diff options
Diffstat (limited to 'security/vuxml')
| -rw-r--r-- | security/vuxml/Makefile | 4 | ||||
| -rw-r--r-- | security/vuxml/files/euvd_provider.sh | 69 | ||||
| -rw-r--r-- | security/vuxml/files/mitre_provider.sh | 61 | ||||
| -rw-r--r-- | security/vuxml/files/newentry.sh | 174 | ||||
| -rw-r--r-- | security/vuxml/files/nvd_provider.sh | 72 | ||||
| -rw-r--r-- | security/vuxml/vuln/2025.xml | 643 |
6 files changed, 945 insertions, 78 deletions
diff --git a/security/vuxml/Makefile b/security/vuxml/Makefile index 9a3ef8b7a291..243b5cd5723e 100644 --- a/security/vuxml/Makefile +++ b/security/vuxml/Makefile @@ -102,10 +102,6 @@ newentry: @${ECHO_CMD} 'Also, <gt> tags are usually wrong in ranges. Use <ge> where adequate.' @${ECHO_CMD} @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" "CVE_ID=${CVE_ID}" "SA_ID=${SA_ID}" - @${ECHO_CMD} - @${ECHO_CMD} 'Be sure to get versioning right for PORTEPOCH and remember possible linux-* ports!' - @${ECHO_CMD} 'Also, <gt> tags are usually wrong in ranges. Use <ge> where adequate.' - @${ECHO_CMD} .if defined(VID) && !empty(VID) html: work/${VID}.html diff --git a/security/vuxml/files/euvd_provider.sh b/security/vuxml/files/euvd_provider.sh new file mode 100644 index 000000000000..821d2fcc06a2 --- /dev/null +++ b/security/vuxml/files/euvd_provider.sh @@ -0,0 +1,69 @@ +# Provider for the European Union Vulnerability Database +# https://euvd.enisa.europa.eu/ + +tmp_euvd="" + +init_euvd() { + tmp_euvd=$(mktemp "${TMPDIR:-/tmp}"/euvd_json_data.XXXXXXXXXX) || exit 1 + fetch -q -o "${tmp_euvd}" "https://euvdservices.enisa.europa.eu/api/enisaid?id=${CVE_ID}" || exit 1 +} + +cleanup_euvd() { + rm -f "${tmp_euvd}" 2>/dev/null +} + +get_cvename_from_euvd() { + # EUVD response includes "aliases" (CVE ID if available) + jq -r '.aliases // .id' "${tmp_euvd}" +} + +get_cveurl_from_euvd() { + echo "https://euvd.enisa.europa.eu/ui/vuln/${CVE_ID}" +} + +get_details_from_euvd() { + jq -r '.description // empty | @html' "${tmp_euvd}" | fmt -p -s | sed '1!s/^/\t/' +} + +get_discovery_date_from_euvd() { + raw=$(jq -r '.datePublished // empty' "${tmp_euvd}") + if [ -n "$raw" ]; then + trimmed=$(echo "$raw" | cut -d, -f1-2) + if date -d "$trimmed" "+%Y-%m-%d" >/dev/null 2>&1; then + date -d "$trimmed" "+%Y-%m-%d" + else + date -j -f "%b %d, %Y" "$trimmed" "+%Y-%m-%d" + fi + fi +} + +get_entry_date_from_euvd() { + echo "${entry_date}" +} + + +get_product_name_from_euvd() { + jq -r ' .enisaIdProduct[]?.product?.name ' "${tmp_euvd}" +} + +get_product_range_from_euvd() { + jq -r '.enisaIdProduct[]? | "\(.product_version? | gsub("<";"<") | gsub(">";">") | gsub("&";"&"))"' "${tmp_euvd}" +} + +get_package_name_from_euvd() { + jq -r '.enisaIdProduct[0]?.product?.name // empty' "${tmp_euvd}" +} + +get_references_from_euvd() { + jq -r '.references // empty | @html' "${tmp_euvd}" | tr " " "\n" +} + +get_source_from_euvd() { + jq -r '.assigner // empty | @html' "${tmp_euvd}" +} + +get_topic_from_euvd() { + # Use first sentence of description + jq -r '.description // empty' "${tmp_euvd}" | cut -f1 -d. +} + diff --git a/security/vuxml/files/mitre_provider.sh b/security/vuxml/files/mitre_provider.sh new file mode 100644 index 000000000000..c2b1f8ffa73e --- /dev/null +++ b/security/vuxml/files/mitre_provider.sh @@ -0,0 +1,61 @@ +# Provider for MITRE +# https://www.mitre.org/ + +tmp_mitre="" + +init_mitre() +{ + tmp_mitre=$(mktemp "${TMPDIR:-/tmp}"/mitre.XXXXXXXXXX) || exit 1 + fetch -q -o "${tmp_mitre}" https://cveawg.mitre.org/api/cve/"${CVE_ID}" +} + +cleanup_mitre() +{ + rm "${tmp_mitre}" 2>/dev/null +} + +get_cvename_from_mitre() +{ + cvename="${CVE_ID}" + echo "${cvename}" +} + +get_cveurl_from_mitre() { + echo https://cveawg.mitre.org/api/cve/"${CVE_ID}" +} + +get_details_from_mitre() { + jq -r '.containers?.cna?.descriptions[0]?.value' "${tmp_mitre}" | fmt -p -s +} + +get_discovery_date_from_mitre() { + jq -r '.cveMetadata?.datePublished?' "${tmp_mitre}" | cut -f1 -dT +} + +get_entry_date_from_mitre() { + echo "${entry_date}" +} + +get_product_name_from_mitre() { + jq -r '.containers?.cna?.affected[]?.product' "${tmp_mitre}" +} + +get_product_range_from_mitre() { + jq -r '.containers?.cna?.affected[]??.versions[0]?.lessThan' "${tmp_mitre}" +} + +get_package_name_from_mitre() { + jq -r '.containers?.cna?.affected[0]?.product' "${tmp_mitre}" +} + +get_references_from_mitre() { + jq -r '.containers?.cna?.references[0]?.url' "${tmp_mitre}" | fmt -p -s +} + +get_source_from_mitre() { + jq -r '.containers?.cna?.references[0]?.url' "${tmp_mitre}" +} + +get_topic_from_mitre() { + jq -r ".containers?.cna?.problemTypes[0]?.descriptions[0]?.description" "${tmp_mitre}" +} diff --git a/security/vuxml/files/newentry.sh b/security/vuxml/files/newentry.sh index 0298a5376a9e..4c8b09636112 100644 --- a/security/vuxml/files/newentry.sh +++ b/security/vuxml/files/newentry.sh @@ -15,6 +15,9 @@ if [ -z "${vuxml_file}" ]; then show_usage fi +# ----------------- +# Process arguments +# ----------------- shift while [ $# -gt 0 ]; do case "$1" in @@ -34,27 +37,45 @@ case "$1" in esac done -tmp="`mktemp ${TMPDIR:-/tmp}/vuxml.XXXXXXXXXX`" || exit 1 +tmp=$(mktemp "${TMPDIR:-/tmp}"/vuxml.XXXXXXXXXX) || exit 1 tmp_fbsd_sa="" -tmp_mitre="" -tmp_nvd="" +# ------------------------------------- +# Define how to clean up temporal files +# ------------------------------------- +# doclean="yes" cleanup() { if [ "${doclean}" = "yes" ]; then - rm -f "${tmp}" "${tmp_fbsd_sa}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null + rm -f "${tmp}" "${tmp_fbsd_sa}" > /dev/null fi + + # Call cleaners for providers + for provider in ${providers}; do + cleanup_"${provider}" + cleanup_"${provider}" + done } -trap cleanup EXIT 1 2 13 15 +trap cleanup EXIT HUP INT PIPE TERM -vid="`uuidgen | tr '[:upper:]' '[:lower:]'`" +# ----------------------------- +# Variables with default values +# ----------------------------- +vid="$(uuidgen | tr '[:upper:]' '[:lower:]')" [ -z "$vid" ] && exit 1 + +discovery_date="" cvename="INSERT CVE RECORD IF AVAILABLE" cveurl="INSERT BLOCKQUOTE URL HERE" details="." -discovery="`date -u '+%Y-%m'`-FIXME" || exit 1 -entry="`date -u '+%Y-%m-%d'`" || exit 1 +discovery_date="$(date -u '+%Y-%m')-FIXME" || exit 1 +entry_date="$(date -u '+%Y-%m-%d')" || exit 1 package_name="" +product_name="" +product_range="" +package_list="<package> +<name></name> +<range><lt></lt></range>" references="INSERT URL HERE" topic="" source="SO-AND-SO" @@ -67,38 +88,65 @@ DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\"> </blockquote> </body>" - -# Try to retrieve information if a CVE identifier was provided -if [ -n "${CVE_ID}" ]; then +# -------------------------------- +# Check we have everything we need +# -------------------------------- +check_dependencies() +{ if ! command -v jq > /dev/null; then echo textproc/jq is needed for CVE automatic entry fill exit 1 fi +} + +# ------------------------------------------ +# List of CVE providers sorted by preference +# ------------------------------------------ +providers="mitre nvd euvd" + +# ------------------------------------------ +# List of fields to query for every provider +# ------------------------------------------ +fields="cvename cveurl details discovery_date entry_date product_name product_range package_name references source topic" - # NVD database only accepts uppercase CVE ids, like CVE-2022-39282, NOT - # cve-2022-39282. - CVE_ID=$(echo "${CVE_ID}" | tr '[:lower:]' '[:upper:]') || exit 1 - - # Get information from the NVD database JSON format - tmp_nvd="`mktemp ${TMPDIR:-/tmp}/nvd_json_data.XXXXXXXXXX`" || exit 1 - fetch -q -o "${tmp_nvd}" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}" || exit 1 - # Get information from MITRE database (they provide a nice "topic") - tmp_mitre="`mktemp ${TMPDIR:-/tmp}/mitre.XXXXXXXXXX`" || exit 1 - fetch -q -o "${tmp_mitre}" https://cveawg.mitre.org/api/cve/"${CVE_ID}" - - # Create variables from input and online sources - cvename="${CVE_ID}" - cveurl=https://nvd.nist.gov/vuln/detail/${CVE_ID} - pref=.vulnerabilities[0].cve - details=$(jq -r "${pref}.descriptions[0].value|@html" "${tmp_nvd}" | fmt -p -s | sed '1!s/^/\t/') || exit 1 - discovery=$(jq -r "${pref}.published|@html" "${tmp_nvd}" | cut -f1 -dT) || exit 1 - pref=.vulnerabilities[0].cve.configurations[0].nodes[0].cpeMatch[0] - package_name=$(jq -r "${pref}.criteria|@html" "${tmp_nvd}" | cut -f4 -d:) || exit 1 - upstream_fix=$(jq -r "${pref}.versionEndExcluding|@html" "${tmp_nvd}") || exit 1 - pref=.vulnerabilities[0].cve.references[0] - references=$(jq -r "${pref}.url|@html" "${tmp_nvd}" | tr " " "\n") || exit 1 - source=$(jq -r "${pref}.source|@html" "${tmp_nvd}" | tr " " "\n") || exit 1 - topic=$(jq -r ".containers.cna.title|@html" "${tmp_mitre}" ) || exit 1 +# Some providers only allow for upper case identifiers +CVE_ID=$(echo "${CVE_ID}" | tr '[:lower:]' '[:upper:]') || exit 1 + +# ----------------------------------------------------------------------------- +# Generic resolver +# +# Gets a variable name and the list of providers and returns the value of the +# variable. If the first defined provider returns empty or nullm, it tries with +# the next one until one provider returns a value or we run out of providers +# ----------------------------------------------------------------------------- +resolve_field() { + field="${1}" + shift + providers="$@" + + for provider in $providers; do + func="get_${field}_from_${provider}" + if command -v "${func}" >/dev/null 2>&1; then + value="$($func)" + if [ -n "${value}" ] && [ "${value}" != "null" ] && [ "${value}" != "n/a" ]; then + echo "${value}" + return 0 + fi + else + echo "Warning: function ${func} not implemented in provider ${provider}" + fi + done + echo "null" +} + +# -------------------------------------------------- +# Fill global variables with data from CVE databases +# -------------------------------------------------- +get_cve_info() { + for field in ${fields}; do + value=$(resolve_field "${field}" ${providers}) + eval "${field}=\$value" + done DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\"> <p>${source} reports:</p> @@ -106,14 +154,17 @@ DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\"> <p>${details}</p> </blockquote> </body>" -fi +} -if [ -n "${SA_ID}" ]; then +# ---------------------------------------------------------------- +# Fill global variables with data from FreeBSD Security Advisories +# ---------------------------------------------------------------- +get_sa_info() { SA_URL_BASE=https://www.freebsd.org/security/advisories/ # Get information from the Project's SA site - tmp_fbsd_sa="$(mktemp ${TMPDIR:-/tmp}/fbsd_sa_data.XXXXXXXXXX)" || exit 1 - fetch -q -o "${tmp_fbsd_sa}" ${SA_URL_BASE}${SA_ID} || exit 1 + tmp_fbsd_sa=$(mktemp "${TMPDIR:-/tmp}/fbsd_sa_data.XXXXXXXXXX") || exit 1 + fetch -q -o "${tmp_fbsd_sa}" "${SA_URL_BASE}${SA_ID}" || exit 1 # Create variables from SA note if grep -q 'CVE Name' "${tmp_fbsd_sa}"; then @@ -148,6 +199,40 @@ DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\"> <h1>Impact:</h1> ${impact} </body>" +} + +init_providers() { + for provider in files/*_provider.sh; do + provider_name=$(basename "${provider}" | cut -f1 -d_) + . "files/${provider_name}_provider.sh" + init_"${provider_name}" + done +} + +create_packages_list() { + tmp_prod=$(mktemp "${TMPDIR:-/tmp}"/vuxml.prod.XXXXXXXXXX) || exit 1 + tmp_ver=$(mktemp "${TMPDIR:-/tmp}"/vuxml.ver.XXXXXXXXXX) || exit 1 + printf "%s" "${product_name}" > "${tmp_prod}" + printf "%s" "${product_range}" > "${tmp_ver}" + + package_list=$(paste "${tmp_prod}" "${tmp_ver}" | sed \ + -e 's|\t|</name>\n\t<range><lt>|g' \ + -e 's|^| <package>\n\t<name>|g' \ + -e 's|$|</lt></range>\n </package>|g') + + rm "${tmp_prod}" "${tmp_ver}" 2>/dev/null +} + +# Try to retrieve information if a CVE identifier was provided +if [ -n "${CVE_ID}" ]; then + check_dependencies + init_providers + get_cve_info "${CVE_ID}" + create_packages_list +fi + +if [ -n "${SA_ID}" ]; then + get_sa_info fi awk '/^<\?/,/^<vuxml/ { print }' "${vuxml_file}" >> "${tmp}" || exit 1 @@ -155,21 +240,18 @@ cat << EOF >> "${tmp}" || exit 1 <vuln vid="${vid}"> <topic>${package_name} -- ${topic}</topic> <affects> - <package> - <name>${package_name}</name> - <range><lt>${upstream_fix}</lt></range> - </package> +${package_list} </affects> <description> - ${DESC_BODY} + ${DESC_BODY} </description> <references> <cvename>${cvename}</cvename> <url>${cveurl}</url> </references> <dates> - <discovery>${discovery}</discovery> - <entry>${entry}</entry> + <discovery>${discovery_date}</discovery> + <entry>${entry_date}</entry> </dates> </vuln> diff --git a/security/vuxml/files/nvd_provider.sh b/security/vuxml/files/nvd_provider.sh new file mode 100644 index 000000000000..8a383a7d6752 --- /dev/null +++ b/security/vuxml/files/nvd_provider.sh @@ -0,0 +1,72 @@ +# Provider for the National Vulnerability Database +# https://nvd.nist.gov/ + +tmp_nvd="" + +init_nvd() +{ + tmp_nvd=$(mktemp "${TMPDIR:-/tmp}"/nvd_json_data.XXXXXXXXXX) || exit 1 + fetch -q -o "${tmp_nvd}" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}" || exit 1 +} + +cleanup_nvd() +{ + rm "${tmp_nvd}" 2>/dev/null +} + +get_cvename_from_nvd() +{ + cvename="${CVE_ID}" + echo "${cvename}" +} + +get_cveurl_from_nvd() { + cveurl=https://nvd.nist.gov/vuln/detail/${CVE_ID} + echo "${cveurl}" +} + +get_details_from_nvd() { + pref=".vulnerabilities[0]?.cve?" + jq -r "${pref}.descriptions[0]?.value|@html" "${tmp_nvd}" | fmt -p -s | sed '1!s/^/\t/' +} + +get_discovery_date_from_nvd() { + pref=".vulnerabilities[0]?.cve?" + jq -r "${pref}.published|@html" "${tmp_nvd}" | cut -f1 -dT +} + +get_entry_date_from_nvd() { + echo "${entry_date}" +} + +get_product_name_from_nvd() { + jq -r '.vulnerabilities[]?.cve?.configurations[]?.nodes[]?.cpeMatch[]? | + (.criteria | split(":")[4])' "${tmp_nvd}" +} + +get_product_range_from_nvd() { + jq -r '.vulnerabilities[]?.cve.configurations[]?.nodes[]?.cpeMatch[]?.versionEndExcluding ' "${tmp_nvd}" +} + +get_package_name_from_nvd() { + jq -r '.vulnerabilities[]?.cve?.configurations[]?.nodes[]?.cpeMatch[0]?.criteria' "${tmp_nvd}" | cut -f5 -d: +} + +get_references_from_nvd() { + pref=".vulnerabilities[0]?.cve?.references[0]?" + jq -r "${pref}.url|@html" "${tmp_nvd}" | tr " " "\n" +} + +get_source_from_nvd() +{ + pref=".vulnerabilities[0]?.cve?.references[0]?" + jq -r "${pref}.source|@html" "${tmp_nvd}" | tr " " "\n" +} + +get_topic_from_nvd() { + # NVD does not provide a nice summary. Let's use the first sentence from + # the details instead + pref=".vulnerabilities[0]?.cve?" + jq -r "${pref}.descriptions[0]?.value|@html" "${tmp_nvd}" | cut -f1 -d. +} + diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index fecf38f6543c..033747a96dd5 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml @@ -1,3 +1,590 @@ + <vuln vid="77a0f93a-b71e-11f0-8d86-d7789240c8c2"> + <topic>python 3.9 -- end of life, not receiving security support</topic> + <affects> + <package> + <name>python39</name> + <range><ge>3</ge></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <blockquote cite="https://devguide.python.org/versions/"> + <p>Unsupported versions: [...] End of life: 2025-10-31.</p> + </blockquote> + </body> + </description> + <references> + <url>https://devguide.python.org/versions/</url> + </references> + <dates> + <discovery>2020-10-05</discovery> + <entry>2025-11-01</entry> + </dates> + </vuln> + + <vuln vid="c4fb21e4-b579-11f0-871c-6805ca2fa271"> + <topic>powerdns-recursor -- cache pollution</topic> + <affects> + <package> + <name>powerdns_recursor</name> + <range><lt>5.3.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>PowerDNS Team reports:</p> + <blockquote cite="https://blog.powerdns.com/powerdns-security-advisory-2025-06-2025-10-22"> + <p>It has been brought to our attention that the Recursor does not + apply strict enough validation of received delegation information. + The malicious delegation information can be sent by an attacker + spoofing packets.