Date: Wed, 1 Jun 2016 22:54:14 +0000 (UTC)
From: Ryan Steinmetz <zi@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r416262 - branches/2016Q2/security/vuxml
Message-ID: <201606012254.u51MsEat075363@repo.freebsd.org>
Author: zi
Date: Wed Jun 1 22:54:14 2016
New Revision: 416262
URL: https://svnweb.freebsd.org/changeset/ports/416262

Log:
  MFH: r416260

  - Get vuln.xml in sync with head

  Approved by:	ports-secteam (me)

Modified:
  branches/2016Q2/security/vuxml/vuln.xml
Directory Properties:
  branches/2016Q2/   (props changed)

Modified: branches/2016Q2/security/vuxml/vuln.xml
==============================================================================
--- branches/2016Q2/security/vuxml/vuln.xml	Wed Jun 1 22:50:28 2016	(r416261)
+++ branches/2016Q2/security/vuxml/vuln.xml	Wed Jun 1 22:54:14 2016	(r416262)
@@ -58,6 +58,2391 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="65bb1858-27de-11e6-b714-74d02b9a84d5"> + <topic>h2o -- use after free on premature connection close</topic> + <affects> + <package> + <name>h2o</name> + <range><lt>1.7.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Tim Newsha reports:</p> + <blockquote cite="http://h2o.examp1e.net/vulnerabilities.html"> + <p>When H2O tries to disconnect a premature HTTP/2 connection, it + calls free(3) to release memory allocated for the connection and + immediately after then touches the memory. No malloc-related + operation is performed by the same thread between the time it calls + free and the time the memory is touched. Fixed by Frederik + Deweerdt.</p> + </blockquote> + </body> + </description> + <references> + <url>https://h2o.examp1e.net/vulnerabilities.html</url> + </references> + <dates> + <discovery>2016-05-17</discovery> + <entry>2016-06-01</entry> + </dates> + </vuln> + + <vuln vid="36cf7670-2774-11e6-af29-f0def16c5c1b"> + <topic>nginx -- a specially crafted request might result in worker process crash</topic> + <affects> + <package> + <name>nginx</name> + <range><ge>1.4.0</ge><lt>1.10.1</lt></range> + </package> + <package> + <name>nginx-devel</name> + <range><ge>1.3.9</ge><lt>1.11.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Maxim Dounin reports:</p> + <blockquote cite="http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html"> + <p>A problem was identified in nginx code responsible for saving + client request body to a temporary file. 
A specially crafted + request might result in worker process crash due to a NULL + pointer dereference while writing client request body to a + temporary file.</p> + </blockquote> + </body> + </description> + <references> + <url>http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html</url> + <cvename>CVE-2016-4450</cvename> + </references> + <dates> + <discovery>2016-05-31</discovery> + <entry>2016-05-31</entry> + </dates> + </vuln> + + <vuln vid="6167b341-250c-11e6-a6fb-003048f2e514"> + <topic>cacti -- multiple vulnerabilities</topic> + <affects> + <package> + <name>cacti</name> + <range><lt>0.8.8h</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Cacti Group, Inc. reports:</p> + <blockquote cite="http://www.cacti.net/release_notes_0_8_8h.php"> + <p>Changelog</p> + <ul> + <li>bug:0002667: Cacti SQL Injection Vulnerability</li> + <li>bug:0002673: CVE-2016-3659 - Cacti graph_view.php SQL Injection + Vulnerability</li> + <li>bug:0002656: Authentication using web authentication as a user + not in the cacti database allows complete access (regression)</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-3659</cvename> + <url>http://www.cacti.net/release_notes_0_8_8h.php</url> + <url>http://bugs.cacti.net/view.php?id=2673</url> + <url>http://seclists.org/fulldisclosure/2016/Apr/4</url> + <url>http://packetstormsecurity.com/files/136547/Cacti-0.8.8g-SQL-Injection.html</url> + </references> + <dates> + <discovery>2016-04-04</discovery> + <entry>2016-05-28</entry> + </dates> + </vuln> + + <vuln vid="b53bbf58-257f-11e6-9f4d-20cf30e32f6d"> + <topic>openvswitch -- MPLS buffer overflow</topic> + <affects> + <package> + <name>openvswitch</name> + <range><le>2.3.2_1</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Open vSwitch reports:</p> + <blockquote 
