Date: Wed, 23 Jun 2021 14:34:55 GMT
From: Li-Wen Hsu <lwhsu@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: 6954792fe916 - main - security/vuxml: Create 2021 entity
Message-ID: <202106231434.15NEYt8X013921@gitrepo.freebsd.org>
The branch main has been updated by lwhsu:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6954792fe916862afd25cf6ce961bd7062dfb21f

commit 6954792fe916862afd25cf6ce961bd7062dfb21f
Author: Li-Wen Hsu <lwhsu@FreeBSD.org>
AuthorDate: 2021-06-23 14:34:34 +0000
Commit: Li-Wen Hsu <lwhsu@FreeBSD.org>
CommitDate: 2021-06-23 14:34:34 +0000

security/vuxml: Create 2021 entity

Let's create a new entity at the beginning of each year and append to it, instead of massive copying at the end of each year.

--- security/vuxml/files/tidy.xsl | 1 + security/vuxml/vuln-2021.xml | 6374 ++++++++++++++++++++++++++++++++++++++++ security/vuxml/vuln.xml | 6377 +--------------------------------------- 3 files changed, 6377 insertions(+), 6375 deletions(-) diff --git a/security/vuxml/files/tidy.xsl b/security/vuxml/files/tidy.xsl index 8ca03fb4de1b..8bf948a94b6e 100644 --- a/security/vuxml/files/tidy.xsl +++ b/security/vuxml/files/tidy.xsl @@ -43,6 +43,7 @@ result in more namespace declarations than we wish. <!ENTITY vuln-2018 SYSTEM "vuln-2018.xml"> <!ENTITY vuln-2019 SYSTEM "vuln-2019.xml"> <!ENTITY vuln-2020 SYSTEM "vuln-2020.xml"> +<!ENTITY vuln-2021 SYSTEM "vuln-2021.xml"> ]> ]]></xsl:text> <xsl:apply-templates /> diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml new file mode 100644 index 000000000000..54bd2e2f0caa --- /dev/null +++ b/security/vuxml/vuln-2021.xml 
@@ -0,0 +1,6374 @@ + <vuln vid="f3fc2b50-d36a-11eb-a32c-00a0989e4ec1"> + <topic>dovecot-pigeonhole -- Sieve excessive resource usage</topic> + <affects> + <package> + <name>dovecot-pigeonhole</name> + <range><lt>2.3.15</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Dovecot team reports reports:</p> + <blockquote cite="https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html"> + <p>Sieve interpreter is not protected against abusive + scripts that claim excessive resource usage. Fixed by limiting the + user CPU time per single script execution and cumulatively over + several script runs within a configurable timeout period. Sufficiently + large CPU time usage is summed in the Sieve script binary and execution + is blocked when the sum exceeds the limit within that time. The block + is lifted when the script is updated after the resource usage times out.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2020-28200</cvename> + <url>https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html</url> + </references> + <dates> + <discovery>2020-09-23</discovery> + <entry>2021-06-22</entry> + </dates> + </vuln> + + <vuln vid="d18f431d-d360-11eb-a32c-00a0989e4ec1"> + <topic>dovecot -- multiple vulnerabilities</topic> + <affects> + <package> + <name>dovecot</name> + <range><ge>2.3.11</ge><lt>2.3.14.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Dovecot team reports:</p> + <blockquote cite="https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html"> + <p>CVE-2021-29157: Dovecot does not correctly escape kid and azp + fields in JWT tokens. + This may be used to supply attacker controlled keys to validate + tokens in some configurations. 
This requires attacker + to be able to write files to + local disk.</p> + </blockquote> + <blockquote cite="https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html"> + <p>CVE-2021-33515: On-path attacker could inject plaintext commands + before STARTTLS negotiation that would be executed after STARTTLS + finished with the client. Only the SMTP submission service is + affected.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-29157</cvename> + <url>https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html</url> + <cvename>CVE-2021-33515</cvename> + <url>>https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html</url> + </references> + <dates> + <discovery>2021-03-22</discovery> + <entry>2021-06-22</entry> + </dates> + </vuln> + + <vuln vid="0e561c06-d13a-11eb-92be-0800273f11ea"> + <topic>gitea -- multiple vulnerabilities</topic> + <affects> + <package> + <name>gitea</name> + <range><lt>1.14.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Gitea Team reports for release 1.14.3:</p> + <blockquote cite="https://blog.gitea.io/2021/06/gitea-1.14.3-is-released/"> + <ul> + <li>Encrypt migration credentials at rest (#15895) (#16187)</li> + <li>Only check access tokens if they are likely to be tokens + (#16164) (#16171)</li> + <li>Add missing SameSite settings for the i_like_gitea cookie + (#16037) (#16039)</li> + <li>Fix setting of SameSite on cookies (#15989) (#15991)</li> + </ul> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/go-gitea/gitea/releases/tag/v1.14.3</url> + <freebsdpr>ports/256720</freebsdpr> + </references> + <dates> + <discovery>2021-05-16</discovery> + <entry>2021-06-19</entry> + </dates> + </vuln> + + <vuln vid="afdc7579-d023-11eb-bcad-3065ec8fd3ec"> + <topic>chromium -- multiple vulnerabilities</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>91.0.4472.114</lt></range> + </package> 
+ </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chrome Releases reports:</p> + <blockquote cite="https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html"> + <p>This release includes 4 security fixes, including:</p> + <ul> + <li>[1219857] High CVE-2021-30554: Use after free in WebGL. Reported + by anonymous on 2021-06-15</li> + <li>[1215029] High CVE-2021-30555: Use after free in Sharing. + Reported by David Erceg on 2021-06-01</li> + <li>[1212599] High CVE-2021-30556: Use after free in WebAudio. + Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-24</li> + <li>[1202102] High CVE-2021-30557: Use after free in TabGroups. + Reported by David Erceg on 2021-04-23</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-30554</cvename> + <cvename>CVE-2021-30555</cvename> + <cvename>CVE-2021-30556</cvename> + <cvename>CVE-2021-30557</cvename> + <url>https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html</url> + </references> + <dates> + <discovery>2021-06-17</discovery> + <entry>2021-06-18</entry> + </dates> + </vuln> + + <vuln vid="9f27ac74-cdee-11eb-930d-fc4dd43e2b6a"> + <topic>ircII -- denial of service</topic> + <affects> + <package> + <name>ircii</name> + <range><lt>20210314</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Michael Ortmann reports:</p> + <blockquote cite="https://www.openwall.com/lists/oss-security/2021/03/24/2"> + <p>ircii has a bug in parsing CTCP UTC messages.</p> + <p>Its unknown if this could also be used for arbitrary code execution.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-29376</cvename> + <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29376</url> + </references> + <dates> + <discovery>2021-03-02</discovery> + <entry>2021-03-30</entry> + </dates> + </vuln> + + <vuln 
vid="cce76eca-ca16-11eb-9b84-d4c9ef517024"> + <topic>Apache httpd -- Multiple vulnerabilities</topic> + <affects> + <package> + <name>apache24</name> + <range><lt>2.4.48</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Apache httpd reports:</p> + <blockquote cite="https://httpd.apache.org/security/vulnerabilities_24.html"> + <ul> + <li>moderate: mod_proxy_wstunnel tunneling of non Upgraded + connections (CVE-2019-17567)</li> + <li>moderate: Improper Handling of Insufficient Privileges + (CVE-2020-13938)</li> + <li>low: mod_proxy_http NULL pointer dereference + (CVE-2020-13950)</li> + <li>low: mod_auth_digest possible stack overflow by one nul byte + (CVE-2020-35452)</li> + <li>low: mod_session NULL pointer dereference (CVE-2021-26690)</li> + <li>low: mod_session response handling heap overflow (CVE-2021-26691)</li> + <li>moderate: Unexpected URL matching with 'MergeSlashes OFF' + (CVE-2021-30641)</li> + <li>important: NULL pointer dereference on specially crafted HTTP/2 + request (CVE-2021-31618)</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2019-17567</cvename> + <cvename>CVE-2020-13938</cvename> + <cvename>CVE-2020-13950</cvename> + <cvename>CVE-2020-35452</cvename> + <cvename>CVE-2021-26690</cvename> + <cvename>CVE-2021-26691</cvename> + <cvename>CVE-2021-30641</cvename> + <cvename>CVE-2021-31618</cvename> + <url>https://httpd.apache.org/security/vulnerabilities_24.html</url> + </references> + <dates> + <discovery>2021-06-09</discovery> + <entry>2021-06-10</entry> + </dates> + </vuln> + + <vuln vid="c9e2a1a7-caa1-11eb-904f-14dae9d5a9d2"> + <topic>dragonfly -- argument injection</topic> + <affects> + <package> + <name>rubygem-dragonfly</name> + <range><lt>2.4.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>NVD reports:</p> + <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2021-33564"> + <p>An 
argument injection vulnerability in the Dragonfly + gem before 1.4.0 for Ruby allows remote attackers to read + and write to arbitrary files via a crafted URL when the + verify_url option is disabled. This may lead to code + execution. The problem occurs because the generate and + process features mishandle use of the ImageMagick convert + utility.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-33564</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2021-33564</url> + <url>https://github.com/mlr0p/CVE-2021-33564</url> + <url>https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/</url> + <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33564</url> + </references> + <dates> + <discovery>2021-05-24</discovery> + <entry>2021-06-11</entry> + </dates> + </vuln> + + <vuln vid="e4cd0b38-c9f9-11eb-87e1-08002750c711"> + <topic>cacti -- SQL Injection was possible due to incorrect validation order</topic> + <affects> + <package> + <name>cacti</name> + <range><ge>1.2</ge><lt>1.2.17</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Cati team reports:</p> + <blockquote cite="https://github.com/Cacti/cacti/issues/4022"> + <p>Due to a lack of validation, data_debug.php can be the source of a SQL injection.</p> + </blockquote> + </body> + </description> + <references> + <cvename>2020-35701</cvename> + <url>https://github.com/Cacti/cacti/issues/4022</url> + </references> + <dates> + <discovery>2020-12-24</discovery> + <entry>2021-06-10</entry> + </dates> + </vuln> + + <vuln vid="20b3ab21-c9df-11eb-8558-3065ec8fd3ec"> + <topic>chromium -- multiple vulnerabilities</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>91.0.4472.101</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chrome Releases reports:</p> + <blockquote 
cite="https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html"> + <p>This release contains 14 security fixes, including:</p> + <ul> + <li>[1212618] Critical CVE-2021-30544: Use after free in BFCache. + Reported by Rong Jian and Guang Gong of 360 Alpha Lab on + 2021-05-24</li> + <li>[1201031] High CVE-2021-30545: Use after free in Extensions. + Reported by kkwon with everpall and kkomdal on 2021-04-21</li> + <li>[1206911] High CVE-2021-30546: Use after free in Autofill. + Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability + Research on 2021-05-08</li> + <li>[1210414] High CVE-2021-30547: Out of bounds write in ANGLE. + Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on + 2021-05-18</li> + <li>[1210487] High CVE-2021-30548: Use after free in Loader. + Reported by Yangkang(@dnpushme) & Wanglu of Qihoo360 Qex Team + on 2021-05-18</li> + <li>[1212498] High CVE-2021-30549: Use after free in Spell check. + Reported by David Erceg on 2021-05-23</li> + <li>[1212500] High CVE-2021-30550: Use after free in Accessibility. + Reported by David Erceg on 2021-05-23</li> + <li>[1216437] High CVE-2021-30551: Type Confusion in V8. Reported by + Sergei Glazunov of Google Project Zero on 2021-06-04</li> + <li>[1200679] Medium CVE-2021-30552: Use after free in Extensions. + Reported by David Erceg on 2021-04-20</li> + <li>[1209769] Medium CVE-2021-30553: Use after free in Network + service. 
Reported by Anonymous on 2021-05-17</li> + </ul> + <p>Google is aware that an exploit for CVE-2021-30551 exists in the + wild.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-30544</cvename> + <cvename>CVE-2021-30545</cvename> + <cvename>CVE-2021-30546</cvename> + <cvename>CVE-2021-30547</cvename> + <cvename>CVE-2021-30548</cvename> + <cvename>CVE-2021-30549</cvename> + <cvename>CVE-2021-30550</cvename> + <cvename>CVE-2021-30551</cvename> + <cvename>CVE-2021-30552</cvename> + <cvename>CVE-2021-30553</cvename> + <url>https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html</url> + </references> + <dates> + <discovery>2021-06-10</discovery> + <entry>2021-06-10</entry> + </dates> + </vuln> + + <vuln vid="fc1bcbca-c88b-11eb-9120-f02f74d0e4bd"> + <topic>dino -- Path traversal in Dino file transfers</topic> + <affects> + <package> + <name>dino</name> + <range><lt>0.2.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Dino team reports:</p> + <blockquote cite="https://dino.im/security/cve-2021-33896/"> + <p>It was discovered that when a user receives and downloads + a file in Dino, URI-encoded path separators in the file name + will be decoded, allowing an attacker to traverse + directories and create arbitrary files in the context of the + user.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-33896</cvename> + <mlist msgid="392f934a-f937-7b29-5f7f-5df3ee60d8a8@.larma.de">https://marc.info/?l=oss-security&m=162308719412719</mlist> + <url>https://dino.im/security/cve-2021-33896/</url> + </references> + <dates> + <discovery>2021-06-07</discovery> + <entry>2021-06-08</entry> + </dates> + </vuln> + + <vuln vid="45b8716b-c707-11eb-b9a0-6805ca0b3d42"> + <topic>pglogical -- shell command injection in pglogical.create_subscription()</topic> + <affects> + <package> + <name>pglogical</name> + <range><lt>2.3.4</lt></range> + 
</package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>2ndQuadrant reports:</p> + <blockquote cite="https://github.com/2ndQuadrant/pglogical/releases/tag/REL2_3_4"> + <ul> + <li> + Fix pg_dump/pg_restore execution (CVE-2021-3515)<br /> + <br /> + Correctly escape the connection string for both pg_dump + and pg_restore so that exotic database and user names are + handled correctly.<br /> + <br /> + Reported by Pedro Gallegos + </li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-3515</cvename> + <url>https://github.com/2ndQuadrant/pglogical/releases/tag/REL2_3_4</url> + <url>https://bugzilla.redhat.com/show_bug.cgi?id=1954112</url> + </references> + <dates> + <discovery>2021-06-01</discovery> + <entry>2021-06-06</entry> + </dates> + </vuln> + + <vuln vid="f70ab05e-be06-11eb-b983-000c294bb613"> + <topic>drupal7 -- fix possible CSS</topic> + <affects> + <package> + <name>drupal7</name> + <range><gt>7.0</gt><lt>7.80</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Drupal Security team reports:</p> + <blockquote cite="https://www.drupal.org/sa-core-2021-002"> + <p>Drupal core's sanitization API fails to properly filter + cross-site scripting under certain circumstances. + Not all sites and users are affected, but configuration + changes to prevent the exploit might be impractical + and will vary between sites. Therefore, we recommend + all sites update to this release as soon as + possible. 
+ </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2020-13672</cvename> + </references> + <dates> + <discovery>2021-04-21</discovery> + <entry>2021-06-06</entry> + </dates> + </vuln> + + <vuln vid="36a35d83-c560-11eb-84ab-e0d55e2a8bf9"> + <topic>polkit -- local privilege escalation using polkit_system_bus_name_get_creds_sync</topic> + <affects> + <package> + <name>polkit</name> + <range><lt>0.119</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Cedric Buissart reports:</p> + <blockquote cite="https://seclists.org/oss-sec/2021/q2/180"> + <p>The function <code>polkit_system_bus_name_get_creds_sync</code> is used to get the + uid and pid of the process requesting the action. It does this by + sending the unique bus name of the requesting process, which is + typically something like ":1.96", to <code>dbus-daemon</code>. These unique names + are assigned and managed by <code>dbus-daemon</code> and cannot be forged, so this + is a good way to check the privileges of the requesting process.</p> + <p>The vulnerability happens when the requesting process disconnects from + <code>dbus-daemon</code> just before the call to + <code>polkit_system_bus_name_get_creds_sync</code> starts. In this scenario, the + unique bus name is no longer valid, so <code>dbus-daemon</code> sends back an error + reply. This error case is handled in + <code>polkit_system_bus_name_get_creds_sync</code> by setting the value of the + <code>error</code> parameter, but it still returns <code>TRUE</code>, rather than <code>FALSE</code>. + This behavior means that all callers of + <code>polkit_system_bus_name_get_creds_sync</code> need to carefully check whether + an error was set. If the calling function forgets to check for errors + then it will think that the uid of the requesting process is 0 (because + the <code>AsyncGetBusNameCredsData</code> struct is zero initialized). 
In other + words, it will think that the action was requested by a root process, + and will therefore allow it.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-3560</cvename> + <url>https://seclists.org/oss-sec/2021/q2/180</url> + <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3560</url> + <url>https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a</url> + </references> + <dates> + <discovery>2021-06-03</discovery> + <entry>2021-06-04</entry> + </dates> + </vuln> + + <vuln vid="69815a1d-c31d-11eb-9633-b42e99a1b9c3"> + <topic>SOGo -- SAML user authentication impersonation</topic> + <affects> + <package> + <name>sogo</name> + <range><lt>5.1.1</lt></range> + </package> + <package> + <name>sogo-activesync</name> + <range><lt>5.1.1</lt></range> + </package> + <package> + <name>sogo2</name> + <range><lt>2.4.1</lt></range> + </package> + <package> + <name>sogo2-activesync</name> + <range><lt>2.4.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>sogo.nu reports:</p> + <blockquote cite="https://www.sogo.nu/news/2021/saml-vulnerability.html"> + <p>SOGo was not validating the signatures of any SAML assertions it received.</p> + <p>This means any actor with network access to the deployment could impersonate</p> + <p>users when SAML was the authentication method.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-33054</cvename> + <url>https://www.sogo.nu/news/2021/saml-vulnerability.html</url> + <url>https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html</url> + </references> + <dates> + <discovery>2021-06-01</discovery> + <entry>2021-06-02</entry> + </dates> + </vuln> + + <vuln vid="c7855866-c511-11eb-ae1d-b42e991fc52e"> + <topic>tauthon -- Regular Expression Denial of Service</topic> + <affects> + <package> + <name>tauthon</name> + <range><lt>2.8.3</lt></range> + </package> + 
</affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p></p> + <blockquote cite="https://github.com/naftaliharris/tauthon/blob/master/Misc/NEWS.d/2.8.3.rst"> + <p>The :class:`~urllib.request.AbstractBasicAuthHandler` class + of the :mod:`urllib.request` module uses an inefficient + regular expression which can be exploited by an + attacker to cause a denial of service</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2020-8492</cvename> + <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8492</url> + </references> + <dates> + <discovery>2020-01-30</discovery> + <entry>2021-06-04</entry> + </dates> + </vuln> + + <vuln vid="417de1e6-c31b-11eb-9633-b42e99a1b9c3"> + <topic>lasso -- signature checking failure</topic> + <affects> + <package> + <name>lasso</name> + <range><lt>2.7.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>entrouvert reports:</p> + <blockquote cite="https://git.entrouvert.org/lasso.git/tree/NEWS?id=v2.7.0"> + <p>When AuthnResponse messages are not signed (which is + permitted by the specifiation), all assertion's signatures should be + checked, but currently after the first signed assertion is checked all + following assertions are accepted without checking their signature, and + the last one is considered the main assertion.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-28091</cvename> + <url>https://git.entrouvert.org/lasso.git/tree/NEWS?id=v2.7.0</url> + </references> + <dates> + <discovery>2021-06-01</discovery> + <entry>2021-06-01</entry> + </dates> + </vuln> + + <vuln vid="079b3641-c4bd-11eb-a22a-693f0544ae52"> + <topic>go -- multiple vulnerabilities</topic> + <affects> + <package> + <name>go</name> + <range><lt>1.16.5,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Go project reports:</p> + <blockquote 
cite="https://github.com/golang/go/issues/45910"> + <p>The SetString and UnmarshalText methods of math/big.Rat may cause a + panic or an unrecoverable fatal error if passed inputs with very + large exponents.</p> + </blockquote> + <blockquote cite="https://github.com/golang/go/issues/46313"> + <p>ReverseProxy in net/http/httputil could be made to forward certain + hop-by-hop headers, including Connection. In case the target of the + ReverseProxy was itself a reverse proxy, this would let an attacker + drop arbitrary headers, including those set by the + ReverseProxy.Director.</p> + </blockquote> + <blockquote cite="https://github.com/golang/go/issues/46241"> + <p>The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr + functions in net, and their respective methods on the Resolver type + may return arbitrary values retrieved from DNS which do not follow + the established RFC 1035 rules for domain names. If these names are + used without further sanitization, for instance unsafely included in + HTML, they may allow for injection of unexpected content. 
Note that + LookupTXT may still return arbitrary values that could require + sanitization before further use.</p> + </blockquote> + <blockquote cite="https://github.com/golang/go/issues/46242"> + <p>The NewReader and OpenReader functions in archive/zip can cause a + panic or an unrecoverable fatal error when reading an archive that + claims to contain a large number of files, regardless of its actual + size.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-33198</cvename> + <url>https://github.com/golang/go/issues/45910</url> + <cvename>CVE-2021-33197</cvename> + <url>https://github.com/golang/go/issues/46313</url> + <cvename>CVE-2021-33195</cvename> + <url>https://github.com/golang/go/issues/46241</url> + <cvename>CVE-2021-33196</cvename> + <url>https://github.com/golang/go/issues/46242</url> + </references> + <dates> + <discovery>2021-05-01</discovery> + <entry>2021-06-03</entry> + </dates> + </vuln> + + <vuln vid="3000acee-c45d-11eb-904f-14dae9d5a9d2"> + <topic>aiohttp -- open redirect vulnerability</topic> + <affects> + <package> + <name>py36-aiohttp</name> + <name>py37-aiohttp</name> + <name>py38-aiohttp</name> + <name>py39-aiohttp</name> + <range><le>3.7.3</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Sviatoslav Sydorenko reports:</p> + <blockquote cite="https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg"> + <p>Open redirect vulnerability — a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website.</p> + <p>It is caused by a bug in the <code>aiohttp.web_middlewares.normalize_path_middleware</code> middleware.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-21330</cvename> + <url>https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg</url> + <url>https://nvd.nist.gov/vuln/detail/CVE-2021-21330</url> + </references> + <dates> + 
<discovery>2021-02-25</discovery> + <entry>2021-06-03</entry> + <modified>2021-06-23</modified> + </dates> + </vuln> + + <vuln vid="a550d62c-f78d-4407-97d9-93876b6741b9"> + <topic>zeek -- several potential DoS vulnerabilities</topic> + <affects> + <package> + <name>zeek</name> + <range><lt>4.0.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Tim Wojtulewicz of Corelight reports:</p> + <blockquote cite="https://github.com/zeek/zeek/releases/tag/v4.0.2"> + <p> Fix potential Undefined Behavior in decode_netbios_name() + and decode_netbios_name_type() BIFs. The latter has a + possibility of a remote heap-buffer-overread, making this + a potential DoS vulnerability.</p> + <p> Add some extra length checking when parsing mobile + ipv6 packets. Due to the possibility of reading invalid + headers from remote sources, this is a potential DoS + vulnerability. </p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/zeek/zeek/releases/tag/v4.0.2</url> + </references> + <dates> + <discovery>2021-04-30</discovery> + <entry>2021-06-02</entry> + </dates> + </vuln> + + <vuln vid="c7ec6375-c3cf-11eb-904f-14dae9d5a9d2"> + <topic>PyYAML -- arbitrary code execution</topic> + <affects> + <package> + <name>py36-yaml</name> + <name>py37-yaml</name> + <name>py38-yaml</name> + <name>py39-yaml</name> + <range><lt>5.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>A vulnerability was discovered in the PyYAML library + in versions before 5.4, where it is susceptible to arbitrary + code execution when it processes untrusted YAML files + through the full_load method or with the FullLoader loader. + Applications that use the library to process untrusted + input may be vulnerable to this flaw. This flaw allows + an attacker to execute arbitrary code on the system by + abusing the python/object/new constructor. 
This flaw is + due to an incomplete fix for CVE-2020-1747.</p> + </body> + </description> + <references> + <cvename>CVE-2020-14343</cvename> + <url>https://github.com/yaml/pyyaml/issues/420</url> + <url>https://access.redhat.com/security/cve/CVE-2020-14343</url> + <url>https://bugzilla.redhat.com/show_bug.cgi?id=1860466</url> + </references> + <dates> + <discovery>2020-07-22</discovery> + <entry>2021-06-02</entry> + </dates> + </vuln> + + <vuln vid="e24fb8f8-c39a-11eb-9370-b42e99a1b9c3"> + <topic>isc-dhcp -- remotely exploitable vulnerability</topic> + <affects> + <package> + <name>isc-dhcp44-relay</name> + <range><lt>4.4.2-P1</lt></range> + </package> + <package> + <name>isc-dhcp44-server</name> + <range><lt>4.4.2-P1</lt></range> + </package> + <package> + <name>isc-dhcp44-client</name> + <range><lt>4.4.2-P1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Michael McNally reports:</p> + <blockquote cite="https://seclists.org/oss-sec/2021/q2/170"> + <p>Program code used by the ISC DHCP package to read and parse stored leases</p> + <p>has a defect that can be exploited by an attacker to cause one of several + undesirable outcomes</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-25217</cvename> + <url>https://kb.isc.org/docs/cve-2021-25217</url> + </references> + <dates> + <discovery>2021-05-26</discovery> + <entry>2021-06-02</entry> + </dates> + </vuln> + + <vuln vid="5f52d646-c31f-11eb-8dcf-001b217b3468"> + <topic>Gitlab -- Multiple Vulnerabilities</topic> + <affects> + <package> + <name>gitlab-ce</name> + <range><ge>13.12.0</ge><lt>13.12.2</lt></range> + <range><ge>13.11.0</ge><lt>13.11.5</lt></range> + <range><ge>7.10.0</ge><lt>13.10.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Gitlab reports:</p> + <blockquote cite="https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/"> + 
<p>Stealing GitLab OAuth access tokens using XSLeaks in Safari</p> + <p>Denial of service through recursive triggered pipelines</p> + <p>Unauthenticated CI lint API may lead to information disclosure and SSRF</p> + <p>Server-side DoS through rendering crafted Markdown documents</p> + <p>Issue and merge request length limit is not being enforced</p> + <p>Insufficient Expired Password Validation</p> + <p>XSS in blob viewer of notebooks</p> + <p>Logging of Sensitive Information</p> + <p>On-call rotation information exposed when removing a member</p> + <p>Spoofing commit author for signed commits</p> + <p>Enable qsh verification for Atlassian Connect</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-22181</cvename> + <url>https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/</url> + </references> + <dates> + <discovery>2021-06-01</discovery> + <entry>2021-06-01</entry> + </dates> + </vuln> + + <vuln vid="8eb69cd0-c2ec-11eb-b6e7-8c164567ca3c"> + <topic>redis -- integer overflow</topic> + <affects> + <package> + <name>redis</name> + <range><ge>6.0.0</ge><lt>6.0.14</lt></range> + </package> + <package> + <name>redis-devel</name> + <range><ge>6.2.0</ge><lt>6.2.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Redis development team reports:</p> + <blockquote cite="https://groups.google.com/g/redis-db/c/RLTwi1kKsCI"> + <p>An integer overflow bug in Redis version 6.0 or newer can be + exploited using the STRALGO LCS command to corrupt the heap and + potentially result with remote code execution. 
This is a result + of an incomplete fix by CVE-2021-29477.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-32625</cvename> + <url>https://groups.google.com/g/redis-db/c/RLTwi1kKsCI</url> + </references> + <dates> + <discovery>2021-06-01</discovery> + <entry>2021-06-01</entry> + </dates> + </vuln> + + <vuln vid="58d6ed66-c2e8-11eb-9fb0-6451062f0f7a"> + <topic>libX11 -- Arbitrary code execution</topic> + <affects> + <package> + <name>libX11</name> + <range><lt>1.7.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The X.org project reports:</p> + <blockquote cite="https://lists.freedesktop.org/archives/xorg/2021-May/060699.html"> + <p>XLookupColor() and other X libraries function lack proper validation + of the length of their string parameters. If those parameters can be + controlled by an external application (for instance a color name that + can be emitted via a terminal control sequence) it can lead to the + emission of extra X protocol requests to the X server.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-31535</cvename> + <url>https://lists.freedesktop.org/archives/xorg/2021-May/060699.html</url> + <url>https://nvd.nist.gov/vuln/detail/CVE-2021-31535</url> + </references> + <dates> + <discovery>2021-05-11</discovery> + <entry>2021-06-01</entry> + </dates> + </vuln> + + <vuln vid="59ab72fb-bccf-11eb-a38d-6805ca1caf5c"> + <topic>Prometheus -- arbitrary redirects</topic> + <affects> + <package> + <name>prometheus2</name> + <range><ge>2.23.0</ge><lt>2.26.1</lt></range> + <range><eq>2.27.0</eq></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Prometheus reports:</p> + <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2021-29622"> + <p> + Prometheus is an open-source monitoring system and time series + database. In 2.23.0, Prometheus changed its default UI to the New + ui. 
To ensure a seamless transition, the URL's prefixed by /new + redirect to /. Due to a bug in the code, it is possible for an + attacker to craft an URL that can redirect to any other URL, in the + /new endpoint. If a user visits a prometheus server with a + specially crafted address, they can be redirected to an arbitrary + URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In + 2.28.0, the /new endpoint will be removed completely. The + workaround is to disable access to /new via a reverse proxy in + front of Prometheus. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-29622</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2021-29622</url> + </references> + <dates> + <discovery>2021-05-18</discovery> + <entry>2021-06-01</entry> + </dates> + </vuln> + + <vuln vid="fd24a530-c202-11eb-b217-b42e99639323"> + <topic>wayland -- integer overflow</topic> + <affects> + <package> + <name>wayland</name> + <range><lt>1.19.0_1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Tobias Stoeckmann reports:</p> + <blockquote + cite="https://gitlab.freedesktop.org/wayland/wayland/-/merge_requests/133"> + <p>The libXcursor fix for CVE-2013-2003 has never been imported into wayland, leaving it vulnerable to it.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2013-2003</cvename> + <url>https://gitlab.freedesktop.org/wayland/wayland/-/merge_requests/133</url> + <freebsdpr>ports/256273</freebsdpr> + </references> + <dates> + <discovery>2021-05-02</discovery> + <entry>2021-05-31</entry> + </dates> *** 11820 LINES SKIPPED ***
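Review bot: the `<!ENTITY vuln-2021 SYSTEM "vuln-2021.xml">` line added in the tidy.xsl hunk (at `@@ -43,6 +43,7 @@`, inside the `<xsl:text>` CDATA that emits the DOCTYPE) is a second, hand-maintained copy of the per-year entity list, so it has to be kept in lockstep with the list in vuln.xml, which the diffstat shows was edited in the same commit but whose hunk is not shown here. Since the commit message turns this into a yearly chore, a short comment above the list in tidy.xsl stating that a new `<!ENTITY vuln-YYYY ...>` must be added in both files, or a small check that the two lists match, would keep the tidied output from silently dropping a year's entries the next time only one of the two places is updated.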
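Review bot: several entries in the vuln-2021.xml hunk carry errors that either break matching on the data or mislead readers, and they are worth fixing before this file becomes the new append target. In the dovecot entry (vid d18f431d-d360-11eb-a32c-00a0989e4ec1) the second reference is `<url>>https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html</url>`; the stray `>` becomes part of the element text, so the recorded URL begins with `>`. In the cacti entry (vid e4cd0b38-c9f9-11eb-87e1-08002750c711) the reference is `<cvename>2020-35701</cvename>`, missing the `CVE-` prefix every other `<cvename>` in the file uses, so CVE-keyed lookups will not find it; the lead-in there also reads "Cati team reports". In the dragonfly entry (vid c9e2a1a7-caa1-11eb-904f-14dae9d5a9d2) the affects range is `<lt>2.4.0</lt>` while the quoted NVD text says "before 1.4.0"; one of the two is wrong, and if it is the range, versions from 1.4.0 up to 2.4.0 will be reported as vulnerable when they are fixed. Smaller points: the drupal7 topic says "fix possible CSS" where the description is about cross-site scripting (XSS), and its range uses `<gt>7.0</gt>` where the other entries use `<ge>`, which excludes 7.0 itself unless that is intended; the dovecot-pigeonhole entry reads "Dovecot team reports reports"; the lasso quote has "specifiation"; the tauthon entry has an empty `<p></p>` where every other entry names the reporter; the dino entry's `mlist msgid` host part is `@.larma.de`, whose leading dot looks like a typo; and "The Apache httpd reports" reads as if a word ("project") is missing. None of these affect well-formedness, but the cvename, url and range problems change what consumers of the database match on.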