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-59023</cvename> + <cvename>CVE-2025-59024</cvename> + <url>https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html</url> + </references> + <dates> + <discovery>2025-10-15</discovery> + <entry>2025-10-30</entry> + </dates> + </vuln> + + <vuln vid="7c09fcb7-b5d6-11f0-b3f7-a8a1599412c6"> + <topic>chromium -- multiple security fixes</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>142.0.7444.59</lt></range> + </package> + <package> + <name>ungoogled-chromium</name> + <range><lt>142.0.7444.59</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chrome Releases reports:</p> + <blockquote cite="https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html"> + <p>This update includes 20 security fixes:</p> + <ul> + <li>[447613211] High CVE-2025-12428: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2025-09-26</li> + <li>[450618029] High CVE-2025-12429: Inappropriate implementation in V8. Reported by Aorui Zhang on 2025-10-10</li> + <li>[442860743] High CVE-2025-12430: Object lifecycle issue in Media. Reported by round.about on 2025-09-04</li> + <li>[436887350] High CVE-2025-12431: Inappropriate implementation in Extensions. Reported by Alesandro Ortiz on 2025-08-06</li> + <li>[439522866] High CVE-2025-12432: Race in V8. Reported by Google Big Sleep on 2025-08-18</li> + <li>[449760249] High CVE-2025-12433: Inappropriate implementation in V8. Reported by Google Big Sleep on 2025-10-07</li> + <li>[452296415] High CVE-2025-12036: Inappropriate implementation in V8. Reported by Google Big Sleep on 2025-10-15</li> + <li>[337356054] Medium CVE-2025-12434: Race in Storage. Reported by Lijo A.T on 2024-04-27</li> + <li>[446463993] Medium CVE-2025-12435: Incorrect security UI in Omnibox. Reported by Hafiizh on 2025-09-21</li> + <li>[40054742] Medium CVE-2025-12436: Policy bypass in Extensions. Reported by Luan Herrera (@lbherrera_) on 2021-02-08</li> + <li>[446294487] Medium CVE-2025-12437: Use after free in PageInfo. Reported by Umar Farooq on 2025-09-20</li> + <li>[433027577] Medium CVE-2025-12438: Use after free in Ozone. Reported by Wei Yuan of MoyunSec VLab on 2025-07-20</li> + <li>[382234536] Medium CVE-2025-12439: Inappropriate implementation in App-Bound Encryption. Reported by Ari Novick on 2024-12-04</li> + <li>[430555440] Low CVE-2025-12440: Inappropriate implementation in Autofill. Reported by Khalil Zhani on 2025-07-09</li> + <li>[444049512] Medium CVE-2025-12441: Out of bounds read in V8. Reported by Google Big Sleep on 2025-09-10</li> + <li>[452071845] Medium CVE-2025-12443: Out of bounds read in WebXR. Reported by Aisle Research on 2025-10-15</li> + <li>[390571618] Low CVE-2025-12444: Incorrect security UI in Fullscreen UI. Reported by syrf on 2025-01-18</li> + <li>[428397712] Low CVE-2025-12445: Policy bypass in Extensions. Reported by Thomas Greiner on 2025-06-29</li> + <li>[444932667] Low CVE-2025-12446: Incorrect security UI in SplitView. Reported by Hafiizh on 2025-09-14</li> + <li>[442636157] Low CVE-2025-12447: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2025-09-03</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-12036</cvename> + <cvename>CVE-2025-12428</cvename> + <cvename>CVE-2025-12429</cvename> + <cvename>CVE-2025-12430</cvename> + <cvename>CVE-2025-12431</cvename> + <cvename>CVE-2025-12432</cvename> + <cvename>CVE-2025-12433</cvename> + <cvename>CVE-2025-12434</cvename> + <cvename>CVE-2025-12435</cvename> + <cvename>CVE-2025-12436</cvename> + <cvename>CVE-2025-12437</cvename> + <cvename>CVE-2025-12438</cvename> + <cvename>CVE-2025-12439</cvename> + <cvename>CVE-2025-12440</cvename> + <cvename>CVE-2025-12441</cvename> + <cvename>CVE-2025-12443</cvename> + <cvename>CVE-2025-12444</cvename> + <cvename>CVE-2025-12445</cvename> + <cvename>CVE-2025-12446</cvename> + <cvename>CVE-2025-12447</cvename> + <url>https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html</url> + </references> + <dates> + <discovery>2025-10-29</discovery> + <entry>2025-10-30</entry> + </dates> + </vuln> + + <vuln vid="291773e6-b5b2-11f0-8f61-b42e991fc52e"> + <topic>Firefox -- use-after-free in the GPU or browser process</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>144.0.2,2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1993113 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1993113"> + <p>Starting with Firefox 142, it was possible for a + compromised child process to trigger a use-after-free in the + GPU or browser process using WebGPU-related IPC calls. + This may have been usable to escape the child process + sandbox.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-12380</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-12380</url> + </references> + <dates> + <discovery>2025-10-28</discovery> + <entry>2025-10-30</entry> + </dates> + </vuln> + + <vuln vid="237f4f57-b50f-11f0-ae9b-b42e991fc52e"> + <topic>Erlang - Absolute Path in Zip Module</topic> + <affects> + <package> + <name>erlang</name> + <range><ge>17.0</ge><lt>26.2.5.13,4</lt></range> + </package> + <package> + <name>erlang-runtime26</name> + <range><lt>26.2.5.13</lt></range> + </package> + <package> + <name>erlang-runtime27</name> + <range><lt>27.3.4.1</lt></range> + </package> + <package> + <name>erlang-runtime28</name> + <range><lt>28.0.