cite="http://openvswitch.org/pipermail/announce/2016-March/000082.html"> + <p>Multiple versions of Open vSwitch are vulnerable to remote buffer + overflow attacks, in which crafted MPLS packets could overflow the + buffer reserved for MPLS labels in an OVS internal data structure. + The MPLS packets that trigger the vulnerability and the potential for + exploitation vary depending on version:</p> + <p>Open vSwitch 2.1.x and earlier are not vulnerable.</p> + <p>In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be + exploited for arbitrary remote code execution.</p> + <p>In Open vSwitch 2.4.x, the MPLS buffer overflow does not obviously lead + to a remote code execution exploit, but testing shows that it can allow a + remote denial of service. See the mitigation section for details.</p> + <p>Open vSwitch 2.5.x is not vulnerable.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-2074</cvename> + </references> + <dates> + <discovery>2016-03-28</discovery> + <entry>2016-05-29</entry> + </dates> + </vuln> + + <vuln vid="1a6bbb95-24b8-11e6-bd31-3065ec8fd3ec"> + <topic>chromium -- multiple vulnerabilities</topic> + <affects> + <package> + <name>chromium</name> + <name>chromium-npapi</name> + <name>chromium-pulse</name> + <range><lt>51.0.2704.63</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Google Chrome Releases reports:</p> + <blockquote cite="http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update_25.html"> + <p>42 security fixes in this release, including:</p> + <ul> + <li>[590118] High CVE-2016-1672: Cross-origin bypass in extension + bindings. Credit to Mariusz Mlynski.</li> + <li>[597532] High CVE-2016-1673: Cross-origin bypass in Blink. + Credit to Mariusz Mlynski.</li> + <li>[598165] High CVE-2016-1674: Cross-origin bypass in extensions.i + Credit to Mariusz Mlynski.</li> + <li>[600182] High CVE-2016-1675: Cross-origin bypass in Blink. 
+ Credit to Mariusz Mlynski.</li> + <li>[604901] High CVE-2016-1676: Cross-origin bypass in extension + bindings. Credit to Rob Wu.</li> + <li>[602970] Medium CVE-2016-1677: Type confusion in V8. Credit to + Guang Gong of Qihoo 360.</li> + <li>[595259] High CVE-2016-1678: Heap overflow in V8. Credit to + Christian Holler.</li> + <li>[606390] High CVE-2016-1679: Heap use-after-free in V8 + bindings. Credit to Rob Wu.</li> + <li>[589848] High CVE-2016-1680: Heap use-after-free in Skia. + Credit to Atte Kettunen of OUSPG.</li> + <li>[613160] High CVE-2016-1681: Heap overflow in PDFium. Credit to + Aleksandar Nikolic of Cisco Talos.</li> + <li>[579801] Medium CVE-2016-1682: CSP bypass for ServiceWorker. + Credit to KingstonTime.</li> + <li>[583156] Medium CVE-2016-1683: Out-of-bounds access in libxslt. + Credit to Nicolas Gregoire.</li> + <li>[583171] Medium CVE-2016-1684: Integer overflow in libxslt. + Credit to Nicolas Gregoire.</li> + <li>[601362] Medium CVE-2016-1685: Out-of-bounds read in PDFium. + Credit to Ke Liu of Tencent's Xuanwu LAB.</li> + <li>[603518] Medium CVE-2016-1686: Out-of-bounds read in PDFium. + Credit to Ke Liu of Tencent's Xuanwu LAB.</li> + <li>[603748] Medium CVE-2016-1687: Information leak in extensions. + Credit to Rob Wu.</li> + <li>[604897] Medium CVE-2016-1688: Out-of-bounds read in V8. + Credit to Max Korenko.</li> + <li>[606185] Medium CVE-2016-1689: Heap buffer overflow in media. + Credit to Atte Kettunen of OUSPG.</li> + <li>[608100] Medium CVE-2016-1690: Heap use-after-free in Autofill. + Credit to Rob Wu.</li> + <li>[597926] Low CVE-2016-1691: Heap buffer-overflow in Skia. + Credit to Atte Kettunen of OUSPG.</li> + <li>[598077] Low CVE-2016-1692: Limited cross-origin bypass in + ServiceWorker. Credit to Til Jasper Ullrich.</li> + <li>[598752] Low CVE-2016-1693: HTTP Download of Software Removal + Tool. Credit to Khalil Zhani.</li> + <li>[603682] Low CVE-2016-1694: HPKP pins removed on cache + clearance. 
