerability</topic>
<affects>
<package>
<name>ruby</name>
<name>ruby20</name>
<range><ge>2.0,1</ge><lt>2.0.0.645,1</lt></range>
</package>
<package>
<name>ruby</name>
<name>ruby21</name>
<range><ge>2.1,1</ge><lt>2.1.6,1</lt></range>
</package>
<package>
<name>ruby</name>
<name>ruby22</name>
<range><ge>2.2,1</ge><lt>2.2.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby Developers report:</p>
<blockquote cite="https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/">
<p>After reviewing RFC 6125 and RFC 5280, we found multiple violations
of matching hostnames and particularly wildcard certificates.</p>
<p>Ruby’s OpenSSL extension will now provide a string-based matching
algorithm which follows more strict behavior, as recommended by
these RFCs. In particular, matching of more than one wildcard per
subject/SAN is no longer allowed. As well, comparison of these
values is now case-insensitive.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/</url>
<cvename>CVE-2015-1855</cvename>
</references>
<dates>
<discovery>2015-04-13</discovery>
<entry>2015-04-14</entry>
<modified>2015-09-23</modified>
</dates>
</vuln>
<vuln vid="a5f160fa-deee-11e4-99f8-080027ef73ec">
<topic>mailman -- path traversal vulnerability</topic>
<affects>
<package>
<name>mailman</name>
<range><lt>2.1.20</lt></range>
</package>
<package>
<name>mailman-with-htdig</name>
<range><lt>2.1.20</lt></range>
</package>
<package>
<name>ja-mailman</name>
<range><lt>2.1.14.j7_2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mark Sapiro reports:</p>
<blockquote cite="https://mail.python.org/pipermail/mailman-announce/2015-March/000209.html">
<p>A path traversal vulnerability has been discovered and fixed. This
vulnerability is only exploitable by a local user on a Mailman
server where the suggested Exim transport, the Postfix
postfix_to_mailman.py transport or some other programmatic MTA
delivery not using aliases is employed.</p>
</blockquote>
</body>
</description>
<references>
<url>https://mail.python.org/pipermail/mailman-announce/2015-March/000209.html</url>
<url>https://bugs.launchpad.net/mailman/+bug/1437145</url>
<cvename>CVE-2015-2775</cvename>
</references>
<dates>
<discovery>2015-03-27</discovery>
<entry>2015-04-09</entry>
<modified>2015-06-17</modified>
</dates>
</vuln>
<vuln vid="5fee3f02-de37-11e4-b7c3-001999f8d30b">
<topic>asterisk -- TLS Certificate Common name NULL byte exploit</topic>
<affects>
<package>
<name>asterisk</name>
<range><lt>1.8.32.3</lt></range>
</package>
<package>
<name>asterisk11</name>
<range><lt>11.17.1</lt></range>
</package>
<package>
<name>asterisk13</name>
<range><lt>13.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>When Asterisk registers to a SIP TLS device and
verifies the server, Asterisk will accept signed certificates
that match a common name other than the one Asterisk is
expecting if the signed certificate has a common name
containing a null byte after the portion of the common
name that Asterisk expected. For example, if Asterisk is
trying to register to www.domain.com, Asterisk will accept
certificates of the form
www.domain.com\x00www.someotherdomain.com</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2015-003.html</url>
<cvename>CVE-2015-3008</cvename>
</references>
<dates>
<discovery>2015-04-04</discovery>
<entry>2015-04-08</entry>
</dates>
</vuln>
<vuln vid="ebd84c96-dd7e-11e4-854e-3c970e169bc2">
<topic>ntp -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ntp</name>
<range><lt>4.2.8p2</lt></range>
</package>
<package>
<name>ntp-devel</name>
<range><lt>4.3.14</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.1</ge><lt>10.1_9</lt></range>
<range><ge>9.3</ge><lt>9.3_13</lt></range>
<range><ge>8.4</ge><lt>8.4_27</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ntp.org reports:</p>
<blockquote cite="http://archive.ntp.org/ntp4/ChangeLog-stable">
<ul>
<li>[Sec 2779] ntpd accepts unauthenticated packets
with symmetric key crypto.</li>
<li>[Sec 2781] Authentication doesn't protect symmetric
associations against DoS attacks.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-15:07.ntp</freebsdsa>
<cvename>CVE-2015-1798</cvename>
<cvename>CVE-2015-1799</cvename>
<url>http://archive.ntp.org/ntp4/ChangeLog-stable</url>
</references>
<dates>
<discovery>2015-04-07</discovery>
<entry>2015-04-07</entry>
</dates>
</vuln>
<vuln vid="b8321d76-24e7-4b72-a01d-d12c4445d826">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>37.0.1,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>37.0.1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/">
<p>MFSA 2015-44 Certificate verification bypass through the
HTTP/2 Alt-Svc header</p>
<p>MFSA 2015-43 Loading privileged content through Reader
mode</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0798</cvename>
<cvename>CVE-2015-0799</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-43/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-44/</url>
<url>https://www.mozilla.org/security/advisories/</url>
</references>
<dates>
<discovery>2015-04-03</discovery>
<entry>2015-04-04</entry>
</dates>
</vuln>
<vuln vid="2f75141c-da1d-11e4-8d32-5404a68ad561">
<topic>Several vulnerabilities in libav</topic>
<affects>
<package>
<name>libav</name>
<range><lt>11.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The libav project reports:</p>
<blockquote cite="https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.3">
<p>utvideodec: Handle slice_height being zero (CVE-2014-9604)</p>
<p>tiff: Check that there is no aliasing in pixel format selection (CVE-2014-8544)</p>
</blockquote>
</body>
</description>
<references>
<url>https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.3</url>
<cvename>CVE-2014-8544</cvename>
<cvename>CVE-2014-9604</cvename>
</references>
<dates>
<discovery>2015-03-24</discovery>
<entry>2015-04-03</entry>
</dates>
</vuln>
<vuln vid="742563d4-d776-11e4-b595-4061861086c1">
<topic>Several vulnerabilities found in PHP</topic>
<affects>
<package>
<name>php53</name>
<range><le>5.3.29_5</le></range>
</package>
<package>
<name>php5</name>
<range><lt>5.4.39</lt></range>
</package>
<package>
<name>php55</name>
<range><lt>5.5.23</lt></range>
</package>
<package>
<name>php56</name>
<range><lt>5.6.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP project reports:</p>
<blockquote cite="http://php.net/archive/2015.php#id2015-03-20-2">
<p>The PHP development team announces the immediate
availability of PHP 5.6.7. Several bugs have been
fixed as well as CVE-2015-0231, CVE-2015-2305 and
CVE-2015-2331. All PHP 5.6 users are encouraged to
upgrade to this version.</p>
<p>The PHP development team announces the immediate
availability of PHP 5.5.23. Several bugs have been
fixed as well as CVE-2015-0231, CVE-2015-2305 and
CVE-2015-2331. All PHP 5.5 users are encouraged
to upgrade to this version.</p>
<p>The PHP development team announces the immediate
availability of PHP 5.4.39. Six security-related
bugs were fixed in this release, including
CVE-2015-0231, CVE-2015-2305 and CVE-2015-2331.
All PHP 5.4 users are encouraged to upgrade to
this version.</p>
</blockquote>
</body>
</description>
<references>
<url>http://php.net/archive/2015.php#id2015-03-20-2</url>
<cvename>CVE-2015-0231</cvename>
<cvename>CVE-2015-2305</cvename>
<cvename>CVE-2015-2331</cvename>
<freebsdpr>ports/198739</freebsdpr>
</references>
<dates>
<discovery>2015-03-19</discovery>
<entry>2015-04-01</entry>
</dates>
</vuln>
<vuln vid="8e887b71-d769-11e4-b1c2-20cf30e32f6d">
<topic>subversion -- DoS vulnerabilities</topic>
<affects>
<package>
<name>mod_dav_svn</name>
<range><ge>1.5.0</ge><lt>1.7.20</lt></range>
<range><ge>1.8.0</ge><lt>1.8.13</lt></range>
</package>
<package>
<name>subversion16</name>
<range><ge>1.0.0</ge><lt>1.7.20</lt></range>
</package>
<package>
<name>subversion17</name>
<range><ge>1.0.0</ge><lt>1.7.20</lt></range>
</package>
<package>
<name>subversion</name>
<range><ge>1.0.0</ge><lt>1.7.20</lt></range>
<range><ge>1.8.0</ge><lt>1.8.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Subversion Project reports:</p>
<blockquote cite="http://subversion.apache.org/security/">
<p>Subversion HTTP servers with FSFS repositories are vulnerable to a remotely
triggerable excessive memory use with certain REPORT requests.</p>
<p>Subversion mod_dav_svn and svnserve are vulnerable to a remotely triggerable
assertion DoS vulnerability for certain requests with dynamically evaluated
revision numbers.</p>
<p>Subversion HTTP servers allow spoofing svn:author property values for new
revisions.</p>
</blockquote>
</body>
</description>
<references>
<url>http://subversion.apache.org/security/</url>
<cvename>CVE-2015-0202</cvename>
<cvename>CVE-2015-0248</cvename>
<cvename>CVE-2015-0251</cvename>
<url>http://subversion.apache.org/security/CVE-2015-0202-advisory.txt</url>
<url>http://subversion.apache.org/security/CVE-2015-0248-advisory.txt</url>
<url>http://subversion.apache.org/security/CVE-2015-0251-advisory.txt</url>
</references>
<dates>
<discovery>2015-03-31</discovery>
<entry>2015-03-31</entry>
</dates>
</vuln>
<vuln vid="d0c97697-df2c-4b8b-bff2-cec24dc35af8">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>37.0,1</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>31.6.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>37.0,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.34</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>31.6.0</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.34</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>31.6.0</lt></range>
</package>
<package>
<name>libxul</name>
<range><lt>31.6.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/">
<p>MFSA-2015-30 Miscellaneous memory safety hazards (rv:37.0
/ rv:31.6)</p>
<p>MFSA-2015-31 Use-after-free when using the Fluendo MP3
GStreamer plugin</p>
<p>MFSA-2015-32 Add-on lightweight theme installation
approval bypassed through MITM attack</p>
<p>MFSA-2015-33 resource:// documents can load privileged
pages</p>
<p>MFSA-2015-34 Out of bounds read in QCMS library</p>
<p>MFSA-2015-35 Cursor clickjacking with flash and images</p>
<p>MFSA-2015-36 Incorrect memory management for simple-type
arrays in WebRTC</p>
<p>MFSA-2015-37 CORS requests should not follow 30x
redirections after preflight</p>
<p>MFSA-2015-38 Memory corruption crashes in Off Main Thread
Compositing</p>
<p>MFSA-2015-39 Use-after-free due to type confusion flaws</p>
<p>MFSA-2015-40 Same-origin bypass through anchor navigation</p>
<p>MFSA-2015-41 PRNG weakness allows for DNS poisoning on
Android</p>
<p>MFSA-2015-42 Windows can retain access to privileged
content on navigation to unprivileged pages</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2808</cvename>
<cvename>CVE-2015-0800</cvename>
<cvename>CVE-2015-0801</cvename>
<cvename>CVE-2015-0802</cvename>
<cvename>CVE-2015-0803</cvename>
<cvename>CVE-2015-0804</cvename>
<cvename>CVE-2015-0805</cvename>
<cvename>CVE-2015-0806</cvename>
<cvename>CVE-2015-0807</cvename>
<cvename>CVE-2015-0808</cvename>
<cvename>CVE-2015-0810</cvename>
<cvename>CVE-2015-0811</cvename>
<cvename>CVE-2015-0812</cvename>
<cvename>CVE-2015-0813</cvename>
<cvename>CVE-2015-0814</cvename>
<cvename>CVE-2015-0815</cvename>
<cvename>CVE-2015-0816</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-30/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-31/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-32/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-33/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-34/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-35/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-36/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-37/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-38/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-39/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-40/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-41/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-42/</url>
<url>https://www.mozilla.org/security/advisories/</url>
</references>
<dates>
<discovery>2015-03-31</discovery>
<entry>2015-03-31</entry>
</dates>
</vuln>
<vuln vid="f450587b-d7bd-11e4-b5a4-14dae9d5a9d2">
<topic>osc -- shell command injection via crafted _service files</topic>
<affects>
<package>
<name>osc</name>
<range><lt>0.151.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SUSE Security Update reports:</p>
<blockquote cite="https://www.suse.com/security/cve/CVE-2015-0778.html">
<p>osc before 0.151.0 allows remote attackers to execute
arbitrary commands via shell metacharacters in a _service
file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0778</cvename>
<url>https://www.suse.com/security/cve/CVE-2015-0778.html</url>
<url>https://bugzilla.suse.com/show_bug.cgi?id=901643</url>
<url>http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00012.html</url>
</references>
<dates>
<discovery>2015-03-16</discovery>
<entry>2015-03-31</entry>
</dates>
</vuln>
<vuln vid="72ee9707-d7b2-11e4-8d8e-f8b156b6dcc8">
<topic>cpio -- multiple vulnerabilities</topic>
<affects>
<package>
<name>gcpio</name>
<range><lt>2.11_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>From the Debian Security Team:</p>
<blockquote cite="https://security-tracker.debian.org/tracker/CVE-2014-9112">
<p>Heap-based buffer overflow in the process_copy_in
function in GNU Cpio 2.11 allows remote attackers to cause
a denial of service via a large block value in a cpio
archive.</p>
</blockquote>
<blockquote cite="https://security-tracker.debian.org/tracker/CVE-2015-1197">
<p>cpio 2.11, when using the --no-absolute-filenames
option, allows local users to write to arbitrary files
via a symlink attack on a file in an archive.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-9112</cvename>
<url>https://security-tracker.debian.org/tracker/CVE-2014-9112</url>
<cvename>CVE-2015-1197</cvename>
<url>https://bugzilla.suse.com/show_bug.cgi?id=658010</url>
</references>
<dates>
<discovery>2015-03-27</discovery>
<entry>2015-03-31</entry>
</dates>
</vuln>
<vuln vid="264749ae-d565-11e4-b545-00269ee29e57">
<topic>libzip -- integer overflow</topic>
<affects>
<package>
<name>libzip</name>
<range><lt>0.11.2_2</lt></range>
</package>
<package>
<name>ppsspp</name>
<range><lt>1.0.1_5</lt></range>
</package>
<package>
<name>ppsspp-devel</name>
<range><lt>1.0.1.2668_1</lt></range>
</package>
<package>
<name>radare2</name>
<range><lt>0.9.8_1</lt></range>
</package>
<package>
<name>openlierox</name>
<range><lt>0.58.r3_5,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>libzip developers report:</p>
<blockquote cite="http://hg.nih.at/libzip/rev/9f11d54f692e">
<p>Avoid integer overflow. Fixed similarly to patch used in PHP copy of libzip.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.php.net/bug.php?id=69253</url>
<url>https://github.com/php/php-src/commit/ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5</url>
<url>http://hg.nih.at/libzip/rev/9f11d54f692e</url>
<cvename>CVE-2015-2331</cvename>
</references>
<dates>
<discovery>2015-03-18</discovery>
<entry>2015-03-28</entry>
<modified>2015-09-20</modified>
</dates>
</vuln>
<vuln vid="62287f51-d43d-11e4-879c-00e0814cab4e">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py27-django</name>
<range><ge>1.4</ge><lt>1.4.20</lt></range>
<range><ge>1.6</ge><lt>1.6.11</lt></range>
<range><ge>1.7</ge><lt>1.7.7</lt></range>
</package>
<package>
<name>py32-django</name>
<range><ge>1.4</ge><lt>1.4.20</lt></range>
<range><ge>1.6</ge><lt>1.6.11</lt></range>
<range><ge>1.7</ge><lt>1.7.7</lt></range>
</package>
<package>
<name>py33-django</name>
<range><ge>1.4</ge><lt>1.4.20</lt></range>
<range><ge>1.6</ge><lt>1.6.11</lt></range>
<range><ge>1.7</ge><lt>1.7.7</lt></range>
</package>
<package>
<name>py34-django</name>
<range><ge>1.4</ge><lt>1.4.20</lt></range>
<range><ge>1.6</ge><lt>1.6.11</lt></range>
<range><ge>1.7</ge><lt>1.7.7</lt></range>
</package>
<package>
<name>py27-django-devel</name>
<range><lt>20150326,1</lt></range>
</package>
<package>
<name>py32-django-devel</name>
<range><lt>20150326,1</lt></range>
</package>
<package>
<name>py33-django-devel</name>
<range><lt>20150326,1</lt></range>
</package>
<package>
<name>py34-django-devel</name>
<range><lt>20150326,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Django project reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2015/mar/18/security-releases/">
<p>In accordance with our security release policy, the Django team
is issuing multiple releases -- Django 1.4.20, 1.6.11, 1.7.7 and
1.8c1. These releases are now available on PyPI and our download
page. These releases address several security issues detailed
below. We encourage all users of Django to upgrade as soon as
possible. The Django master branch has also been updated.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.djangoproject.com/weblog/2015/mar/18/security-releases/</url>
<cvename>CVE-2015-2316</cvename>
<cvename>CVE-2015-2317</cvename>
</references>
<dates>
<discovery>2015-03-18</discovery>
<entry>2015-03-27</entry>
</dates>
</vuln>
<vuln vid="f6a014cd-d268-11e4-8339-001e679db764">
<topic>GNU binutils -- multiple vulnerabilities</topic>
<affects>
<package>
<name>cross-binutils</name>
<range><lt>2.25</lt></range>
</package>
<package>
<name>x86_64-pc-mingw32-binutils</name>
<range><lt>2.25</lt></range>
</package>
<package>
<name>m6811-binutils</name>
<range><lt>2.25</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT/NIST reports:</p>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8501">
<p>The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU
binutils 2.24 and earlier allows remote attackers to cause a
denial of service (out-of-bounds write) and possibly have other
unspecified impact via a crafted NumberOfRvaAndSizes field in the
AOUT header in a PE executable.</p>
</blockquote>
<p>US-CERT/NIST reports:</p>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8502">
<p>Heap-based buffer overflow in the pe_print_edata function in
bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote
attackers to cause a denial of service (crash) and possibly have
other unspecified impact via a truncated export table in a PE
file.</p>
</blockquote>
<p>US-CERT/NIST reports:</p>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8503">
<p>Stack-based buffer overflow in the ihex_scan function in
bfd/ihex.c in GNU binutils 2.24 and earlier allows remote
attackers to cause a denial of service (crash) and possibly have
other unspecified impact via a crafted ihex file.</p>
</blockquote>
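<p>The first of the three issues is a trusted-count bug: the PE optional header's NumberOfRvaAndSizes field says how many 8-byte data-directory entries follow, but the in-memory table is fixed at 16 slots. The following added example (not binutils code; the struct and function names are this illustration's own) shows the unchecked loop beside a parser that bounds the count and the available bytes.</p>
<![CDATA[
```c
#include <stdint.h>
#include <string.h>

/*
 * Added example, not binutils code. Parses the tail of a PE optional
 * header: a 32-bit NumberOfRvaAndSizes followed by that many
 * IMAGE_DATA_DIRECTORY entries (VirtualAddress, Size; 8 bytes each).
 * The format fixes the table at 16 entries.
 */
#define PE_NUM_DIRS 16

struct data_dir { uint32_t vaddr; uint32_t size; };

struct opt_hdr_tail {
    uint32_t num_dirs;
    struct data_dir dirs[PE_NUM_DIRS];
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Little-endian writer used to construct test input. */
void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Vulnerable pattern (never call on untrusted data): trusts the count. */
int parse_opt_hdr_tail_unchecked(const uint8_t *buf, struct opt_hdr_tail *out)
{
    out->num_dirs = rd32(buf);
    for (uint32_t i = 0; i < out->num_dirs; i++) {   /* i > 15 writes past dirs[] */
        out->dirs[i].vaddr = rd32(buf + 4 + i * 8);
        out->dirs[i].size  = rd32(buf + 8 + i * 8);
    }
    return 0;
}

/*
 * Hardened parser. Returns 0 on success, -1 on malformed input:
 *  - a count above 16 is rejected rather than clamped silently;
 *  - the buffer must actually hold count * 8 bytes of entries
 *    (checked by division so the check itself cannot overflow).
 * Unused slots are zeroed so callers never read uninitialised data.
 */
int parse_opt_hdr_tail(const uint8_t *buf, size_t len, struct opt_hdr_tail *out)
{
    if (len < 4)
        return -1;
    uint32_t n = rd32(buf);
    if (n > PE_NUM_DIRS)
        return -1;
    if ((len - 4) / 8 < n)
        return -1;
    memset(out, 0, sizeof *out);
    out->num_dirs = n;
    for (uint32_t i = 0; i < n; i++) {
        out->dirs[i].vaddr = rd32(buf + 4 + i * 8);
        out->dirs[i].size  = rd32(buf + 8 + i * 8);
    }
    return 0;
}
```
]]>
<p>Rejecting rather than clamping is deliberate: a count outside the format's fixed bound means the file is malformed, and downstream code that later trusts num_dirs should not be handed a silently altered value.</p>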
</body>
</description>
<references>
<cvename>CVE-2014-8501</cvename>
<cvename>CVE-2014-8502</cvename>
<cvename>CVE-2014-8503</cvename>
<url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8501</url>
<url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8502</url>
<url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8503</url>
</references>
<dates>
<discovery>2014-12-09</discovery>
<entry>2015-03-24</entry>
<modified>2016-01-08</modified>
</dates>
</vuln>
<vuln vid="996bce94-d23d-11e4-9463-9cb654ea3e1c">
<topic>libuv -- incorrect revocation order while relinquishing privileges</topic>
<affects>
<package>
<name>node010</name>
<range><lt>0.10.36</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Node.js project reports:</p>
<blockquote cite="http://blog.nodejs.org/2015/03/14/node-v0-10-37-stable">
<h5>CVE-2015-0278</h5>
<p>This may potentially allow an attacker to gain elevated privileges.</p>
</blockquote>
</body>
</description>
<references>
<url>http://blog.nodejs.org/2015/03/14/node-v0-10-37-stable</url>
<freebsdpr>ports/198861</freebsdpr>
<cvename>CVE-2015-0278</cvename>
</references>
<dates>
<discovery>2015-03-14</discovery>
<entry>2015-03-24</entry>
</dates>
</vuln>
<vuln vid="22dc4a22-d1e5-11e4-879c-00e0814cab4e">
<topic>jenkins -- multiple vulnerabilities</topic>
<affects>
<package>
<name>jenkins</name>
<range><le>1.605</le></range>
</package>
<package>
<name>jenkins-lts</name>
<range><le>1.596.1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23">
<h1>Description</h1>
<h5>SECURITY-171, SECURITY-177 (Reflective XSS vulnerability)</h5>
<p>An attacker without any access to Jenkins can navigate the user
to a carefully crafted URL and have the user execute unintended
actions. This vulnerability can be used to attack Jenkins inside
firewalls from outside so long as the location of Jenkins is known
to the attacker.</p>
<h5>SECURITY-180 (forced API token change)</h5>
<p>The part of Jenkins that issues a new API token was not
adequately protected against anonymous attackers. This allows an
attacker to escalate privileges on Jenkins.</p>
</blockquote>
</body>
</description>
<references>
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23</url>
</references>
<dates>
<discovery>2015-03-23</discovery>
<entry>2015-03-24</entry>
</dates>
</vuln>
<vuln vid="76ff65f4-17ca-4d3f-864a-a3d6026194fb">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>36.0.4,1</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>31.5.3,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>36.0.4,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.33.1</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.33.1</lt></range>
</package>
<package>
<name>libxul</name>
<range><lt>31.5.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/">
<p>MFSA-2015-28 Privilege escalation through SVG navigation</p>
<p>MFSA-2015-29 Code execution through incorrect JavaScript
bounds checking elimination</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0817</cvename>
<cvename>CVE-2015-0818</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-28/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-29/</url>
<url>https://www.mozilla.org/security/advisories/</url>
</references>
<dates>
<discovery>2015-03-20</discovery>
<entry>2015-03-22</entry>
</dates>
</vuln>
<vuln vid="9d15355b-ce7c-11e4-9db0-d050992ecde8">
<topic>OpenSSL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl</name>
<range><ge>1.0.1</ge><lt>1.0.1_19</lt></range>
</package>
<package>
<name>mingw32-openssl</name>
<range><ge>1.0.1</ge><lt>1.0.1m</lt></range>
</package>
<package>
<name>linux-c6-openssl</name>
<range><lt>1.0.1e_4</lt></range>
</package>
<package>
<name>libressl</name>
<range><le>2.1.5_1</le></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.1</ge><lt>10.1_8</lt></range>
<range><ge>9.3</ge><lt>9.3_12</lt></range>
<range><ge>8.4</ge><lt>8.4_26</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL project reports:</p>
<blockquote cite="https://www.openssl.org/news/secadv_20150319.txt">
<ul>
<li>Reclassified: RSA silently downgrades to EXPORT_RSA
[Client] (CVE-2015-0204). OpenSSL only.</li>
<li>Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)</li>
<li>ASN.1 structure reuse memory corruption (CVE-2015-0287)</li>
<li>PKCS#7 NULL pointer dereferences (CVE-2015-0289)</li>
<li>Base64 decode (CVE-2015-0292). OpenSSL only.</li>
<li>DoS via reachable assert in SSLv2 servers
(CVE-2015-0293). OpenSSL only.</li>
<li>Use After Free following d2i_ECPrivatekey error
(CVE-2015-0209)</li>
<li>X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-15:06.openssl</freebsdsa>
<freebsdpr>ports/198681</freebsdpr>
<cvename>CVE-2015-0204</cvename>
<cvename>CVE-2015-0286</cvename>
<cvename>CVE-2015-0287</cvename>
<cvename>CVE-2015-0289</cvename>
<cvename>CVE-2015-0292</cvename>
<cvename>CVE-2015-0293</cvename>
<cvename>CVE-2015-0209</cvename>
<cvename>CVE-2015-0288</cvename>
<url>https://www.openssl.org/news/secadv_20150319.txt</url>
</references>
<dates>
<discovery>2015-03-19</discovery>
<entry>2015-03-19</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="f7d79fac-cd49-11e4-898f-bcaec565249c">
<topic>libXfont -- BDF parsing issues</topic>
<affects>
<package>
<name>libXfont</name>
<range><lt>1.5.1</lt></range>
</package>
<package>
<name>linux-c6-xorg-libs</name>
<range><lt>7.4_4</lt></range>
</package>
<package>
<name>linux-f10-xorg-libs</name>
<range><lt>7.4_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Alan Coopersmith reports:</p>
<blockquote cite="http://lists.x.org/archives/xorg-announce/2015-March/002550.html">
<p>Ilja van Sprundel, a security researcher with IOActive, has
discovered an issue in the parsing of BDF font files by libXfont.
Additional testing by Alan Coopersmith and William Robinet with
the American Fuzzy Lop (afl) tool uncovered two more issues in
the parsing of BDF font files.</p>
<p>As libXfont is used by the X server to read font files, and an
unprivileged user with access to the X server can tell the X
server to read a given font file from a path of their choosing,
these vulnerabilities have the potential to allow unprivileged
users to run code with the privileges of the X server
(often root access).</p>
</blockquote>
</body>
</description>
<references>
<url>http://lists.x.org/archives/xorg-announce/2015-March/002550.html</url>
<cvename>CVE-2015-1802</cvename>
<cvename>CVE-2015-1803</cvename>
<cvename>CVE-2015-1804</cvename>
</references>
<dates>
<discovery>2015-03-17</discovery>
<entry>2015-03-18</entry>
<modified>2016-01-31</modified>
</dates>
</vuln>
<vuln vid="8b3ecff5-c9b2-11e4-b71f-00bd5af88c00">
<topic>Adobe Flash Player -- critical vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<range><le>11.2r202.442</le></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><le>11.2r202.442</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb15-05.html">
<p>Adobe has released security updates for Adobe Flash Player for
Windows, Macintosh and Linux. These updates address vulnerabilities
that could potentially allow an attacker to take control of the
affected system.</p>
<p>These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2015-0332, CVE-2015-0333, CVE-2015-0335,
CVE-2015-0339).</p>
<p>These updates resolve type confusion vulnerabilities that could lead
to code execution (CVE-2015-0334, CVE-2015-0336).</p>
<p>These updates resolve a vulnerability that could lead to a
cross-domain policy bypass (CVE-2015-0337).</p>
<p>These updates resolve a vulnerability that could lead to a file
upload restriction bypass (CVE-2015-0340).</p>
<p>These updates resolve an integer overflow vulnerability that could
lead to code execution (CVE-2015-0338).</p>
<p>These updates resolve use-after-free vulnerabilities that could lead
to code execution (CVE-2015-0341, CVE-2015-0342).</p>
</blockquote>
</body>
</description>
<references>
<url>https://helpx.adobe.com/security/products/flash-player/apsb15-05.html</url>
<cvename>CVE-2015-0332</cvename>
<cvename>CVE-2015-0333</cvename>
<cvename>CVE-2015-0334</cvename>
<cvename>CVE-2015-0335</cvename>
<cvename>CVE-2015-0336</cvename>
<cvename>CVE-2015-0337</cvename>
<cvename>CVE-2015-0338</cvename>
<cvename>CVE-2015-0339</cvename>
<cvename>CVE-2015-0340</cvename>
<cvename>CVE-2015-0341</cvename>
<cvename>CVE-2015-0342</cvename>
</references>
<dates>
<discovery>2015-03-12</discovery>
<entry>2015-03-13</entry>
</dates>
</vuln>
<vuln vid="451a6c79-c92b-11e4-a835-000c292ee6b8">
<topic>sympa -- Remote attackers can read arbitrary files</topic>
<affects>
<package>
<name>sympa</name>
<range><lt>6.1.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Sympa Project reports:</p>
<blockquote cite="https://www.sympa.org/security_advisories">
<p>The newsletter posting area in the web interface in Sympa 6.0.x before 6.0.10 and 6.1.x before 6.1.24 allows remote attackers to read arbitrary files via unspecified vectors.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.sympa.org/security_advisories</url>
<cvename>CVE-2015-1306</cvename>
</references>
<dates>
<discovery>2015-01-13</discovery>
<entry>2015-03-13</entry>
</dates>
</vuln>
<vuln vid="d08f6002-c588-11e4-8495-6805ca0b3d42">
<topic>rt -- Remote DoS, Information disclosure and Session Hijacking vulnerabilities</topic>
<affects>
<package>
<name>rt42</name>
<range><ge>4.2.0</ge><lt>4.2.10</lt></range>
</package>
<package>
<name>rt40</name>
<range><ge>4.0.0</ge><lt>4.0.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Best Practical reports:</p>
<blockquote cite="http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html">
<p>RT 3.0.0 and above, if running on Perl 5.14.0 or higher,
are vulnerable to a remote denial-of-service via the email
gateway; any installation which accepts mail from untrusted
sources is vulnerable, regardless of the permissions
configuration inside RT. This denial-of-service may
encompass both CPU and disk usage, depending on RT's logging
configuration. This vulnerability is assigned
CVE-2014-9472.</p>
<p>RT 3.8.8 and above are vulnerable to an information
disclosure attack which may reveal RSS feeds URLs, and thus
ticket data; this vulnerability is assigned
CVE-2015-1165. RSS feed URLs can also be leveraged to
perform session hijacking, allowing a user with the URL to
log in as the user that created the feed; this vulnerability
is assigned CVE-2015-1464.</p>
</blockquote>
</body>
</description>
<references>
<url>http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html</url>
<cvename>CVE-2014-9472</cvename>
<cvename>CVE-2015-1165</cvename>
<cvename>CVE-2015-1464</cvename>
</references>
<dates>
<discovery>2015-02-26</discovery>
<entry>2015-03-08</entry>
</dates>
</vuln>
<vuln vid="81b4c118-c586-11e4-8495-6805ca0b3d42">
<topic>phpMyAdmin -- Risk of BREACH attack due to reflected parameter</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><ge>4.3.0</ge><lt>4.3.11.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2015-1.php">
<p>Risk of BREACH attack due to reflected parameter.</p>
<p>With a large number of crafted requests it was possible to infer
the CSRF token by a BREACH attack.</p>
<p>Mitigation factor: this vulnerability can only be exploited in
the presence of another vulnerability that allows the attacker to
inject JavaScript into victim's browser.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2015-1.php</url>
<cvename>CVE-2015-2206</cvename>
</references>
<dates>
<discovery>2015-03-04</discovery>
<entry>2015-03-08</entry>
</dates>
</vuln>
<vuln vid="c0cae920-c4e9-11e4-898e-90e6ba741e35">
<topic>mono -- TLS bugs</topic>
<affects>
<package>
<name>mono</name>
<range><lt>3.10.1</lt></range>
<range><ge>3.12</ge><lt>3.12.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mono project reports:</p>
<blockquote cite="http://www.mono-project.com/docs/about-mono/vulnerabilities/#tls-bugs">
<p>Mono’s implementation of the SSL/TLS stack failed to check the order of the handshake messages. Which would allow various attacks on the protocol to succeed. Details of this vulnerability are discussed in <a href="https://www.smacktls.com/#skip">SKIP-TLS post</a>.</p>
<p>Mono’s implementation of SSL/TLS also contained support for the weak EXPORT cyphers and was susceptible to the <a href="https://www.smacktls.com/#freak">FREAK</a> attack.</p>
</blockquote>
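<p>Both issues are handshake state-machine failures on the client side: SKIP-TLS is a server omitting mandatory messages and the client still finishing the handshake, and FREAK is a server sending a ServerKeyExchange carrying a weak export-grade key in a suite that has no such message. The following added example (not Mono code; the state names and the kx enumeration are this illustration's own, the HandshakeType values are the RFC 5246 codes) is a minimal receiver that enforces order and rejects both transcripts. It ignores ChangeCipherSpec and the client's own flight for brevity.</p>
<![CDATA[
```c
#include <stddef.h>

/*
 * Added example, not Mono code. A client-side handshake receiver that
 * accepts server messages only in the order the negotiated key exchange
 * allows. HandshakeType values are the real TLS codes (RFC 5246).
 */
enum hs_type {
    HS_SERVER_HELLO = 2, HS_CERTIFICATE = 11, HS_SERVER_KEY_EXCHANGE = 12,
    HS_CERTIFICATE_REQUEST = 13, HS_SERVER_HELLO_DONE = 14, HS_FINISHED = 20
};

/* Key-exchange family of the negotiated cipher suite (assumed already known). */
enum kx { KX_RSA, KX_RSA_EXPORT, KX_DHE };

enum state {
    ST_WAIT_SERVER_HELLO, ST_WAIT_CERT, ST_WAIT_SKE,
    ST_WAIT_DONE, ST_WAIT_FINISHED, ST_DONE, ST_FATAL
};

struct hs_client { enum state st; enum kx kx; };

void hs_init(struct hs_client *c, enum kx kx)
{
    c->st = ST_WAIT_SERVER_HELLO;
    c->kx = kx;
}

/*
 * Feed one received handshake message. Returns 1 if accepted, 0 if it is
 * out of order (the connection must then be torn down).
 *  - SKIP-TLS: every mandatory message must be seen before Finished, so
 *    jumping from ServerHello straight to Finished is rejected.
 *  - FREAK: ServerKeyExchange is only legal when the suite uses one (DHE
 *    or export RSA). A plain RSA suite that receives one is rejected
 *    instead of quietly adopting the weak ephemeral key it carries.
 */
int hs_receive(struct hs_client *c, enum hs_type t)
{
    switch (c->st) {
    case ST_WAIT_SERVER_HELLO:
        if (t == HS_SERVER_HELLO) { c->st = ST_WAIT_CERT; return 1; }
        break;
    case ST_WAIT_CERT:
        if (t == HS_CERTIFICATE) {
            c->st = (c->kx == KX_RSA) ? ST_WAIT_DONE : ST_WAIT_SKE;
            return 1;
        }
        break;
    case ST_WAIT_SKE:                 /* DHE and export RSA require it */
        if (t == HS_SERVER_KEY_EXCHANGE) { c->st = ST_WAIT_DONE; return 1; }
        break;
    case ST_WAIT_DONE:
        if (t == HS_CERTIFICATE_REQUEST) return 1;   /* optional, stay here */
        if (t == HS_SERVER_HELLO_DONE) { c->st = ST_WAIT_FINISHED; return 1; }
        break;
    case ST_WAIT_FINISHED:
        if (t == HS_FINISHED) { c->st = ST_DONE; return 1; }
        break;
    default:                          /* ST_DONE or ST_FATAL: nothing more is legal */
        break;
    }
    c->st = ST_FATAL;
    return 0;
}

/* Run a whole transcript; 1 only if every message was in order and the handshake completed. */
int hs_run(enum kx kx, const enum hs_type *msgs, size_t n)
{
    struct hs_client c;
    hs_init(&c, kx);
    for (size_t i = 0; i < n; i++)
        if (!hs_receive(&c, msgs[i]))
            return 0;
    return c.st == ST_DONE;
}
```
]]>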
</body>
</description>
<references>
<url>http://www.mono-project.com/docs/about-mono/vulnerabilities/#tls-bugs</url>
</references>
<dates>
<discovery>2015-03-06</discovery>
<entry>2015-03-07</entry>
</dates>
</vuln>
<vuln vid="92fc2e2b-c383-11e4-8ef7-080027ef73ec">
<topic>PuTTY -- fails to scrub private keys from memory after use</topic>
<affects>
<package>
<name>putty</name>
<range><lt>0.64</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Simon Tatham reports:</p>
<blockquote cite="http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html">
<p>When PuTTY has sensitive data in memory and has no further need for
it, it should wipe the data out of its memory, in case malware later
gains access to the PuTTY process or the memory is swapped out to
disk or written into a crash dump file. An obvious example of this
is the password typed during SSH login; other examples include
obsolete session keys, public-key passphrases, and the private
halves of public keys.</p>
<p>PuTTY 0.63 and earlier versions, after loading a private key
from a disk file, mistakenly leak a memory buffer containing a
copy of the private key, in the function ssh2_load_userkey. The
companion function ssh2_save_userkey (only called by PuTTYgen) can
also leak a copy, but only in the case where the file it tried to
save to could not be created.</p>
</blockquote>
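<p>The report asks for two properties: a wipe the compiler cannot optimise away, and release of every copy of the key on every exit path, including the failure path where the leak described above occurs. The following added example (not PuTTY code; the keyblob type, the toy "KEY:" parser and the function names are this illustration's own) shows both.</p>
<![CDATA[
```c
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not PuTTY code. A volatile-pointer wipe plus a loader
 * whose scratch copy of the key file is wiped and freed on both the
 * success and the failure path.
 */

/* Wipe through a volatile pointer so dead-store elimination cannot drop it. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

struct keyblob { unsigned char *data; size_t len; };

/* Hypothetical parser stand-in: accepts blobs that start with "KEY:". */
static int parse_key(const unsigned char *raw, size_t len, struct keyblob *out)
{
    if (len < 4 || memcmp(raw, "KEY:", 4) != 0)
        return 0;
    out->len = len - 4;
    out->data = malloc(out->len ? out->len : 1);
    if (!out->data)
        return 0;
    memcpy(out->data, raw + 4, out->len);
    return 1;
}

/* Release a key: wipe before free so the returned heap chunk holds no secret. */
void keyblob_free(struct keyblob *k)
{
    if (k->data) {
        secure_wipe(k->data, k->len);
        free(k->data);
        k->data = NULL;
    }
    k->len = 0;
}

/*
 * Load a key from an in-memory "file" (stand-in for reading from disk).
 * The scratch copy is wiped and freed whether parsing succeeds or not;
 * the bug the report describes is the variant where the failure path
 * returns early and leaves such a copy behind.
 * Returns 1 and fills *out on success, 0 on failure.
 */
int load_key(const unsigned char *file, size_t file_len, struct keyblob *out)
{
    unsigned char *scratch = malloc(file_len ? file_len : 1);
    int ok;
    if (!scratch)
        return 0;
    memcpy(scratch, file, file_len);

    ok = parse_key(scratch, file_len, out);

    secure_wipe(scratch, file_len);       /* runs on success AND failure */
    free(scratch);
    return ok;
}

/* Test helper: wipe a buffer and report whether every byte is now zero. */
int wipe_and_check(unsigned char *buf, size_t n)
{
    secure_wipe(buf, n);
    for (size_t i = 0; i < n; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}
```
]]>
<p>Where the platform provides it, explicit_bzero(3) or memset_s does the same job as secure_wipe; the volatile loop is the portable fallback.</p>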
</body>
</description>
<references>
<url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html</url>
<cvename>CVE-2015-2157</cvename>
</references>
<dates>
<discovery>2015-02-28</discovery>
<entry>2015-03-05</entry>
</dates>
</vuln>
<vuln vid="8505e013-c2b3-11e4-875d-000c6e25e3e9">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>41.0.2272.76</lt></range>
</package>
<package>
<name>chromium-npapi</name>
<range><lt>41.0.2272.76</lt></range>
</package>
<package>
<name>chromium-pulse</name>
<range><lt>41.0.2272.76</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl">
<p>51 security fixes in this release, including:</p>
<ul>
<li>[456516] High CVE-2015-1212: Out-of-bounds write in media.
Credit to anonymous.</li>
<li>[448423] High CVE-2015-1213: Out-of-bounds write in skia
filters. Credit to cloudfuzzer.</li>
<li>[445810] High CVE-2015-1214: Out-of-bounds write in skia
filters. Credit to cloudfuzzer.</li>
<li>[445809] High CVE-2015-1215: Out-of-bounds write in skia
filters. Credit to cloudfuzzer.</li>
<li>[454954] High CVE-2015-1216: Use-after-free in v8 bindings.
Credit to anonymous.</li>
<li>[456192] High CVE-2015-1217: Type confusion in v8 bindings.
Credit to anonymous.</li>
<li>[456059] High CVE-2015-1218: Use-after-free in dom.
Credit to cloudfuzzer.</li>
<li>[446164] High CVE-2015-1219: Integer overflow in webgl.
Credit to Chen Zhang (demi6od) of NSFOCUS Security Team.</li>
<li>[437651] High CVE-2015-1220: Use-after-free in gif decoder.
Credit to Aki Helin of OUSPG.</li>
<li>[455368] High CVE-2015-1221: Use-after-free in web databases.
Credit to Collin Payne.</li>
<li>[448082] High CVE-2015-1222: Use-after-free in service workers.
Credit to Collin Payne.</li>
<li>[454231] High CVE-2015-1223: Use-after-free in dom.
Credit to Maksymillian Motyl.</li>
<li>High CVE-2015-1230: Type confusion in v8.
Credit to Skylined working with HP's Zero Day Initiative.</li>
<li>[449958] Medium CVE-2015-1224: Out-of-bounds read in vpxdecoder.
Credit to Aki Helin of OUSPG.</li>
<li>[446033] Medium CVE-2015-1225: Out-of-bounds read in pdfium.
Credit to cloudfuzzer.</li>
<li>[456841] Medium CVE-2015-1226: Validation issue in debugger.
Credit to Rob Wu.</li>
<li>[450389] Medium CVE-2015-1227: Uninitialized value in blink.
Credit to Christoph Diehl.</li>
<li>[444707] Medium CVE-2015-1228: Uninitialized value in rendering.
Credit to miaubiz.</li>
<li>[431504] Medium CVE-2015-1229: Cookie injection via proxies.
Credit to iliwoy.</li>
<li>[463349] CVE-2015-1231: Various fixes from internal audits,
fuzzing, and other initiatives.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1212</cvename>
<cvename>CVE-2015-1213</cvename>
<cvename>CVE-2015-1214</cvename>
<cvename>CVE-2015-1215</cvename>
<cvename>CVE-2015-1216</cvename>
<cvename>CVE-2015-1217</cvename>
<cvename>CVE-2015-1218</cvename>
<cvename>CVE-2015-1219</cvename>
<cvename>CVE-2015-1220</cvename>
<cvename>CVE-2015-1221</cvename>
<cvename>CVE-2015-1222</cvename>
<cvename>CVE-2015-1223</cvename>
<cvename>CVE-2015-1224</cvename>
<cvename>CVE-2015-1225</cvename>
<cvename>CVE-2015-1226</cvename>
<cvename>CVE-2015-1227</cvename>
<cvename>CVE-2015-1228</cvename>
<cvename>CVE-2015-1229</cvename>
<cvename>CVE-2015-1230</cvename>
<cvename>CVE-2015-1231</cvename>
<url>http://googlechromereleases.blogspot.nl</url>
</references>
<dates>
<discovery>2015-03-03</discovery>
<entry>2015-03-04</entry>
</dates>
</vuln>
<vuln vid="c9c3374d-c2c1-11e4-b236-5453ed2e2b49">
<topic>qt4-gui, qt5-gui -- DoS vulnerability in the BMP image handler</topic>
<affects>
<package>
<name>qt4-gui</name>
<range><lt>4.8.6_4</lt></range>
</package>
<package>
<name>qt5-gui</name>
<range><lt>5.3.2_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Richard J. Moore reports:</p>
<blockquote cite="http://lists.qt-project.org/pipermail/announce/2015-February/000059.html">
<p>The builtin BMP decoder in QtGui prior to Qt 5.5 contained a bug
that would lead to a division by zero when loading certain corrupt
BMP files. This in turn would cause the application loading these
hand crafted BMPs to crash.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0295</cvename>
<mlist>http://lists.qt-project.org/pipermail/announce/2015-February/000059.html</mlist>
</references>
<dates>
<discovery>2015-02-22</discovery>
<entry>2015-03-05</entry>
</dates>
</vuln>
<vuln vid="7480b6ac-adf1-443e-a33c-3a3c0becba1e">
<topic>jenkins -- multiple vulnerabilities</topic>
<affects>
<package>
<name>jenkins</name>
<range><le>1.600</le></range>
</package>
<package>
<name>jenkins-lts</name>
<range><le>1.580.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Kohsuke Kawaguchi from Jenkins team reports:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27">
<h1>Description</h1>
<h5>SECURITY-125 (Combination filter Groovy script unsecured)</h5>
<p>This vulnerability allows users with the job configuration
privilege to escalate their privileges, resulting in arbitrary code
execution on the master.</p>
<h5>SECURITY-162 (directory traversal from artifacts via symlink)</h5>
<p>This vulnerability allows users with the job configuration
privilege or users with commit access to the build script to
access arbitrary files/directories on the master, resulting in
the exposure of sensitive information, such as encryption keys.</p>
<h5>SECURITY-163 (update center metadata retrieval DoS attack)</h5>
<p>This vulnerability allows authenticated users to disrupt the
operation of Jenkins by feeding malicious update center data into
Jenkins, affecting plugin installation and tool installation.</p>
<h5>SECURITY-165 (external entity injection via XPath)</h5>
<p>This vulnerability allows users with read access to Jenkins
to retrieve arbitrary XML documents on the server, resulting in
the exposure of sensitive information inside/outside Jenkins.</p>
<h5>SECURITY-166 (HudsonPrivateSecurityRealm allows creation of
reserved names)</h5>
<p>For users using "Jenkins' own user database" setting, Jenkins
doesn't refuse reserved names, thus allowing privilege escalation.</p>
<h5>SECURITY-167 (External entity processing in XML can reveal
sensitive local files)</h5>
<p>This vulnerability allows attackers to create malicious XML
documents and feed them into Jenkins, which causes Jenkins to
retrieve arbitrary XML documents on the server, resulting in the
exposure of sensitive information inside/outside Jenkins.</p>
<h1>Severity</h1>
<p>SECURITY-125 is rated <strong>critical</strong>. This attack can be
only mounted by users with some trust, but it results in arbitrary
code execution on the master.</p>
<p>SECURITY-162 is rated <strong>critical</strong>. This attack can be
only mounted by users with some trust, but it results in the
exposure of sensitive information.</p>
<p>SECURITY-163 is rated <strong>medium</strong>, as it results in the
loss of functionality.</p>
<p>SECURITY-165 is rated <strong>critical</strong>. This attack is
easy to mount, and it results in the exposure of sensitive
information.</p>
<p>SECURITY-166 is rated <strong>critical</strong>. For users who use
the affected feature, this attack results in arbitrary code
execution on the master.</p>
<p>SECURITY-167 is rated <strong>critical</strong>. This attack is
easy to mount, and it results in the exposure of sensitive information.</p>
</blockquote>
</body>
</description>
<references>
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27</url>
</references>
<dates>
<discovery>2015-03-01</discovery>
<entry>2015-03-01</entry>
</dates>
</vuln>
<vuln vid="99029172-8253-407d-9d8b-2cfeab9abf81">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>36.0,1</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>31.5.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>36.0,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.33</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>31.5.0</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.33</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>31.5.0</lt></range>
</package>
<package>
<name>libxul</name>
<range><lt>31.5.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/">
<p>MFSA-2015-11 Miscellaneous memory safety hazards (rv:36.0
/ rv:31.5)</p>
<p>MFSA-2015-12 Invoking Mozilla updater will load locally
stored DLL files</p>
<p>MFSA-2015-13 Appended period to hostnames can bypass HPKP
and HSTS protections</p>
<p>MFSA-2015-14 Malicious WebGL content crash when writing
strings</p>
<p>MFSA-2015-15 TLS TURN and STUN connections silently fail
to simple TCP connections</p>
<p>MFSA-2015-16 Use-after-free in IndexedDB</p>
<p>MFSA-2015-17 Buffer overflow in libstagefright during MP4
video playback</p>
<p>MFSA-2015-18 Double-free when using non-default memory
allocators with a zero-length XHR</p>
<p>MFSA-2015-19 Out-of-bounds read and write while rendering
SVG content</p>
<p>MFSA-2015-20 Buffer overflow during CSS restyling</p>
<p>MFSA-2015-21 Buffer underflow during MP3 playback</p>
<p>MFSA-2015-22 Crash using DrawTarget in Cairo graphics
library</p>
<p>MFSA-2015-23 Use-after-free in Developer Console date
with OpenType Sanitiser</p>
<p>MFSA-2015-24 Reading of local files through manipulation
of form autocomplete</p>
<p>MFSA-2015-25 Local files or privileged URLs in pages can
be opened into new tabs</p>
<p>MFSA-2015-26 UI Tour whitelisted sites in background tab
can spoof foreground tabs</p>
<p>MFSA-2015-27 Caja Compiler JavaScript sandbox bypass</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0819</cvename>
<cvename>CVE-2015-0820</cvename>
<cvename>CVE-2015-0821</cvename>
<cvename>CVE-2015-0822</cvename>
<cvename>CVE-2015-0823</cvename>
<cvename>CVE-2015-0824</cvename>
<cvename>CVE-2015-0825</cvename>
<cvename>CVE-2015-0826</cvename>
<cvename>CVE-2015-0827</cvename>
<cvename>CVE-2015-0828</cvename>
<cvename>CVE-2015-0829</cvename>
<cvename>CVE-2015-0830</cvename>
<cvename>CVE-2015-0831</cvename>
<cvename>CVE-2015-0832</cvename>
<cvename>CVE-2015-0833</cvename>
<cvename>CVE-2015-0834</cvename>
<cvename>CVE-2015-0835</cvename>
<cvename>CVE-2015-0836</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2015-11/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-12/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-13/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-14/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-15/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-16/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-17/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-18/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-19/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-20/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-21/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-22/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-23/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-24/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-25/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-26/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2015-27/</url>
<url>https://www.mozilla.org/security/advisories/</url>
</references>
<dates>
<discovery>2015-02-24</discovery>
<entry>2015-02-27</entry>
</dates>
</vuln>
<vuln vid="f7a9e415-bdca-11e4-970c-000c292ee6b8">
<topic>php5 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.4.38</lt></range>
</package>
<package>
<name>php55</name>
<range><lt>5.5.22</lt></range>
</package>
<package>
<name>php56</name>
<range><lt>5.6.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP Project reports:</p>
<blockquote cite="http://www.php.net/ChangeLog-5.php">
<p>Use after free vulnerability in unserialize() with DateTimeZone.</p>
<p>Mitigation for CVE-2015-0235 -- GHOST: glibc gethostbyname buffer
overflow.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0235</cvename>
<cvename>CVE-2015-0273</cvename>
<url>http://php.net/ChangeLog-5.php#5.4.38</url>
<url>http://php.net/ChangeLog-5.php#5.5.22</url>
<url>http://php.net/ChangeLog-5.php#5.6.6</url>
</references>
<dates>
<discovery>2015-02-18</discovery>
<entry>2015-02-26</entry>
</dates>
</vuln>
<vuln vid="dbf9e66c-bd50-11e4-a7ba-206a8a720317">
<topic>krb5 1.11 -- New release/fix multiple vulnerabilities</topic>
<affects>
<package>
<name>krb5-111</name>
<range><lt>1.11.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team announces the availability of MIT Kerberos 5 Release 1.11.6:</p>
<blockquote cite="http://web.mit.edu/kerberos/krb5-1.11/README-1.11.6.txt">
<p>Handle certain invalid RFC 1964 GSS tokens correctly to avoid
invalid memory reference vulnerabilities. [CVE-2014-4341]</p>
<p>Fix memory management vulnerabilities in GSSAPI SPNEGO.
[CVE-2014-4343 CVE-2014-4344]</p>
<p>Fix buffer overflow vulnerability in LDAP KDB back end.
[CVE-2014-4345]</p>
<p>Fix multiple vulnerabilities in the LDAP KDC back end.
[CVE-2014-5354 CVE-2014-5353]</p>
<p>Fix multiple kadmind vulnerabilities, some of which are based
in the gssrpc library. [CVE-2014-5352 CVE-2014-9421
CVE-2014-9422 CVE-2014-9423]</p>
</blockquote>
</body>
</description>
<references>
<url>http://web.mit.edu/kerberos/krb5-1.11/README-1.11.6.txt</url>
</references>
<dates>
<discovery>2015-02-25</discovery>
<entry>2015-02-25</entry>
</dates>
</vuln>
<vuln vid="996c219c-bbb1-11e4-88ae-d050992ecde8">
<topic>samba -- Unexpected code execution in smbd</topic>
<affects>
<package>
<name>samba4</name>
<range><ge>4.0.0</ge><lt>4.0.25</lt></range>
</package>
<package>
<name>samba41</name>
<range><ge>4.1.0</ge><lt>4.1.17</lt></range>
</package>
<package>
<name>samba36</name>
<range><ge>3.6.0</ge><lt>3.6.25</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samba development team reports:</p>
<blockquote cite="https://www.samba.org/samba/security/CVE-2015-0240">
<p>All versions of Samba from 3.5.0 to 4.2.0rc4 are
vulnerable to an unexpected code execution vulnerability
in the smbd file server daemon.</p>
<p>A malicious client could send packets that may set up the
stack in such a way that the freeing of memory in a
subsequent anonymous netlogon packet could allow execution
of arbitrary code. This code would execute with root
privileges.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0240</cvename>
<url>https://www.samba.org/samba/security/CVE-2015-0240</url>
</references>
<dates>
<discovery>2015-02-23</discovery>
<entry>2015-02-23</entry>
</dates>
</vuln>
<vuln vid="0f488b7b-bbb9-11e4-903c-080027ef73ec">
<topic>e2fsprogs -- buffer overflow if s_first_meta_bg too big</topic>
<affects>
<package>
<name>e2fsprogs</name>
<range><lt>1.42.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Theodore Ts'o reports:</p>
<blockquote cite="http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4">
<p>If s_first_meta_bg is greater than the number of block group descriptor blocks, then reading or writing the block group descriptors will end up overrunning the memory buffer allocated for the descriptors.</p>
<p>The finding is credited to a vulnerability report from Jose Duart of Google Security Team &lt;jduart AT google.com&gt; and was reported through oCERT-2015-002.</p>
</blockquote>
</body>
</description>
<references>
<url>http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4</url>
<url>http://www.ocert.org/advisories/ocert-2015-002.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1187032</url>
<cvename>CVE-2015-0247</cvename>
</references>
<dates>
<discovery>2014-08-09</discovery>
<entry>2015-02-24</entry>
</dates>
</vuln>
<vuln vid="2a4bcd7d-bbb8-11e4-903c-080027ef73ec">
<topic>e2fsprogs -- potential buffer overflow in closefs()</topic>
<affects>
<package>
<name>e2fsprogs</name>
<range><lt>1.42.12_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Theodore Ts'o reports:</p>
<blockquote cite="http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?h=maint&amp;id=49d0fe2a14f2a23da2fe299643379b8c1d37df73">
<p>On a carefully crafted filesystem that gets modified through
tune2fs or debugfs, it is possible to trigger a buffer overrun when
the file system is closed via closefs().</p>
</blockquote>
</body>
</description>
<references>
<url>http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?h=maint&amp;id=49d0fe2a14f2a23da2fe299643379b8c1d37df73</url>
<cvename>CVE-2015-1572</cvename>
</references>
<dates>
<discovery>2015-02-06</discovery>
<entry>2015-02-24</entry>
</dates>
</vuln>
<vuln vid="58033a95-bba8-11e4-88ae-d050992ecde8">
<topic>bind -- denial of service vulnerability</topic>
<affects>
<package>
<name>bind910</name>
<name>bind910-base</name>
<range><lt>9.10.1P2</lt></range>
</package>
<package>
<name>bind99</name>
<name>bind99-base</name>
<range><lt>9.9.6P2</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>9.3</ge><lt>9.3_10</lt></range>
<range><ge>8.4</ge><lt>8.4_24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01235">
<p>When configured to perform DNSSEC validation, named can
crash when encountering a rare set of conditions in the
managed trust anchors.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-15:05.bind</freebsdsa>
<cvename>CVE-2015-1349</cvename>
<url>https://kb.isc.org/article/AA-01235</url>
</references>
<dates>
<discovery>2015-02-18</discovery>
<entry>2015-02-23</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="63527d0d-b9de-11e4-8a48-206a8a720317">
<topic>krb5 1.12 -- New release/fix multiple vulnerabilities</topic>
<affects>
<package>
<name>krb5-112</name>
<range><lt>1.12.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team announces the availability of MIT Kerberos 5 Release 1.12.3:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt">
<p>Fix multiple vulnerabilities in the LDAP KDC back end.
[CVE-2014-5354] [CVE-2014-5353]</p>
<p>Fix multiple kadmind vulnerabilities, some of which are based
in the gssrpc library. [CVE-2014-5352 CVE-2014-9421
CVE-2014-9422 CVE-2014-9423]</p>
</blockquote>
</body>
</description>
<references>
<url>http://web.mit.edu/kerberos/krb5-1.12/README-1.12.3.txt</url>
</references>
<dates>
<discovery>2015-02-20</discovery>
<entry>2015-02-21</entry>
</dates>
</vuln>
<vuln vid="3680b234-b6f0-11e4-b7cc-d050992ecde8">
<topic>unzip -- heap based buffer overflow in iconv patch</topic>
<affects>
<package>
<name>unzip</name>
<range><lt>6.0_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ubuntu Security Notice USN-2502-1 reports:</p>
<blockquote cite="http://www.ubuntu.com/usn/usn-2502-1/">
<p>unzip could be made to run programs if it opened a specially crafted file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1315</cvename>
<url>http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1315.html</url>
<url>https://security-tracker.debian.org/tracker/CVE-2015-1315</url>
<url>http://www.ubuntu.com/usn/usn-2502-1/</url>
</references>
<dates>
<discovery>2015-02-17</discovery>
<entry>2015-02-17</entry>
</dates>
</vuln>
<vuln vid="3a888a1e-b321-11e4-83b2-206a8a720317">
<topic>krb5 -- Vulnerabilities in kadmind, libgssrpc, gss_process_context_token VU#540092</topic>
<affects>
<package>
<name>krb5</name>
<range><lt>1.13.1</lt></range>
</package>
<package>
<name>krb5-112</name>
<range><lt>1.12.2_2</lt></range>
</package>
<package>
<name>krb5-111</name>
<range><lt>1.11.5_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt">
<p>CVE-2014-5353: The krb5_ldap_get_password_policy_from_dn
function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c in
MIT Kerberos 5 (aka krb5) before 1.13.1, when the KDC uses LDAP,
allows remote authenticated users to cause a denial of service
(daemon crash) via a successful LDAP query with no results, as
demonstrated by using an incorrect object type for a password
policy.</p>
<p>CVE-2014-5354: plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in
MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.1, when
the KDC uses LDAP, allows remote authenticated users to cause a
denial of service (NULL pointer dereference and daemon crash) by
creating a database entry for a keyless principal, as
demonstrated by a kadmin "add_principal -nokey" or "purgekeys
-all" command.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-5353</cvename>
<cvename>CVE-2014-5354</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt</url>
</references>
<dates>
<discovery>2015-02-12</discovery>
<entry>2015-02-12</entry>
<modified>2015-02-13</modified>
</dates>
</vuln>
<vuln vid="54a69cf7-b2ef-11e4-b1f1-bcaec565249c">
<topic>xorg-server -- Information leak in the XkbSetGeometry request of X servers.</topic>
<affects>
<package>
<name>xorg-server</name>
<range><lt>1.14.7_2,1</lt></range>
</package>
<package>
<name>xorg-server</name>
<range><ge>1.15.0,1</ge><lt>1.16.4,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Peter Hutterer reports:</p>
<blockquote cite="http://lists.freedesktop.org/archives/xorg/2015-February/057158.html">
<p>Olivier Fourdan from Red Hat has discovered a protocol handling
issue in the way the X server code base handles the XkbSetGeometry
request.</p>
<p>The issue stems from the server trusting the client to send valid
string lengths in the request data. A malicious client with string
lengths exceeding the request length can cause the server to copy
adjacent memory data into the XKB structs. This data is then
available to the client via the XkbGetGeometry request. The
data length is at least up to 64k; it is possible to obtain
more data by chaining strings, where each string length is then
determined by whatever happens to be in that 16-bit region of
memory.</p>
<p>A similarly crafted request can likely cause the X server
to crash.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0255</cvename>
<url>http://lists.freedesktop.org/archives/xorg/2015-February/057158.html</url>
</references>
<dates>
<discovery>2015-02-10</discovery>
<entry>2015-02-12</entry>
</dates>
</vuln>
<vuln vid="a0c45e53-ae51-11e4-8ac7-d050992ecde8">
<topic>openldap -- two remote denial of service vulnerabilities</topic>
<affects>
<package>
<name>openldap-server</name>
<range><lt>2.4.40_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ryan Tandy reports:</p>
<blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776988">
<p>With the deref overlay enabled, ldapsearch with '-E deref=member:'
causes slapd to crash.</p>
</blockquote>
<blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776991">
<p>Bill MacAllister discovered that certain queries cause slapd
to crash while freeing operation controls. This is a 2.4.40 regression.
Earlier releases are not affected.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776988</url>
<url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776991</url>
</references>
<dates>
<discovery>2015-02-02</discovery>
<entry>2015-02-06</entry>
</dates>
</vuln>
<vuln vid="a6eb239f-adbe-11e4-9fce-080027593b9a">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>40.0.2214.111</lt></range>
</package>
<package>
<name>chromium-pulse</name>
<range><lt>40.0.2214.111</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl">
<p>11 security fixes in this release, including:</p>
<ul>
<li>[447906] High CVE-2015-1209: Use-after-free in DOM. Credit to
Maksymillian.</li>
<li>[453979] High CVE-2015-1210: Cross-origin-bypass in V8
bindings. Credit to anonymous.</li>
<li>[453982] High CVE-2015-1211: Privilege escalation using service
workers. Credit to anonymous.</li>
<li>[455225] CVE-2015-1212: Various fixes from internal audits,
fuzzing and other initiatives.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1209</cvename>
<cvename>CVE-2015-1210</cvename>
<cvename>CVE-2015-1211</cvename>
<cvename>CVE-2015-1212</cvename>
<url>http://googlechromereleases.blogspot.nl</url>
</references>
<dates>
<discovery>2015-02-05</discovery>
<entry>2015-02-06</entry>
</dates>
</vuln>
<vuln vid="3b40bf2c-ad83-11e4-a2b2-0026551a22dc">
<topic>PostgreSQL -- multiple buffer overflows and memory issues</topic>
<affects>
<package>
<name>postgresql90-server</name>
<range><ge>9.0.0</ge><lt>9.0.19</lt></range>
</package>
<package>
<name>postgresql91-server</name>
<range><ge>9.1.0</ge><lt>9.1.15</lt></range>
</package>
<package>
<name>postgresql92-server</name>
<range><ge>9.2.0</ge><lt>9.2.10</lt></range>
</package>
<package>
<name>postgresql93-server</name>
<range><ge>9.3.0</ge><lt>9.3.6</lt></range>
</package>
<package>
<name>postgresql94-server</name>
<range><ge>9.4.0</ge><lt>9.4.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PostgreSQL Project reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1569/">
<p>This update fixes multiple security issues reported in PostgreSQL
over the past few months. All of these issues require prior
authentication, and some require additional conditions, and as such
are not considered generally urgent. However, users should examine
the list of security holes patched below in case they are particularly
vulnerable.</p>
<ol>
<li>CVE-2015-0241 Buffer overruns in "to_char" functions.</li>
<li>CVE-2015-0242 Buffer overrun in replacement printf family of
functions.</li>
<li>CVE-2015-0243 Memory errors in functions in the pgcrypto extension.</li>
<li>CVE-2015-0244 An error in extended protocol message reading.</li>
<li>CVE-2014-8161 Constraint violation errors can cause display of values in columns
which the user would not normally have rights to see.</li>
</ol>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0241</cvename>
<cvename>CVE-2015-0242</cvename>
<cvename>CVE-2015-0243</cvename>
<cvename>CVE-2015-0244</cvename>
<cvename>CVE-2014-8161</cvename>
</references>
<dates>
<discovery>2015-02-05</discovery>
<entry>2015-02-05</entry>
</dates>
</vuln>
<vuln vid="24ce5597-acab-11e4-a847-206a8a720317">
<topic>krb5 -- Vulnerabilities in kadmind, libgssrpc, gss_process_context_token VU#540092</topic>
<affects>
<package>
<name>krb5</name>
<range><lt>1.13_1</lt></range>
</package>
<package>
<name>krb5-112</name>
<range><lt>1.12.2_1</lt></range>
</package>
<package>
<name>krb5-111</name>
<range><lt>1.11.5_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt">
<p>CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library, after
gss_process_context_token() is used to process a valid context
deletion token, the caller is left with a security context handle
containing a dangling pointer. Further uses of this handle will
result in use-after-free and double-free memory access violations.
libgssrpc server applications such as kadmind are vulnerable as
they can be instructed to call gss_process_context_token().</p>
<p>CVE-2014-9421: If the MIT krb5 kadmind daemon receives invalid XDR
data from an authenticated user, it may perform use-after-free and
double-free memory access violations while cleaning up the partial
deserialization results. Other libgssrpc server applications may
also be vulnerable if they contain insufficiently defensive XDR
functions.</p>
<p>CVE-2014-9422: The MIT krb5 kadmind daemon incorrectly accepts
authentications to two-component server principals whose first
component is a left substring of "kadmin" or whose realm is a left
prefix of the default realm.</p>
<p>CVE-2014-9423: libgssrpc applications including kadmind output
four or eight bytes of uninitialized memory to the network as
part of an unused "handle" field in replies to clients.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-5352</cvename>
<cvename>CVE-2014-9421</cvename>
<cvename>CVE-2014-9422</cvename>
<cvename>CVE-2014-9423</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt</url>
</references>
<dates>
<discovery>2015-02-03</discovery>
<entry>2015-02-04</entry>
</dates>
</vuln>
<vuln vid="e543c6f8-abf2-11e4-8ac7-d050992ecde8">
<topic>unzip -- out of boundary access issues in test_compr_eb</topic>
<affects>
<package>
<name>unzip</name>
<range><lt>6.0_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ubuntu Security Notice USN-2489-1 reports:</p>
<blockquote cite="http://www.ubuntu.com/usn/usn-2489-1/">
<p>Michal Zalewski discovered that unzip incorrectly handled
certain malformed zip archives. If a user or automated system
were tricked into processing a specially crafted zip archive,
an attacker could possibly execute arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-9636</cvename>
<url>http://www.ubuntu.com/usn/usn-2489-1/</url>
<url>http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9636.html</url>
<url>http://seclists.org/oss-sec/2014/q4/489</url>
<url>http://www.info-zip.org/phpBB3/viewtopic.php?f=7&amp;t=450</url>
</references>
<dates>
<discovery>2014-11-02</discovery>
<entry>2015-02-03</entry>
</dates>
</vuln>
<vuln vid="1c7cfd05-aaee-11e4-83b4-14dae9d210b8">
<topic>Xymon -- buffer overrun</topic>
<affects>
<package>
<name>xymon-server</name>
<range><ge>4.3.4</ge><lt>4.3.18</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Debian reports:</p>
<blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776007">
<p>web/acknowledge.c uses a string twice in a format string, but only
allocates memory for one copy.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2015/01/31/4</url>
<url>https://security-tracker.debian.org/tracker/CVE-2015-1430</url>
<cvename>CVE-2015-1430</cvename>
</references>
<dates>
<discovery>2014-09-28</discovery>
<entry>2015-02-02</entry>
</dates>
</vuln>
<vuln vid="8469d41c-a960-11e4-b18e-bcaec55be5e5">
<topic>rabbitmq -- Security issues in management plugin</topic>
<affects>
<package>
<name>rabbitmq</name>
<range><lt>3.4.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The RabbitMQ project reports:</p>
<blockquote cite="http://www.rabbitmq.com/news.html#2015-01-08T10:14:05+0100">
<p>Some user-controllable content was not properly HTML-escaped
before being presented to a user in the management web UI:</p>
<ul>
<li>When a user unqueued a message from the management UI,
message details (header names, arguments, etc.) were displayed
unescaped. An attacker could publish a specially crafted
message to add content or execute arbitrary Javascript code on
behalf of a user, if this user unqueued the message from the
management UI.</li>
<li>When viewing policies, their name was displayed unescaped.
An attacker could create a policy with a specially crafted name
to add content or execute arbitrary Javascript code on behalf
of a user who is viewing policies.</li>
<li>When listing connected AMQP network clients, client details
such as its version were displayed unescaped. An attacker could
use a client with a specially crafted version field to add
content or execute arbitrary Javascript code on behalf of a
user who is viewing connected clients.</li>
</ul>
<p>In all cases, the attacker needs a valid user account on the
targeted RabbitMQ cluster.</p>
<p>Furthermore, some admin-controllable content was not properly
escaped:</p>
<ul>
<li>user names;</li>
<li>the cluster name.</li>
</ul>
<p>Likewise, an attacker could add content or execute arbitrary
Javascript code on behalf of a user using the management web UI.
However, the attacker must be an administrator on the RabbitMQ
cluster, thus a trusted user.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.rabbitmq.com/news.html#2015-01-08T10:14:05+0100</url>
<url>http://www.rabbitmq.com/release-notes/README-3.4.3.txt</url>
<cvename>CVE-2015-0862</cvename>
</references>
<dates>
<discovery>2015-01-08</discovery>
<entry>2015-01-31</entry>
</dates>
</vuln>
<vuln vid="5804b9d4-a959-11e4-9363-20cf30e32f6d">
<topic>apache24 -- several vulnerabilities</topic>
<affects>
<package>
<name>apache24</name>
<range><lt>2.4.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache HTTP Server Project reports:</p>
<blockquote cite="http://www.apache.org/dist/httpd/Announcement2.4.html">
<p>mod_proxy_fcgi: Fix a potential crash due to buffer over-read,
with response headers' size above 8K.</p>
<p>mod_cache: Avoid a crash when Content-Type has an empty value. PR 56924.</p>
<p>mod_lua: Fix handling of the Require line when a LuaAuthzProvider is used
in multiple Require directives with different arguments. PR 57204.</p>
<p>core: HTTP trailers could be used to replace HTTP headers late during
request processing, potentially undoing or otherwise confusing modules
that examined or modified request headers earlier. Adds "MergeTrailers"
directive to restore legacy behavior.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-3583</cvename>
<cvename>CVE-2014-3581</cvename>
<cvename>CVE-2014-8109</cvename>
<cvename>CVE-2013-5704</cvename>
</references>
<dates>
<discovery>2015-01-29</discovery>
<entry>2015-01-31</entry>
</dates>
</vuln>
<vuln vid="7656fc62-a7a7-11e4-96ba-001999f8d30b">
<topic>asterisk -- Mitigation for libcURL HTTP request injection vulnerability</topic>
<affects>
<package>
<name>asterisk</name>
<range><lt>1.8.32.2</lt></range>
</package>
<package>
<name>asterisk11</name>
<range><lt>11.15.1</lt></range>
</package>
<package>
<name>asterisk13</name>
<range><lt>13.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>CVE-2014-8150 reported an HTTP request injection
vulnerability in libcURL. Asterisk uses libcURL in its
func_curl.so module (the CURL() dialplan function), as
well as its res_config_curl.so (cURL realtime backend)
modules.</p>
<p>Since Asterisk may be configured to allow for user-supplied
URLs to be passed to libcURL, it is possible that an
attacker could use Asterisk as an attack vector to inject
unauthorized HTTP requests if the version of libcURL
installed on the Asterisk server is affected by
CVE-2014-8150.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2015-002.html</url>
</references>
<dates>
<discovery>2015-01-12</discovery>
<entry>2015-01-29</entry>
</dates>
</vuln>
<vuln vid="2eeb6652-a7a6-11e4-96ba-001999f8d30b">
<topic>asterisk -- File descriptor leak when incompatible codecs are offered</topic>
<affects>
<package>
<name>asterisk13</name>
<range><lt>13.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>Asterisk may be configured to only allow specific audio
or video codecs to be used when communicating with a
particular endpoint. When an endpoint sends an SDP offer
that only lists codecs not allowed by Asterisk, the offer
is rejected. However, in this case, RTP ports that are
allocated in the process are not reclaimed.</p>
<p>This issue only affects the PJSIP channel driver in
Asterisk. Users of the chan_sip channel driver are not
affected.</p>
<p>As the resources are allocated after authentication,
this issue only affects communications with authenticated
endpoints.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2015-001.html</url>
<cvename>CVE-2015-1558</cvename>
</references>
<dates>
<discovery>2015-01-06</discovery>
<entry>2015-01-29</entry>
<modified>2015-02-17</modified>
</dates>
</vuln>
<vuln vid="0765de84-a6c1-11e4-a0c1-c485083ca99c">
<topic>glibc -- gethostbyname buffer overflow</topic>
<affects>
<package>
<name>linux_base-c6</name>
<range><lt>6.6_2</lt></range>
</package>
<package>
<name>linux_base-f10</name>
<range><ge>0</ge></range>
</package>
<package>
<name>linux-c6-devtools</name>
<range><lt>6.6_3</lt></range>
</package>
<package>
<name>linux-f10-devtools</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Robert Krátký reports:</p>
<blockquote cite="https://access.redhat.com/discussions/1332403">
<p>
GHOST is a 'buffer overflow' bug affecting the gethostbyname() and
gethostbyname2() function calls in the glibc library. This
vulnerability allows a remote attacker that is able to make an
application call to either of these functions to execute arbitrary
code with the permissions of the user running the application.
The gethostbyname() function calls are used for DNS resolving, which
is a very common event. To exploit this vulnerability, an attacker
must trigger a buffer overflow by supplying an invalid hostname
argument to an application that performs a DNS resolution.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0235</cvename>
<url>https://access.redhat.com/articles/1332213</url>
<url>http://www.openwall.com/lists/oss-security/2015/01/27/9</url>
</references>
<dates>
<discovery>2015-01-27</discovery>
<entry>2015-01-28</entry>
<modified>2015-02-02</modified>
</dates>
</vuln>
<vuln vid="37a87ade-a59f-11e4-958e-0011d823eebd">
<topic>Adobe Flash Player -- critical vulnerability</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<range><le>11.2r202.438</le></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><le>11.2r202.438</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsa15-01.html">
<p>Successful exploitation could cause a crash and potentially allow
an attacker to take control of the affected system. We are aware
of reports that this vulnerability is being actively exploited in
the wild via drive-by-download attacks against systems running
Internet Explorer and Firefox on Windows 8.1 and below.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0311</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsa15-01.html</url>
</references>
<dates>
<discovery>2015-01-22</discovery>
<entry>2015-01-26</entry>
</dates>
</vuln>
<vuln vid="dc2d76df-a595-11e4-9363-20cf30e32f6d">
<topic>Bugzilla -- multiple security issues</topic>
<affects>
<package>
<name>bugzilla44</name>
<range><lt>4.4.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Bugzilla Security Advisory</p>
<blockquote cite="http://www.bugzilla.org/security/4.0.15/">
<h5>Command Injection</h5>
<p>Some code in Bugzilla does not properly utilize the 3-argument form
of open(), and it is possible for an account with editcomponents
permissions to inject commands into product names and other
attributes.</p>
<h5>Information Leak</h5>
<p>Using the WebServices API, a user can possibly execute imported
functions from other non-WebService modules. A whitelist has now
been added that lists explicit methods that can be executed via the
API.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-8630</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=1079065</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=1090275</url>
</references>
<dates>
<discovery>2015-01-21</discovery>
<entry>2015-01-26</entry>
</dates>
</vuln>
<vuln vid="9c7b6c20-a324-11e4-879c-00e0814cab4e">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py27-django</name>
<range><ge>1.4</ge><lt>1.4.18</lt></range>
<range><ge>1.5</ge><le>1.5.12</le></range>
<range><ge>1.6</ge><lt>1.6.10</lt></range>
<range><ge>1.7</ge><lt>1.7.3</lt></range>
</package>
<package>
<name>py32-django</name>
<range><ge>1.4</ge><lt>1.4.18</lt></range>
<range><ge>1.5</ge><le>1.5.12</le></range>
<range><ge>1.6</ge><lt>1.6.10</lt></range>
<range><ge>1.7</ge><lt>1.7.3</lt></range>
</package>
<package>
<name>py33-django</name>
<range><ge>1.4</ge><lt>1.4.18</lt></range>
<range><ge>1.5</ge><le>1.5.12</le></range>
<range><ge>1.6</ge><lt>1.6.10</lt></range>
<range><ge>1.7</ge><lt>1.7.3</lt></range>
</package>
<package>
<name>py34-django</name>
<range><ge>1.4</ge><lt>1.4.18</lt></range>
<range><ge>1.5</ge><le>1.5.12</le></range>
<range><ge>1.6</ge><lt>1.6.10</lt></range>
<range><ge>1.7</ge><lt>1.7.3</lt></range>
</package>
<package>
<name>py27-django-devel</name>
<range><lt>20150124,1</lt></range>
</package>
<package>
<name>py32-django-devel</name>
<range><lt>20150124,1</lt></range>
</package>
<package>
<name>py33-django-devel</name>
<range><lt>20150124,1</lt></range>
</package>
<package>
<name>py34-django-devel</name>
<range><lt>20150124,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Django project reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2015/jan/13/security/">
<p>Today the Django team is issuing multiple releases --
Django 1.4.18, Django 1.6.10, and Django 1.7.3 -- as part of our
security process. These releases are now available on PyPI and our
download page.</p>
<p>These releases address several security issues. We encourage all
users of Django to upgrade as soon as possible.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.djangoproject.com/weblog/2015/jan/13/security/</url>
<cvename>CVE-2015-0219</cvename>
<cvename>CVE-2015-0220</cvename>
<cvename>CVE-2015-0221</cvename>
<cvename>CVE-2015-0222</cvename>
</references>
<dates>
<discovery>2015-01-13</discovery>
<entry>2015-01-23</entry>
<modified>2015-01-24</modified>
</dates>
</vuln>
<vuln vid="0523fb7e-8444-4e86-812d-8de05f6f0dce">
<topic>libutp -- remote denial of service or arbitrary code execution</topic>
<affects>
<package>
<name>bittorrent-libutp</name>
<range><lt>0.20130514_1</lt></range>
</package>
<package>
<name>transmission-cli</name>
<name>transmission-daemon</name>
<name>transmission-gtk</name>
<name>transmission-qt4</name>
<range><lt>2.74</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6129">
<p>Stack-based buffer overflow in utp.cpp in libutp, as used
in Transmission before 2.74 and possibly other products,
allows remote attackers to cause a denial of service (crash)
and possibly execute arbitrary code via crafted "micro
transport protocol packets."</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-6129</cvename>
<url>https://github.com/bittorrent/libutp/issues/38</url>
<url>https://trac.transmissionbt.com/ticket/5002</url>
</references>
<dates>
<discovery>2012-08-01</discovery>
<entry>2014-12-29</entry>
</dates>
</vuln>
<vuln vid="f9c388c5-a256-11e4-992a-7b2a515a1247">
<topic>LibreSSL -- DTLS vulnerability</topic>
<affects>
<package>
<name>libressl</name>
<range><lt>2.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL Security Advisory:</p>
<blockquote cite="https://www.openssl.org/news/secadv_20150108.txt">
<p>
A memory leak can occur in the dtls1_buffer_record function under certain
conditions. In particular this could occur if an attacker sent repeated DTLS
records with the same sequence number but for the next epoch. The memory leak
could be exploited by an attacker in a Denial of Service attack through memory
exhaustion.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0206</cvename>
<url>https://www.openssl.org/news/secadv_20150108.txt</url>
</references>
<dates>
<discovery>2015-01-08</discovery>
<entry>2015-01-22</entry>
</dates>
</vuln>
<vuln vid="cc294a2c-a232-11e4-8e9f-0011d823eebd">
<topic>Adobe Flash Player -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<range><lt>11.2r202.429</lt></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.429</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="http://helpx.adobe.com/security/products/flash-player/apsb15-01.html">
<p>These updates address vulnerabilities that could potentially allow
an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-0301</cvename>
<cvename>CVE-2015-0302</cvename>
<cvename>CVE-2015-0303</cvename>
<cvename>CVE-2015-0304</cvename>
<cvename>CVE-2015-0305</cvename>
<cvename>CVE-2015-0306</cvename>
<cvename>CVE-2015-0307</cvename>
<cvename>CVE-2015-0308</cvename>
<cvename>CVE-2015-0309</cvename>
<url>http://helpx.adobe.com/security/products/flash-player/apsb15-01.html</url>
</references>
<dates>
<discovery>2015-01-13</discovery>
<entry>2015-01-22</entry>
</dates>
</vuln>
<vuln vid="e30e0c99-a1b7-11e4-b85c-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>40.0.2214.91</lt></range>
</package>
<package>
<name>chromium-pulse</name>
<range><lt>40.0.2214.91</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/">
<p>62 security fixes in this release, including:</p>
<ul>
<li>[430353] High CVE-2014-7923: Memory corruption in ICU. Credit
to yangdingning.</li>
<li>[435880] High CVE-2014-7924: Use-after-free in IndexedDB.
Credit to Collin Payne.</li>
<li>[434136] High CVE-2014-7925: Use-after-free in WebAudio. Credit
to mark.buer.</li>
<li>[422824] High CVE-2014-7926: Memory corruption in ICU. Credit
to yangdingning.</li>
<li>[444695] High CVE-2014-7927: Memory corruption in V8. Credit to
Christian Holler.</li>
<li>[435073] High CVE-2014-7928: Memory corruption in V8. Credit to
Christian Holler.</li>
<li>[442806] High CVE-2014-7930: Use-after-free in DOM. Credit to
cloudfuzzer.</li>
<li>[442710] High CVE-2014-7931: Memory corruption in V8. Credit to
cloudfuzzer.</li>
<li>[443115] High CVE-2014-7929: Use-after-free in DOM. Credit to
cloudfuzzer.</li>
<li>[429666] High CVE-2014-7932: Use-after-free in DOM. Credit to
Atte Kettunen of OUSPG.</li>
<li>[427266] High CVE-2014-7933: Use-after-free in FFmpeg. Credit
to aohelin.</li>
<li>[427249] High CVE-2014-7934: Use-after-free in DOM. Credit to
cloudfuzzer.</li>
<li>[402957] High CVE-2014-7935: Use-after-free in Speech. Credit
to Khalil Zhani.</li>
<li>[428561] High CVE-2014-7936: Use-after-free in Views. Credit
to Christoph Diehl.</li>
<li>[419060] High CVE-2014-7937: Use-after-free in FFmpeg. Credit
to Atte Kettunen of OUSPG.</li>
<li>[416323] High CVE-2014-7938: Memory corruption in Fonts. Credit
to Atte Kettunen of OUSPG.</li>
<li>[399951] High CVE-2014-7939: Same-origin-bypass in V8. Credit
to Takeshi Terada.</li>
<li>[433866] Medium CVE-2014-7940: Uninitialized-value in ICU.
Credit to miaubiz.</li>
<li>[428557] Medium CVE-2014-7941: Out-of-bounds read in UI. Credit
to Atte Kettunen of OUSPG and Christoph Diehl.</li>
<li>[426762] Medium CVE-2014-7942: Uninitialized-value in Fonts.
Credit to miaubiz.</li>
<li>[422492] Medium CVE-2014-7943: Out-of-bounds read in Skia.
Credit to Atte Kettunen of OUSPG.</li>
<li>[418881] Medium CVE-2014-7944: Out-of-bounds read in PDFium.
Credit to cloudfuzzer.</li>
<li>[414310] Medium CVE-2014-7945: Out-of-bounds read in PDFium.
Credit to cloudfuzzer.</li>
<li>[414109] Medium CVE-2014-7946: Out-of-bounds read in Fonts.
Credit to miaubiz.</li>
<li>[430566] Medium CVE-2014-7947: Out-of-bounds read in PDFium.
Credit to fuzztercluck.</li>
<li>[414026] Medium CVE-2014-7948: Caching error in AppCache.
Credit to jiayaoqijia.</li>
<li>[449894] CVE-2015-1205: Various fixes from internal audits,
fuzzing and other initiatives.</li>
<li>Multiple vulnerabilities in V8 fixed at the tip of the 3.30
branch (currently 3.30.33.15).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-7923</cvename>
<cvename>CVE-2014-7924</cvename>
<cvename>CVE-2014-7925</cvename>
<cvename>CVE-2014-7926</cvename>
<cvename>CVE-2014-7927</cvename>
<cvename>CVE-2014-7928</cvename>
<cvename>CVE-2014-7929</cvename>
<cvename>CVE-2014-7930</cvename>
<cvename>CVE-2014-7931</cvename>
<cvename>CVE-2014-7932</cvename>
<cvename>CVE-2014-7933</cvename>
<cvename>CVE-2014-7934</cvename>
<cvename>CVE-2014-7935</cvename>
<cvename>CVE-2014-7936</cvename>
<cvename>CVE-2014-7937</cvename>
<cvename>CVE-2014-7938</cvename>
<cvename>CVE-2014-7939</cvename>
<cvename>CVE-2014-7940</cvename>
<cvename>CVE-2014-7941</cvename>
<cvename>CVE-2014-7942</cvename>
<cvename>CVE-2014-7943</cvename>
<cvename>CVE-2014-7944</cvename>
<cvename>CVE-2014-7945</cvename>
<cvename>CVE-2014-7946</cvename>
<cvename>CVE-2014-7947</cvename>
<cvename>CVE-2014-7948</cvename>
<cvename>CVE-2015-1205</cvename>
<url>http://googlechromereleases.blogspot.nl</url>
</references>
<dates>
<discovery>2015-01-21</discovery>
<entry>2015-01-21</entry>
</dates>
</vuln>
<vuln vid="a5856eba-a015-11e4-a680-1c6f65c3c4ff">
<topic>polarssl -- Remote attack using crafted certificates</topic>
<affects>
<package>
<name>polarssl</name>
<range><ge>1.2.0</ge><lt>1.2.12_1</lt></range>
</package>
<package>
<name>polarssl13</name>
<range><ge>1.3.0</ge><lt>1.3.9_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PolarSSL team reports:</p>
<blockquote cite="https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04">
<p>During the parsing of an ASN.1 sequence, a pointer in the linked list of asn1_sequence is not
initialized by asn1_get_sequence_of(). In case an error occurs during parsing of the list, a
situation is created where the uninitialized pointer is passed to polarssl_free().</p>
<p>This sequence can be triggered when a PolarSSL entity is parsing a certificate. So practically this
means clients when receiving a certificate from the server or servers in case they are actively
asking for a client certificate.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1182</cvename>
<url>https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04</url>
<url>https://www.certifiedsecure.com/polarssl-advisory/</url>
</references>
<dates>
<discovery>2015-01-14</discovery>
<entry>2015-01-19</entry>
</dates>
</vuln>
<vuln vid="d9360908-9d52-11e4-87fd-10bf48e1088e">
<topic>unzip -- input sanitization errors</topic>
<affects>
<package>
<name>unzip</name>
<range><le>6.0_2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>oCERT reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2014-011.html">
<p>The UnZip tool is an open source extraction utility for archives
compressed in the zip format.</p>
<p>The unzip command line tool is affected by heap-based buffer
overflows within the CRC32 verification, the test_compr_eb() and
the getZip64Data() functions. The input errors may result in
arbitrary code execution.</p>
<p>A specially crafted zip file, passed to unzip -t, can be used to
trigger the vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-8139</cvename>
<cvename>CVE-2014-8140</cvename>
<cvename>CVE-2014-8141</cvename>
<url>http://www.info-zip.org/UnZip.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1174844</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8140</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1174856</url>
</references>
<dates>
<discovery>2014-12-03</discovery>
<entry>2015-01-16</entry>
</dates>
</vuln>
<vuln vid="d4f45676-9d33-11e4-8275-000c292e4fd8">
<topic>samba -- Elevation of privilege to Active Directory Domain Controller</topic>
<affects>
<package>
<name>samba4</name>
<range><ge>4.0.0</ge><lt>4.0.23</lt></range>
</package>
<package>
<name>samba41</name>
<range><ge>4.1.0</ge><lt>4.1.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samba team reports:</p>
<blockquote cite="https://www.samba.org/samba/security/CVE-2014-8143">
<p>In Samba's AD DC we neglected to ensure that
attempted modifications of the userAccountControl attribute
did not allow the UF_SERVER_TRUST_ACCOUNT bit to be set.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-8143</cvename>
<url>https://www.samba.org/samba/security/CVE-2014-8143</url>
</references>
<dates>
<discovery>2015-01-15</discovery>
<entry>2015-01-16</entry>
</dates>
</vuln>
<vuln vid="7a8a74d1-9c34-11e4-a40b-5453ed2e2b49">
<topic>kde-runtime -- incorrect CBC encryption handling</topic>
<affects>
<package>
<name>kde-runtime</name>
<range><lt>4.12_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Valentin Rusu reports:</p>
<blockquote cite="https://www.kde.org/info/security/advisory-20150109-1.txt">
<p>Until KDE Applications 14.12.0, kwalletd incorrectly handled CBC
encryption blocks when encrypting secrets in kwl files. The secrets
were still encrypted, but the result binary data corresponded to an
ECB encrypted block instead of CBC.</p>
<p>The ECB encryption algorithm, even if it will scramble user data,
will produce the same encrypted byte sequence for the same input text.
As a result, attackers may eventually find out the encrypted
text.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-7252</cvename>
<url>https://www.kde.org/info/security/advisory-20150109-1.txt</url>
</references>
<dates>
<discovery>2015-01-09</discovery>
<entry>2015-01-14</entry>
</dates>
</vuln>
<vuln vid="bd62c640-9bb9-11e4-a5ad-000c297fb80f">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>35.0,1</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>31.4.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>35.0,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.32</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>31.4.0</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.32</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>31.4.0</lt></range>
</package>
<package>
<name>libxul</name>
<range><lt>31.4.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/">
<p>MFSA-2015-01 Miscellaneous memory safety hazards (rv:35.0
/ rv:31.4)</p>
<p>MFSA-2015-02 Uninitialized memory use during bitmap
rendering</p>
<p>MFSA-2015-03 sendBeacon requests lack an Origin header</p>
<p>MFSA-2015-04 Cookie injection through Proxy Authenticate
responses</p>
<p>MFSA-2015-05 Read of uninitialized memory in Web Audio</p>
<p>MFSA-2015-06 Read-after-free in WebRTC</p>
<p>MFSA-2015-07 Gecko Media Plugin sandbox escape</p>
<p>MFSA-2015-08 Delegated OCSP responder certificates failure
with id-pkix-ocsp-nocheck extension</p>
<p>MFSA-2015-09 XrayWrapper bypass through DOM objects</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-8634</cvename>
<cvename>CVE-2014-8635</cvename>
<cvename>CVE-2014-8637</cvename>
<cvename>CVE-2014-8638</cvename>
<cvename>CVE-2014-8639</cvename>
<cvename>CVE-2014-8640</cvename>
<cvename>CVE-2014-8641</cvename>
<cvename>CVE-2014-8642</cvename>
<cvename>CVE-2014-8643</cvename>
<cvename>CVE-2014-8636</cvename>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2015-01/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2015-02/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2015-03/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2015-04/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2015-05/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2015-06/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2015-07/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2015-08/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2015-09/</url>
<url>https://www.mozilla.org/security/advisories/</url>
</references>
<dates>
<discovery>2015-01-13</discovery>
<entry>2015-01-14</entry>
</dates>
</vuln>
<vuln vid="daa8a49b-99b9-11e4-8f66-3085a9a4510d">
<topic>libevent -- integer overflow in evbuffers</topic>
<affects>
<package>
<name>libevent</name>
<range><lt>1.4.15</lt></range>
<range><ge>2.0</ge><lt>2.0.22</lt></range>
</package>
<package>
<name>libevent2</name>
<range><lt>2.0.22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Debian Security Team reports:</p>
<blockquote cite="https://www.debian.org/security/2015/dsa-3119">
<p>Andrew Bartlett of Catalyst reported a defect affecting certain
applications using the Libevent evbuffer API. This defect leaves
applications which pass insanely large inputs to evbuffers open
to a possible heap overflow or infinite loop. In order to exploit
this flaw, an attacker needs to be able to find a way to provoke
the program into trying to make a buffer chunk larger than what
will fit into a single size_t or off_t.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-6272</cvename>
<url>https://www.debian.org/security/2015/dsa-3119</url>
</references>
<dates>
<discovery>2015-01-05</discovery>
<entry>2015-01-11</entry>
<modified>2017-02-20</modified>
</dates>
</vuln>
<vuln vid="caa98ffd-0a92-40d0-b234-fd79b429157e">
<topic>cURL -- URL request injection vulnerability</topic>
<affects>
<package>
<name>curl</name>
<range><lt>7.40.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>cURL reports:</p>
<blockquote cite="http://curl.haxx.se/docs/adv_20150108B.html">
<p>When libcurl sends a request to a server via a HTTP proxy, it
copies the entire URL into the request and sends it off.
If the given URL contains line feeds and carriage returns those will
be sent along to the proxy too, which allows the program to for
example send a separate HTTP request injected embedded in the URL.
Many programs allow some kind of external sources to set the URL or
provide partial pieces for the URL to ask for, and if the URL as
received from the user is not stripped good enough this flaw allows
malicious users to do additional requests in a way that was not
intended, or just to insert request headers into the request that
the program didn't intend.
We are not aware of any exploit of this flaw.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-8150</cvename>
<url>http://curl.haxx.se/docs/adv_20150108B.html</url>
</references>
<dates>
<discovery>2014-12-25</discovery>
<entry>2015-01-09</entry>
</dates>
</vuln>
<vuln vid="e9ccdb28-9802-11e4-9d9c-bcaec565249c">
<topic>WebKit-gtk -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>webkit-gtk2</name>
<range><lt>1.4.8</lt></range>
</package>
<package>
<name>webkit-gtk3</name>
<range><lt>1.4.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Webkit release team reports:</p>
<blockquote cite="http://webkitgtk.org/2015/01/07/webkitgtk2.4.8-released.html">
<p>This release fixes the following security issues:
CVE-2014-1344, CVE-2014-1384, CVE-2014-1385, CVE-2014-1386,
CVE-2014-1387, CVE-2014-1388, CVE-2014-1389, CVE-2014-1390.</p>
</blockquote>
</body>
</description>
<references>
<url>http://webkitgtk.org/2015/01/07/webkitgtk2.4.8-released.html</url>
<cvename>CVE-2014-1344</cvename>
<cvename>CVE-2014-1384</cvename>
<cvename>CVE-2014-1385</cvename>
<cvename>CVE-2014-1386</cvename>
<cvename>CVE-2014-1387</cvename>
<cvename>CVE-2014-1388</cvename>
<cvename>CVE-2014-1389</cvename>
<cvename>CVE-2014-1390</cvename>
</references>
<dates>
<discovery>2015-01-07</discovery>
<entry>2015-01-09</entry>
</dates>
</vuln>
<vuln vid="4e536c14-9791-11e4-977d-d050992ecde8">
<topic>OpenSSL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl</name>
<range><ge>1.0.1</ge><lt>1.0.1_17</lt></range>
</package>
<package>
<name>mingw32-openssl</name>
<range><ge>1.0.1</ge><lt>1.0.1k</lt></range>
</package>
<package>
<name>linux-c6-openssl</name>
<range><lt>1.0.1e_3</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.1</ge><lt>10.1_4</lt></range>
<range><ge>10.0</ge><lt>10.0_16</lt></range>
<range><ge>9.3</ge><lt>9.3_8</lt></range>
<range><ge>8.4</ge><lt>8.4_22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL project reports:</p>
<blockquote cite="https://www.openssl.org/news/secadv_20150108.txt">
<p>DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)</p>
<p>DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)</p>
<p>no-ssl3 configuration sets method to NULL (CVE-2014-3569)</p>
<p>ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)</p>
<p>RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)</p>
<p>DH client certificates accepted without verification [Server] (CVE-2015-0205)</p>
<p>Certificate fingerprints can be modified (CVE-2014-8275)</p>
<p>Bignum squaring may produce incorrect results (CVE-2014-3570)</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-15:01.openssl</freebsdsa>
<cvename>CVE-2014-3569</cvename>
<cvename>CVE-2014-3570</cvename>
<cvename>CVE-2014-3571</cvename>
<cvename>CVE-2014-3572</cvename>
<cvename>CVE-2014-8275</cvename>
<cvename>CVE-2015-0204</cvename>
<cvename>CVE-2015-0205</cvename>
<cvename>CVE-2015-0206</cvename>
<url>https://www.openssl.org/news/secadv_20150108.txt</url>
</references>
<dates>
<discovery>2015-01-08</discovery>
<entry>2015-01-08</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="5e135178-8aeb-11e4-801f-0022156e8794">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>3.7.5,1</lt></range>
<range><ge>3.8,1</ge><lt>3.8.5,1</lt></range>
<range><ge>3.9,1</ge><lt>3.9.3,1</lt></range>
<range><ge>4.0,1</ge><lt>4.0.1,1</lt></range>
</package>
<package>
<name>zh-wordpress</name>
<range><lt>3.7.5</lt></range>
<range><ge>3.8</ge><lt>3.8.5</lt></range>
<range><ge>3.9</ge><lt>3.9.3</lt></range>
<range><ge>4.0</ge><lt>4.0.1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<range><lt>3.7.5</lt></range>
<range><ge>3.8</ge><lt>3.8.5</lt></range>
<range><ge>3.9</ge><lt>3.9.3</lt></range>
<range><ge>4.0</ge><lt>4.0.1</lt></range>
</package>
<package>
<name>ja-wordpress</name>
<range><lt>3.7.5</lt></range>
<range><ge>3.8</ge><lt>3.8.5</lt></range>
<range><ge>3.9</ge><lt>3.9.3</lt></range>
<range><ge>4.0</ge><lt>4.0.1</lt></range>
</package>
<package>
<name>ru-wordpress</name>
<range><lt>3.7.5</lt></range>
<range><ge>3.8</ge><lt>3.8.5</lt></range>
<range><ge>3.9</ge><lt>3.9.3</lt></range>
<range><ge>4.0</ge><lt>4.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9039">
<p>wp-login.php in WordPress before 3.7.5, 3.8.x before
3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow
remote attackers to reset passwords by leveraging access to
an e-mail account that received a password-reset message.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038">
<p>wp-includes/http.php in WordPress before 3.7.5, 3.8.x
before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1
allows remote attackers to conduct server-side request
forgery (SSRF) attacks by referring to a 127.0.0.0/8
resource.</p>
</blockquote>
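<p>The SSRF item above turns on the loopback check covering only 127.0.0.1
rather than all of 127.0.0.0/8. The following is an added example (not
WordPress code) of a URL validator for a server-side fetcher that blocks the
whole loopback block, other non-routable ranges, IPv4-mapped IPv6 forms and
the legacy shorthand notations (127.1, 2130706433) that ipaddress rejects but
system resolvers honour. The blocked-range list is this example's own choice.
It checks literal addresses only so that it runs offline; a real fetcher must
also resolve the hostname and apply the same check to every address returned,
and pin that address for the actual connection.</p>

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a server-side fetcher should never reach. Chosen for this example;
# not the project's own list.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",       # the whole loopback block, not just 127.0.0.1
    "0.0.0.0/8",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",    # link-local, including cloud metadata services
    "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_ip_literal(host):
    """Return an IPv4Address/IPv6Address if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    # inet_aton accepts legacy forms such as "127.1", "0177.0.0.1" and
    # "2130706433" that ipaddress does not; resolvers accept them too.
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def is_blocked_ip(host):
    """True if host is an IP literal inside one of the blocked ranges."""
    addr = parse_ip_literal(host)
    if addr is None:
        return False
    # ::ffff:127.0.0.1 is loopback in disguise; unwrap before checking.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_fetch_url(url):
    """Accept only http(s) URLs whose host is not a literal internal address.

    Hostnames that are not IP literals pass here; the caller must resolve
    them and run is_blocked_ip() over each resolved address as well.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if not host:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return False
    return not is_blocked_ip(host)


if __name__ == "__main__":
    for u in ("https://example.com/feed", "http://127.0.0.1/",
              "http://127.5.6.7/", "http://127.1/", "http://2130706433/",
              "http://[::ffff:127.0.0.1]/", "http://169.254.169.254/"):
        print(u, "->", "allowed" if validate_fetch_url(u) else "blocked")
```

<p>Rejecting a single literal such as 127.0.0.1 is exactly the pattern the
advisory describes as bypassable; the check has to be a membership test
against the network range, applied after every alternate spelling of the
address has been normalised.</p>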
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9037">
<p>WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before
3.9.3, and 4.x before 4.0.1 might allow remote attackers to
obtain access to an account idle since 2008 by leveraging an
improper PHP dynamic type comparison for an MD5 hash.</p>
</blockquote>
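<p>The "improper PHP dynamic type comparison" above refers to comparing a
stored legacy MD5 hash against md5($password) with PHP's loose == operator,
which treats two strings of the form 0e followed only by digits as the number
zero and therefore equal. The following is an added example, not WordPress
code, that models that comparison in Python and shows why a legacy hash can be
matched by a password other than the original, alongside the strict
constant-time comparison (what hash_equals() gives you in PHP) that closes
the hole. The numeric-string regex is this example's own approximation of
PHP's rule, and the two "magic" passwords are public examples of strings whose
MD5 hex digest has the 0e...digits shape.</p>

```python
import hashlib
import hmac
import re

# Approximation of PHP's "numeric string" rule: optional whitespace, sign,
# digits with optional fraction, optional exponent. This example's own regex.
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equals(a, b):
    """Model PHP's == on two strings: numeric-looking strings compare as numbers."""
    if _PHP_NUMERIC.match(a) and _PHP_NUMERIC.match(b):
        # "0e12345" parses as 0 * 10**12345 == 0.0, so any two such strings match.
        return float(a) == float(b)
    return a == b


def md5_hex(password):
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def legacy_md5_check_vulnerable(stored_hash, password):
    """The flawed pattern: $stored_hash == md5($password) with loose comparison."""
    return php_loose_equals(stored_hash, md5_hex(password))


def legacy_md5_check_fixed(stored_hash, password):
    """Strict, constant-time comparison; no type juggling, no timing leak."""
    return hmac.compare_digest(stored_hash, md5_hex(password))


# Public examples of strings whose MD5 digest is "0e" followed only by digits.
MAGIC_A = "240610708"
MAGIC_B = "QNKCDZO"

if __name__ == "__main__":
    stored = md5_hex(MAGIC_A)          # a pre-2008 account's stored MD5 hash
    print("stored hash:", stored)
    print("loose, wrong password :", legacy_md5_check_vulnerable(stored, MAGIC_B))
    print("strict, wrong password:", legacy_md5_check_fixed(stored, MAGIC_B))
    print("strict, right password:", legacy_md5_check_fixed(stored, MAGIC_A))
```

<p>The attacker does not need the original password: any input whose digest
also has the 0e...digits shape is accepted by the loose comparison, which is
why only accounts still carrying a legacy MD5 hash were exposed.</p>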
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9036">
<p>Cross-site scripting (XSS) vulnerability in WordPress
before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and
4.x before 4.0.1 allows remote attackers to inject arbitrary
web script or HTML via a crafted Cascading Style Sheets
(CSS) token sequence in a post.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9035">
<p>Cross-site scripting (XSS) vulnerability in Press This in
WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before
3.9.3, and 4.x before 4.0.1 allows remote attackers to
inject arbitrary web script or HTML via unspecified
vectors.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034">
<p>wp-includes/class-phpass.php in WordPress before 3.7.5,
3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1
allows remote attackers to cause a denial of service (CPU
consumption) via a long password that is improperly handled
during hashing, a similar issue to CVE-2014-9016.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9033">
<p>Cross-site request forgery (CSRF) vulnerability in
wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0
allows remote attackers to hijack the authentication of
arbitrary users for requests that reset passwords.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-9033</cvename>
<cvename>CVE-2014-9034</cvename>
<cvename>CVE-2014-9035</cvename>
<cvename>CVE-2014-9036</cvename>
<cvename>CVE-2014-9037</cvename>
<cvename>CVE-2014-9038</cvename>
<cvename>CVE-2014-9039</cvename>
</references>
<dates>
<discovery>2014-11-25</discovery>
<entry>2015-01-05</entry>
</dates>
</vuln>
<vuln vid="c564f9bd-8ba7-11e4-801f-0022156e8794">
<topic>png -- heap overflow for 32-bit builds</topic>
<affects>
<package>
<name>png</name>
<range><ge>1.2.6</ge><lt>1.5.21</lt></range>
<range><ge>1.6</ge><lt>1.6.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>32-bit builds of the PNG library are vulnerable to an unsigned
integer overflow that is triggered by a crafted wide
interlaced image.
The overflow results in heap corruption that will crash the
application and may lead to the controlled overwrite of
selected portions of the process address space.</p>
</body>
</description>
<references>
<url>http://tfpwn.com/files/libpng_heap_overflow_1.6.15.txt</url>
<url>http://codelabs.ru/security/vulns/analysis/libpng/2014-dec-libpng-1.6.15/</url>
</references>
<dates>
<discovery>2014-12-23</discovery>
<entry>2015-01-05</entry>
</dates>
</vuln>
<vuln vid="9575259a-92d5-11e4-bce6-d050992ecde8">
<topic>file -- multiple vulnerabilities</topic>
<affects>
<package>
<name>file</name>
<range><lt>5.21</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>8.4</ge><lt>8.4_20</lt></range>
<range><ge>9.1</ge><lt>9.1_23</lt></range>
<range><ge>9.2</ge><lt>9.2_16</lt></range>
<range><ge>9.3</ge><lt>9.3_6</lt></range>
<range><ge>10.0</ge><lt>10.0_13</lt></range>
<range><ge>10.1</ge><lt>10.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Red Hat reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2014/q4/1056">
<p>Thomas Jarosch of Intra2net AG reported a number of
denial of service issues (resource consumption) in
the ELF parser used by file(1). These issues were
fixed in the 5.21 release of file(1), but by mistake
are missing from the changelog.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-3710</cvename>
<cvename>CVE-2014-8116</cvename>
<cvename>CVE-2014-8117</cvename>
<freebsdsa>SA-14:28.file</freebsdsa>
<url>http://seclists.org/oss-sec/2014/q4/1056</url>
</references>
<dates>
<discovery>2014-12-16</discovery>
<entry>2015-01-02</entry>
</dates>
</vuln>