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc reports:</p> + <blockquote cite="https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc"> + <p>Improper Limitation of a Pathname to a Restricted + Directory ('Path Traversal') vulnerability in Erlang OTP + (stdlib modules) allows Absolute Path Traversal, File Manipulation. + This vulnerability is associated with program files lib/stdlib/src/zip.erl + and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, + zip:extract/2unless the memory option is passed. This issue + affects OTP from OTP 17.0 until OTP28.0.1, OTP27.3.4.1 and + OTP26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, + 6.2.2.1 and 5.2.3.4.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-4748</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-4748</url> + </references> + <dates> + <discovery>2025-06-16</discovery> + <entry>2025-10-29</entry> + </dates> + </vuln> + + <vuln vid="55c4e822-b4e4-11f0-8438-001b217e4ee5"> + <topic>ISC KEA -- Invalid characters cause assert</topic> + <affects> + <package> + <name>kea</name> + <range><ge>3.0.1</ge><lt>3.0.2</lt></range> + </package> + <package> + <name>kea-devel</name> + <range><ge>3.1.1</ge><lt>3.1.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Internet Systems Consortium, Inc. reports:</p> + <blockquote cite="https://kb.isc.org/docs/cve-2025-11232"> + <p>To trigger the issue, three configuration parameters + must have specific settings: "hostname-char-set" must be + left at the default setting, which is "[^A-Za-z0-9.-]"; + "hostname-char-replacement" must be empty (the default); + and "ddns-qualifying-suffix" must NOT be empty (the default is empty). + DDNS updates do not need to be enabled for this issue to manifest. + A client that sends certain option content would then + cause kea-dhcp4 to exit unexpectedly. + This addresses CVE-2025-11232 [#4142, #4155].</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11232</cvename> + <url>https://kb.isc.org/docs/cve-2025-11232</url> + </references> + <dates> + <discovery>2025-10-29</discovery> + <entry>2025-10-29</entry> + </dates> + </vuln> + + <vuln vid="c5889223-b4e1-11f0-ae9b-b42e991fc52e"> + <topic>SQLite -- CWE-190 Integer Overflow or Wraparound</topic> + <affects> + <package> + <name>sqlite3</name> + <range><lt>3.50.3,1</lt></range> + </package> + <package> + <name>linux_base-rl9-9.6</name> + <range><le>9.6_1</le></range> + </package> + <package> + <name>linux-c7-sqlite</name> + <range><lt>3.50.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g reports:</p> + <blockquote cite="https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g"> + <p>An integer overflow exists in the FTS5 https://sqlite.org/fts5.html + extension. It occurs when the size of an array of tombstone + pointers is calculated and truncated into a 32-bit integer. + A pointer to partially controlled data can then be written + out of bounds.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-7709</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-7709</url> + </references> + <dates> + <discovery>2025-09-08</discovery> + <entry>2025-10-29</entry> + </dates> + </vuln> + + <vuln vid="3116b6f3-b433-11f0-82ac-901b0edee044"> + <topic>py-social-auth-app-django -- Unsafe account association</topic> + <affects> + <package> + <name>py39-social-auth-app-django</name> + <name>py310-social-auth-app-django</name> + <name>py311-social-auth-app-django</name> + <name>py312-social-auth-app-django</name> + <range><lt>5.4.3_1</lt></range> + </package> + <package> + <name>py310-dj51-social-auth-app-django</name> + <name>py311-dj51-social-auth-app-django</name> + <name>py312-dj51-social-auth-app-django</name> + <range><lt>5.6.0</lt></range> + </package> + <package> + <name>py310-dj52-social-auth-app-django</name> + <name>py311-dj52-social-auth-app-django</name> + <name>py312-dj52-social-auth-app-django</name> + <range><lt>5.6.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Michal Čihař reports:</p> + <blockquote cite="https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg"> + <p>Upon authentication, the user could be associated by e-mail even if the + associate_by_email pipeline was not included. This could lead to account + compromise when a third-party authentication service does not validate + provided e-mail addresses or doesn't require unique e-mail addresses.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-61783</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-61783</url> + </references> + <dates> + <discovery>2025-10-09</discovery> + <entry>2025-10-29</entry> + </dates> + </vuln> + + <vuln vid="2cd61f76-b41b-11f0-bf21-b42e991fc52e"> + <topic>SQLite -- Integer Overflow vulnerability</topic> + <affects> + <package> + <name>sqlite3</name> + <range><lt>3.50.1,1</lt></range> + </package> + <package> + <name>linux_base-rl9-9.6</name> + <range><le>9.6_1</le></range> + </package> + <package> + <name>linux-c7-sqlite</name> + <range><lt>3.50.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>http://sqlite3.com reports:</p> + <blockquote cite="http://sqlite3.com"> + <p>Integer Overflow vulnerability in SQLite SQLite3 v.3.50.0 + allows a remote attacker to cause a denial of service via + the setupLookaside function</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-52099</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-52099</url> + </references> + <dates> + <discovery>2025-10-24</discovery> + <entry>2025-10-28</entry> + </dates> + </vuln> + + <vuln vid="a8dacd4b-b416-11f0-9f23-ecf4bbefc954"> + <topic>privatebin - Missing HTML sanitisation of attached filename in file size hint enabling persistent XSS</topic> + <affects> + <package> + <name>privatebin</name> + <range><lt>2.0.