Credit to Ryan Lester and Bryant Zadegan.</li> + <li>[614767] CVE-2016-1695: Various fixes from internal audits, + fuzzing and other initiatives.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-1672</cvename> + <cvename>CVE-2016-1673</cvename> + <cvename>CVE-2016-1674</cvename> + <cvename>CVE-2016-1675</cvename> + <cvename>CVE-2016-1672</cvename> + <cvename>CVE-2016-1677</cvename> + <cvename>CVE-2016-1678</cvename> + <cvename>CVE-2016-1679</cvename> + <cvename>CVE-2016-1680</cvename> + <cvename>CVE-2016-1681</cvename> + <cvename>CVE-2016-1682</cvename> + <cvename>CVE-2016-1683</cvename> + <cvename>CVE-2016-1684</cvename> + <cvename>CVE-2016-1685</cvename> + <cvename>CVE-2016-1686</cvename> + <cvename>CVE-2016-1687</cvename> + <cvename>CVE-2016-1688</cvename> + <cvename>CVE-2016-1689</cvename> + <cvename>CVE-2016-1690</cvename> + <cvename>CVE-2016-1691</cvename> + <cvename>CVE-2016-1692</cvename> + <cvename>CVE-2016-1693</cvename> + <cvename>CVE-2016-1694</cvename> + <cvename>CVE-2016-1695</cvename> + <url>http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update_25.html</url> + </references> + <dates> + <discovery>2016-05-25</discovery> + <entry>2016-05-28</entry> + </dates> + </vuln> + + <vuln vid="4dfafa16-24ba-11e6-bd31-3065ec8fd3ec"> + <topic>chromium -- multiple vulnerabilities</topic> + <affects> + <package> + <name>chromium</name> + <name>chromium-npapi</name> + <name>chromium-pulse</name> + <range><lt>50.0.2661.102</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Google Chrome Releases reports:</p> + <blockquote cite="http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update.html"> + <p>5 security fixes in this release, including:</p> + <ul> + <li>[605766] High CVE-2016-1667: Same origin bypass in DOM. Credit + to Mariusz Mlynski.</li> + <li>[605910] High CVE-2016-1668: Same origin bypass in Blink V8 + bindings. 
Credit to Mariusz Mlynski.</li> + <li>[606115] High CVE-2016-1669: Buffer overflow in V8. Credit to + Choongwoo Han.</li> + <li>[578882] Medium CVE-2016-1670: Race condition in loader. Credit + to anonymous.</li> + <li>[586657] Medium CVE-2016-1671: Directory traversal using the + file scheme on Android. Credit to Jann Horn.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-1667</cvename> + <cvename>CVE-2016-1668</cvename> + <cvename>CVE-2016-1669</cvename> + <cvename>CVE-2016-1670</cvename> + <cvename>CVE-2016-1671</cvename> + <url>http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update.html</url> + </references> + <dates> + <discovery>2016-05-11</discovery> + <entry>2016-05-28</entry> + </dates> + </vuln> + + <vuln vid="7da1da96-24bb-11e6-bd31-3065ec8fd3ec"> + <topic>chromium -- multiple vulnerablities</topic> + <affects> + <package> + <name>chromium</name> + <name>chromium-npapi</name> + <name>chromium-pulse</name> + <range><lt>50.0.2661.94</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Google Chrome Releases reports:</p> + <blockquote cite="http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_28.html"> + <p>9 security fixes in this release, including:</p> + <ul> + <li>[574802] High CVE-2016-1660: Out-of-bounds write in Blink. + Credit to Atte Kettunen of OUSPG.</li> + <li>[601629] High CVE-2016-1661: Memory corruption in cross-process + frames. Credit to Wadih Matar.</li> + <li>[603732] High CVE-2016-1662: Use-after-free in extensions. + Credit to Rob Wu.</li> + <li>[603987] High CVE-2016-1663: Use-after-free in Blink's V8 + bindings. Credit to anonymous.</li> + <li>[597322] Medium CVE-2016-1664: Address bar spoofing. Credit to + Wadih Matar.</li> + <li>[606181] Medium CVE-2016-1665: Information leak in V8. 