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>PrivateBin reports:</p> + <blockquote cite="https://privatebin.info/reports/vulnerability-2025-10-28.html"> + <p>We've identified an HTML injection/XSS vulnerability in the PrivateBin + service that allows the injection of arbitrary HTML markup via the attached + filename.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-62796</cvename> + <url>https://www.cve.org/CVERecord?id=CVE-2025-62796</url> + </references> + <dates> + <discovery>2025-10-23</discovery> + <entry>2025-10-28</entry> + </dates> + </vuln> + + <vuln vid="1f1cf967-b35c-11f0-bce7-bc2411002f50"> + <topic>strongSwan -- Heap-based buffer overflow in eap-mschapv2 plugin due to improper handling of failure request packets</topic> + <affects> + <package> + <name>strongswan</name> + <range><ge>4.2.12</ge><lt>6.0.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Xu Biang reports:</p> + <blockquote cite="https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-(cve-2025-62291).html"> + <p>The eap-mschapv2 plugin doesn't correctly check the length of an EAP-MSCHAPv2 Failure Request packet on the client, + which can cause an integer underflow that leads to a crash and, depending on the compiler options, even a heap-based + buffer overflow that's potentially exploitable for remote code execution. Affected are all strongSwan versions since 4.2.12.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-62291</cvename> + <url>https://www.cve.org/CVERecord?id=CVE-2025-62291</url> + </references> + <dates> + <discovery>2025-10-27</discovery> + <entry>2025-10-27</entry> + </dates> + </vuln> + + <vuln vid="823b4e48-b340-11f0-b3f7-a8a1599412c6"> + <topic>chromium -- security fix</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>141.0.7390.122</lt></range> + </package> + <package> + <name>ungoogled-chromium</name> + <range><lt>141.0.7390.122</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chrome Releases reports:</p> + <blockquote cite="https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_21.html"> + <p>This update includes 1 security fix:</p> + <ul> + <li>[452296415] High CVE-2025-12036: Inappropriate implementation in V8. Reported by Google Big Sleep on 2025-10-15</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-12036</cvename> + <url>https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_21.html</url> + </references> + <dates> + <discovery>2025-10-21</discovery> + <entry>2025-10-27</entry> + </dates> + </vuln> + + <vuln vid="ea1c485f-b025-11f0-bce7-bc2411002f50"> + <topic>unbound -- Possible domain hijacking via promiscuous records in the authority section</topic> + <affects> + <package> + <name>unbound</name> + <range><lt>1.24.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>sep@nlnetlabs.nl reports:</p> + <blockquote cite="https://www.nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt"> + <p>NLnet Labs Unbound up to and including version 1.24.0 is vulnerable + to possible domain hijack attacks. Promiscuous NS RRSets that + complement positive DNS replies in the authority section can be + used to trick resolvers to update their delegation information for + the zone. Usually these RRSets are used to update the resolver's + knowledge of the zone's name servers. A malicious actor can + exploit the possible poisonous effect by injecting NS RRSets (and + possibly their respective address records) in a reply. This could + be done for example by trying to spoof a packet or fragmentation + attacks. Unbound would then proceed to update the NS RRSet data + it already has since the new data has enough trust for it, i.e., + in-zone data for the delegation point. Unbound 1.24.1 includes a + fix that scrubs unsolicited NS RRSets (and their respective address + records) from replies mitigating the possible poison effect.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11411</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11411</url> + </references> + <dates> + <discovery>2025-10-22</discovery> + <entry>2025-10-23</entry> + </dates> + </vuln> + + <vuln vid="269c2de7-afaa-11f0-b4c8-792b26d8a051"> + <topic>RT -- XSS via calendar invitations</topic> + <affects> + <package> + <name>rt60</name> + <name>rt50</name> + <range><ge>6.0.0</ge><lt>6.0.2</lt></range> + <range><ge>5.0.4</ge><lt>5.0.9</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Mateusz Szymaniec and CERT Polska Reports:</p> + <blockquote cite="https://github.com/bestpractical/rt/releases/tag/rt-6.0.2"> + <p>RT is vulnerable to XSS via calendar invitations added to a + ticket. Thanks to Mateusz Szymaniec and CERT Polska for + reporting this finding.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-9158</cvename> + <url>https://github.com/bestpractical/rt/releases/tag/rt-6.0.2</url> + </references> + <dates> + <discovery>2025-10-23</discovery> + <entry>2025-10-23</entry> + </dates> + </vuln> + + <vuln vid="b374df95-afa8-11f0-b4c8-792b26d8a051"> + <topic>RT -- CSV injection</topic> + <affects> + <package> + <name>rt60</name> + <name>rt50</name> + <name>rt44</name> + <range><ge>6.0.0</ge><lt>6.0.2</lt></range> + <range><ge>5.0.0</ge><lt>5.0.9</lt></range> + <range><ge>4.4.0</ge><lt>4.4.9</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Gareth Watkin-Jones from 4armed reports:</p> + <blockquote cite="https://github.com/bestpractical/rt/releases/tag/rt-6.0.2"> + <p>RT is vulnerable to CSV injection via ticket values with + special characters that are exported to a TSV from search + results. Thanks to Gareth Watkin-Jones from 4armed for + reporting this finding.