Credit + to HyungSeok Han.</li> + <li>[607652] CVE-2016-1666: Various fixes from internal audits, + fuzzing and other initiatives.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-1660</cvename> + <cvename>CVE-2016-1661</cvename> + <cvename>CVE-2016-1662</cvename> + <cvename>CVE-2016-1663</cvename> + <cvename>CVE-2016-1664</cvename> + <cvename>CVE-2016-1665</cvename> + <cvename>CVE-2016-1666</cvename> + <url>http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_28.html</url> + </references> + <dates> + <discovery>2016-04-28</discovery> + <entry>2016-05-28</entry> + </dates> + </vuln> + + <vuln vid="6b110175-246d-11e6-8dd3-002590263bf5"> + <topic>php -- multiple vulnerabilities</topic> + <affects> + <package> + <name>php70-gd</name> + <name>php70-intl</name> + <range><lt>7.0.7</lt></range> + </package> + <package> + <name>php56</name> + <name>php56-gd</name> + <range><lt>5.6.22</lt></range> + </package> + <package> + <name>php55</name> + <name>php55-gd</name> + <name>php55-phar</name> + <range><lt>5.5.36</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The PHP Group reports:</p> + <blockquote cite="http://php.net/ChangeLog-5.php#5.5.36"> + <ul><li>Core: + <ul> + <li>Fixed bug #72114 (Integer underflow / arbitrary null write in + fread/gzread). (CVE-2016-5096) (PHP 5.5/5.6 only)</li> + <li>Fixed bug #72135 (Integer Overflow in php_html_entities). + (CVE-2016-5094) (PHP 5.5/5.6 only)</li> + </ul></li> + <li>GD: + <ul> + <li>Fixed bug #72227 (imagescale out-of-bounds read). + (CVE-2013-7456)</li> + </ul></li> + <li>Intl: + <ul> + <li>Fixed bug #72241 (get_icu_value_internal out-of-bounds read). + (CVE-2016-5093)</li> + </ul></li> + <li>Phar: + <ul> + <li>Fixed bug #71331 (Uninitialized pointer in + phar_make_dirstream()). 
(CVE-2016-4343) (PHP 5.5 only)</li> + </ul></li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-5096</cvename> + <cvename>CVE-2016-5094</cvename> + <cvename>CVE-2013-7456</cvename> + <cvename>CVE-2016-5093</cvename> + <cvename>CVE-2016-4343</cvename> + <freebsdpr>ports/209779</freebsdpr> + <url>http://php.net/ChangeLog-7.php#7.0.7</url> + <url>http://php.net/ChangeLog-5.php#5.6.22</url> + <url>http://php.net/ChangeLog-5.php#5.5.36</url> + </references> + <dates> + <discovery>2016-05-26</discovery> + <entry>2016-05-28</entry> + </dates> + </vuln> + + <vuln vid="00ec1be1-22bb-11e6-9ead-6805ca0b3d42"> + <topic>phpmyadmin -- XSS and sensitive data leakage</topic> + <affects> + <package> + <name>phpmyadmin</name> + <range><ge>4.6.0</ge><lt>4.6.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The phpmyadmin development team reports:</p> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-14/"> + <h2>Description</h2> + <p>Because user SQL queries are part of the URL, sensitive + information made as part of a user query can be exposed by + clicking on external links to attackers monitoring user GET + query parameters or included in the webserver logs.</p> + <h2>Severity</h2> + <p>We consider this to be non-critical.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-16/"> + <h2>Description</h2> + <p>A specially crafted attack could allow for special HTML + characters to be passed as URL encoded values and displayed + back as special characters in the page.</p> + <h2>Severity</h2> + <p>We consider this to be non-critical.</p> + </blockquote> + </body> + </description> + <references> + <url>https://www.phpmyadmin.net/security/PMASA-2016-14/</url> + <url>https://www.phpmyadmin.net/security/PMASA-2016-16/</url> + <cvename>CVE-2016-5097</cvename> + <cvename>CVE-2016-5099</cvename> + </references> + <dates> + 
<discovery>2016-05-25</discovery> + <entry>2016-05-25</entry> + <modified>2016-05-26</modified> + </dates> + </vuln> + + <vuln vid="b50f53ce-2151-11e6-8dd3-002590263bf5"> + <topic>mediawiki -- multiple vulnerabilities</topic> + <affects> + <package> + <name>mediawiki123</name> + <range><lt>1.23.14</lt></range> + </package> + <package> + <name>mediawiki124</name> + <range><le>1.24.6</le></range> + </package> + <package> + <name>mediawiki125</name> + <range><lt>1.25.6</lt></range> + </package> + <package> + <name>mediawiki126</name> + <range><lt>1.26.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Mediawiki reports:</p> + <blockquote cite="https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html"> + <p>Security fixes:</p> + <p>T122056: Old tokens are remaining valid within a new session</p> + <p>T127114: Login throttle can be tricked using non-canonicalized + usernames</p> + <p>T123653: Cross-domain policy regexp is too narrow</p> + <p>T123071: Incorrectly identifying http link in a's href + attributes, due to m modifier in regex</p> + <p>T129506: MediaWiki:Gadget-popups.js isn't renderable</p> + <p>T125283: Users occasionally logged in as different users after + SessionManager deployment</p> + <p>T103239: Patrol allows click catching and patrolling of any + page</p> + <p>T122807: [tracking] Check php crypto primatives</p> + <p>T98313: Graphs can leak tokens, leading to CSRF</p> + <p>T130947: Diff generation should use PoolCounter</p> + <p>T133507: Careless use of $wgExternalLinkTarget is insecure</p> + <p>T132874: API action=move is not rate limited</p> + </blockquote> + </body> + </description> + <references> + <url>https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html</url> + </references> + <dates> + <discovery>2016-05-20</discovery> + <entry>2016-05-24</entry> + </dates> + </vuln> + + <vuln vid="967b852b-1e28-11e6-8dd3-002590263bf5"> + <topic>wpa_supplicant 
-- psk configuration parameter update allowing arbitrary data to be written</topic> + <affects> + <package> + <name>wpa_supplicant</name> + <range><lt>2.5_2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Jouni Malinen reports:</p> + <blockquote cite="http://w1.fi/security/2016-1/psk-parameter-config-update.txt"> + <p>psk configuration parameter update allowing arbitrary data to be + written (2016-1 - CVE-2016-4476/CVE-2016-4477).</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-4476</cvename> + <cvename>CVE-2016-4477</cvename> + <freebsdpr>/ports/209564</freebsdpr> + <url>http://w1.fi/security/2016-1/psk-parameter-config-update.txt</url> + </references> + <dates> + <discovery>2016-05-02</discovery> + <entry>2016-05-20</entry> + </dates> + </vuln> + + <vuln vid="57b3aba7-1e25-11e6-8dd3-002590263bf5"> + <topic>expat -- denial of service vulnerability on malformed input</topic> + <affects> + <package> + <name>expat</name> + <range><lt>2.1.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Gustavo Grieco reports:</p> + <blockquote cite="http://www.openwall.com/lists/oss-security/2016/05/17/12"> + <p>The Expat XML parser mishandles certain kinds of malformed input + documents, resulting in buffer overflows during processing and error + reporting. The overflows can manifest as a segmentation fault or as + memory corruption during a parse operation. 
The bugs allow for a + denial of service attack in many applications by an unauthenticated + attacker, and could conceivably result in remote code execution.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-0718</cvename> + <freebsdpr>ports/209360</freebsdpr> + <url>http://www.openwall.com/lists/oss-security/2016/05/17/12</url> + </references> + <dates> + <discovery>2016-05-17</discovery> + <entry>2016-05-20</entry> + </dates> + </vuln> + + <vuln vid="036d6c38-1c5b-11e6-b9e0-20cf30e32f6d"> + <topic>Bugzilla security issues</topic> + <affects> + <package> + <name>bugzilla44</name> + <range><lt>4.4.12</lt></range> + </package> + <package> + <name>bugzilla50</name> + <range><lt>5.0.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Bugzilla Security Advisory</p> + <blockquote cite="https://www.bugzilla.org/security/4.4.11/"> + <p>A specially crafted bug summary could trigger XSS in dependency graphs. + Due to an incorrect parsing of the image map generated by the dot script, + a specially crafted bug summary could trigger XSS in dependency graphs.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-2803</cvename> + <url>https://bugzilla.mozilla.org/show_bug.cgi?id=1253263</url> + </references> + <dates> + <discovery>2016-03-03</discovery> + <entry>2016-05-17</entry> + </dates> + </vuln> + + <vuln vid="0dc8be9e-19af-11e6-8de0-080027ef73ec"> + <topic>OpenVPN -- Buffer overflow in PAM authentication and DoS through port sharing</topic> + <affects> + <package> + <name>openvpn</name> + <range><lt>2.3.11</lt></range> + </package> + <package> + <name>openvpn-polarssl</name> + <range><lt>2.3.11</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Samuli Seppänen reports:</p> + <blockquote cite="https://sourceforge.net/p/openvpn/mailman/message/35076507/"> + <p>OpenVPN 2.3.11 [...] 