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-61873</cvename> + <url>https://github.com/bestpractical/rt/releases/tag/rt-6.0.2</url> + </references> + <dates> + <discovery>2025-10-23</discovery> + <entry>2025-10-23</entry> + </dates> + </vuln> + + <vuln vid="114cc98b-afad-11f0-af12-bc241121aa0a"> + <topic>FreeBSD -- SO_REUSEPORT_LB breaks connect(2) for UDP sockets</topic> + <affects> + <package> + <name>FreeBSD-kernel</name> + <range><ge>14.3</ge><lt>14.3_5</lt></range> + <range><ge>13.5</ge><lt>13.5_6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>Problem Description:</h1> + <p>Connected sockets are not intended to belong to load-balancing + groups. However, the kernel failed to check the connection state + of sockets when adding them to load-balancing groups. Furthermore, + when looking up the destination socket for an incoming packet, the + kernel will match a socket belonging to a load-balancing group even + if it is connected.</p> + <p>Connected sockets are only supposed to receive packets originating + from the connected host. The above behavior violates this contract.</p> + <h1>Impact:</h1> + <p>Software which sets SO_REUSEPORT_LB on a socket and then connects + it to a host will not observe any problems. However, due to its + membership in a load-balancing group, that socket will receive + packets originating from any host. This breaks the contract of the + connect(2) and implied connect via sendto(2), and may leave the + application vulnerable to spoofing attacks.</p> + </body> + </description> + <references> + <cvename>CVE-2025-24934</cvename> + <freebsdsa>SA-25:09.netinet</freebsdsa> + </references> + <dates> + <discovery>2025-10-22</discovery> + <entry>2025-10-23</entry> + </dates> + </vuln> + <vuln vid="f741ea93-af61-11f0-98b5-2cf05da270f3"> <topic>Gitlab -- vulnerabilities</topic> <affects> @@ -2501,7 +3088,7 @@ <affects> <package> <name>sqlite3</name> - <range><lt>3.49.1</lt></range> + <range><lt>3.49.1,1</lt></range> </package> <package> <name>linux_base-rl9-9.6</name> @@ -3161,7 +3748,7 @@ <affects> <package> <name>sqlite3</name> - <range><lt>3.49.1</lt></range> + <range><lt>3.49.1,1</lt></range> </package> <package> <name>linux-c7-sqlite</name> @@ -3180,7 +3767,7 @@ function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap - Buffer overflow of size ~4GB can be triggered. This can result in + Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.</p> </blockquote> </body> @@ -4304,7 +4891,7 @@ i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing - queries to accommodate for different outgoing ECS information. This + queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.</p> @@ -5959,7 +6546,7 @@ by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on - the affected software. Although unproven, there is also a possibility + the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.</p> </blockquote> @@ -6317,7 +6904,7 @@ <body xmlns="http://www.w3.org/1999/xhtml"> <p>secalert@redhat.com reports:</p> <blockquote cite="https://access.redhat.com/errata/RHSA-2025:4450"> - <p>A flaw was found in Yelp. The Gnome user help application allows + <p>A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.</p> @@ -6346,7 +6933,7 @@ <body xmlns="http://www.w3.org/1999/xhtml"> <p>secalert@redhat.com reports:</p> <blockquote cite="https://access.redhat.com/errata/RHSA-2025:4450"> - <p>A flaw was found in Yelp. The Gnome user help application allows + <p>A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.</p> @@ -6764,7 +7351,7 @@ <p>zdi-disclosures@trendmicro.com reports:</p> <blockquote cite="https://www.zerodayinitiative.com/advisories/ZDI-25-204/"> <p>GIMP FLI File Parsing Out-Of-Bounds Write Remote Code Execution - Vulnerability. This vulnerability allows remote attackers to execute + Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. @@ -6799,7 +7386,7 @@ <p>zdi-disclosures@trendmicro.com reports:</p> <blockquote cite="https://www.zerodayinitiative.com/advisories/ZDI-25-203/"> <p>GIMP XWD File Parsing Integer Overflow Remote Code Execution - Vulnerability. This vulnerability allows remote attackers to execute + Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. @@ -6970,7 +7557,7 @@ <li>[417169470] High CVE-2025-5280: Out of bounds write in V8. Reported by [pwn2car] on 2025-05-12</li> <li>[40058068] Medium CVE-2025-5064: Inappropriate implementation in Background Fetch API. Reported by Maurice Dauer on 2021-11-29</li> <li>[40059071] Medium CVE-2025-5065: Inappropriate implementation in FileSystemAccess API. Reported by NDevTK on 2022-03-11</li> - <li>[356658477] Medium CVE-2025-5066: Inappropriate implementation in Messages. Reported by Mohit Raj (shadow2639) on 2024-07-31</li> + <li>[356658477] Medium CVE-2025-5066: Inappropriate implementation in Messages. Reported by Mohit Raj (shadow2639) on 2024-07-31</li> <li>[417215501] Medium CVE-2025-5281: Inappropriate implementation in BFCache. Reported by Jesper van den Ende (Pelican Party Studios) on 2025-05-12</li> <li>[419467315] Medium CVE-2025-5283: Use after free in libvpx. Reported by Mozilla on 2025-05-22</li> <li>[40075024] Low CVE-2025-5067: Inappropriate implementation in Tab Strip. Reported by Khalil Zhani on 2023-10-17</li> @@ -7201,7 +7788,7 @@ special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available - at pull request 3389 and expected to be part of version 2.9.9. No + at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available.