fixes two vulnerabilities: a port-share bug + with DoS potential and a buffer overflow by user supplied data when + using pam authentication.[...]</p> + </blockquote> + </body> + </description> + <references> + <url>https://sourceforge.net/p/openvpn/mailman/message/35076507/</url> + <url>https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11</url> + </references> + <dates> + <discovery>2016-03-03</discovery> + <entry>2016-05-14</entry> + </dates> + </vuln> + + <vuln vid="82b702e0-1907-11e6-857b-00221503d280"> + <topic>imagemagick -- buffer overflow</topic> + <affects> + <package> + <name>ImageMagick</name> + <name>ImageMagick-nox11</name> + <range><lt>6.9.4.1,1</lt></range> + </package> + <package> + <name>ImageMagick7</name> + <name>ImageMagick7-nox11</name> + <range><ge>7.0.0.0.b20150715</ge><lt>7.0.1.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>ImageMagick reports:</p> + <blockquote cite="http://legacy.imagemagick.org/script/changelog.php"> + <p>Fix a buffer overflow in magick/drag.c/DrawStrokePolygon().</p> + </blockquote> + </body> + </description> + <references> + <url>http://legacy.imagemagick.org/script/changelog.php</url> + </references> + <dates> + <discovery>2016-05-09</discovery> + <entry>2016-05-13</entry> + </dates> + </vuln> + + <vuln vid="e387834a-17ef-11e6-9947-7054d2909b71"> + <topic>jenkins -- multiple vulnerabilities</topic> + <affects> + <package> + <name>jenkins</name> + <range><le>2.2</le></range> + </package> + <package> + <name>jenkins2</name> + <range><le>2.2</le></range> + </package> + <package> + <name>jenkins-lts</name> + <range><le>1.651.1</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Jenkins Security Advisory:</p> + <blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11"> + <h1>Description</h1> + <h5>SECURITY-170 / CVE-2016-3721</h5> + <p>Arbitrary 
build parameters are passed to build scripts as environment variables</p> + <h5>SECURITY-243 / CVE-2016-3722</h5> + <p>Malicious users with multiple user accounts can prevent other users from logging in</p> + <h5>SECURITY-250 / CVE-2016-3723</h5> + <p>Information on installed plugins exposed via API</p> + <h5>SECURITY-266 / CVE-2016-3724</h5> + <p>Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration</p> + <h5>SECURITY-273 / CVE-2016-3725</h5> + <p>Regular users can trigger download of update site metadata</p> + <h5>SECURITY-276 / CVE-2016-3726</h5> + <p>Open redirect to scheme-relative URLs</p> + <h5>SECURITY-281 / CVE-2016-3727</h5> + <p>Granting the permission to read node configurations allows access to overall system configuration</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-3721</cvename> + <cvename>CVE-2016-3722</cvename> + <cvename>CVE-2016-3723</cvename> + <cvename>CVE-2016-3724</cvename> + <cvename>CVE-2016-3725</cvename> + <cvename>CVE-2016-3726</cvename> + <cvename>CVE-2016-3727</cvename> + <url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11</url> + </references> + <dates> + <discovery>2016-05-11</discovery> + <entry>2016-05-12</entry> + </dates> + </vuln> + + <vuln vid="d9f99491-1656-11e6-94fa-002590263bf5"> + <topic>perl5 -- taint mechanism bypass vulnerability</topic> + <affects> + <package> + <name>perl5</name> + <range><lt>5.18.4_21</lt></range> + <range><ge>5.20.0</ge><lt>5.20.3_12</lt></range> + <range><ge>5.22.0</ge><lt>5.22.1_8</lt></range> + </package> + <package> + <name>perl5.18</name> + <range><ge>5.18.0</ge><lt>5.18.4_21</lt></range> + </package> + <package> + <name>perl5.20</name> + <range><ge>5.20.0</ge><lt>5.20.3_12</lt></range> + </package> + <package> + <name>perl5.22</name> + <range><ge>5.22.0</ge><lt>5.22.1_8</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>MITRE 