</p> </blockquote> </body> @@ -7454,7 +8041,7 @@ <p>A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend - plugin that will execute arbitrary JavaScript. This vulnerability + plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve @@ -7503,7 +8090,7 @@ `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your - usage is not affected. To work-around this issue you may stop + usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.</p> </blockquote> @@ -9877,7 +10464,7 @@ <p>cna@mongodb.com reports:</p> <blockquote cite="https://jira.mongodb.org/browse/SERVER-103153"> <p>When run on commands with certain arguments set, explain may fail - to validate these arguments before using them. This can lead to + to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to 7.0.16 and MongoDB Server v8.0 prior to 8.0.4</p> @@ -10030,8 +10617,8 @@ responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity - issues, or the client was configured with aggressive timeouts. The - problem occurs for multiple use cases. For sticky connections, you + issues, or the client was configured with aggressive timeouts. The + problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned @@ -10048,7 +10635,7 @@ Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's - argument), with a constant factor of about 16. This issue is fixed + argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.</p> </blockquote> </body> @@ -10097,12 +10684,12 @@ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1945392"> <p>An inconsistent comparator in xslt/txNodeSorter could have resulted in potentially exploitable out-of-bounds access. Only affected - version 122 and later. This vulnerability affects Firefox < + version 122 and later. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8.</p> <p>Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed - (distinct from CVE-2025-0245). This vulnerability affects Firefox + (distinct from CVE-2025-0245). This vulnerability affects Firefox < 136.</p> <p>When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result @@ -10703,7 +11290,7 @@ <p>LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was - added. In the affected versions of LibreOffice a link in a browser + added. In the affected versions of LibreOffice a link in a browser using that scheme could be constructed with an embedded inner URL that when passed to LibreOffice could call internal macros with arbitrary arguments. This issue affects LibreOffice: from 24.8 @@ -10858,13 +11445,13 @@ <body xmlns="http://www.w3.org/1999/xhtml"> <p>security-advisories@github.com reports:</p> <blockquote cite="https://github.com/pallets/jinja/commit/90457bbf33b8662926ae65cdde4c4c32e756e403"> - <p>Jinja is an extensible templating engine. Prior to 3.1.6, an + <p>Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using - Jinja. This vulnerability impacts users of applications which + Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference @@ -11094,9 +11681,9 @@ <blockquote cite="https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98"> <p>Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth - token. Prior to version 2.25.1, the file created has `rw-r--r--` + token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to - `rw-------` (600) permissions. This leads to overly broad exposure + `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify @@ -11947,7 +12534,7 @@ opened in normal browsing windows. This could have resulted in a potential privacy leak.</p> <p>Certificate length was not properly checked when added to a certificate - store. In practice only trusted data was processed.</p> + store. In practice only trusted data was processed.</p> <p>Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some @@ -12037,7 +12624,7 @@ use-after-free.</p> <p>Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird - 128.6. Some of these bugs showed evidence of memory corruption and + 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.</p> </blockquote> @@ -12148,7 +12735,7 @@ <li>CVE-2018-20547: Illegal READ memory access at caca/dither.c</li> <li>CVE-2018-20548: Illegal WRITE memory access at common-image.c</li> <li>CVE-2018-20549: Illegal WRITE memory access at caca/file.c</li> - <li>CVE-2021-3410: Buffer overflow in libcaca/caca/canvas.c in function caca_resize</li> + <li>CVE-2021-3410: Buffer overflow in libcaca/caca/canvas.c in function caca_resize</li> <li>CVE-2021-30498: Heap buffer overflow in export.c in function export_tga</li> <li>CVE-2021-30499: Buffer overflow in export.c in function export_troff</li> </ul> @@ -12436,7 +13023,7 @@ can be made to panic by mounting and accessing the export with an NFS client. Further exploitation (e.g., bypassing file permission checking or remote kernel code execution) is potentially possible, - though this has not been demonstrated. In particular, release + though this has not been demonstrated. In particular, release kernels are compiled with stack protection enabled, and some instances of the overflow are caught by this mechanism, causing a panic.</p> </body> |