reports:</p> + <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2381"> + <p>Perl might allow context-dependent attackers to bypass the taint + protection mechanism in a child process via duplicate environment + variables in envp.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-2381</cvename> + <freebsdpr>ports/208879</freebsdpr> + </references> + <dates> + <discovery>2016-04-08</discovery> + <entry>2016-05-10</entry> + </dates> + </vuln> + + <vuln vid="3686917b-164d-11e6-94fa-002590263bf5"> + <topic>wordpress -- multiple vulnerabilities</topic> + <affects> + <package> + <name>wordpress</name> + <range><lt>4.5.2,1</lt></range> + </package> + <package> + <name>de-wordpress</name> + <name>ja-wordpress</name> + <name>ru-wordpress</name> + <name>zh-wordpress-zh_CN</name> + <name>zh-wordpress-zh_TW</name> + <range><lt>4.5.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Helen Hou-Sandi reports:</p> + <blockquote cite="https://wordpress.org/news/2016/05/wordpress-4-5-2/"> + <p>WordPress 4.5.2 is now available. This is a security release for + all previous versions and we strongly encourage you to update your + sites immediately.</p> + <p>WordPress versions 4.5.1 and earlier are affected by a SOME + vulnerability through Plupload, the third-party library WordPress + uses for uploading files. WordPress versions 4.2 through 4.5.1 are + vulnerable to reflected XSS using specially crafted URIs through + MediaElement.js, the third-party library used for media players. 
+ MediaElement.js and Plupload have also released updates fixing + these issues.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-4566</cvename> + <cvename>CVE-2016-4567</cvename> + <url>https://wordpress.org/news/2016/05/wordpress-4-5-2/</url> + <url>http://www.openwall.com/lists/oss-security/2016/05/07/7</url> + </references> + <dates> + <discovery>2016-05-06</discovery> + <entry>2016-05-10</entry> + </dates> + </vuln> + + <vuln vid="2b4c8e1f-1609-11e6-b55e-b499baebfeaf"> + <topic>libarchive -- RCE vulnerability</topic> + <affects> + <package> + <name>libarchive</name> + <range><lt>3.2.0,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The libarchive project reports:</p> + <blockquote cite="https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7"> + <p>Heap-based buffer overflow in the zip_read_mac_metadata function + in archive_read_support_format_zip.c in libarchive before 3.2.0 + allows remote attackers to execute arbitrary code via crafted + entry-size values in a ZIP archive.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-1541</cvename> + <url>https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7</url> + </references> + <dates> + <discovery>2016-05-01</discovery> + <entry>2016-05-09</entry> + <modified>2016-05-10</modified> + </dates> + </vuln> + + <vuln vid="25e5205b-1447-11e6-9ead-6805ca0b3d42"> + <topic>squid -- multiple vulnerabilities</topic> + <affects> + <package> + <name>squid</name> + <range><ge>3.0.0</ge><lt>3.5.18</lt></range> + </package> + <package> + <name>squid-devel</name> + <range><ge>4.0.0</ge><lt>4.0.10</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The squid development team reports:</p> + <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_7.txt"> + <dl> + <dt>Problem 
Description:</dt> + <dd>Due to incorrect data validation of intercepted HTTP + Request messages Squid is vulnerable to clients bypassing + the protection against CVE-2009-0801 related issues. This + leads to cache poisoning.</dd> + <dt>Severity:</dt> + <dd>This problem is serious because it allows any client, + including browser scripts, to bypass local security and + poison the proxy cache and any downstream caches with + content from an arbitrary source.</dd> + </dl> + </blockquote> + <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_8.txt"> + <dl> + <dt>Problem Description:</dt> + <dd>Due to incorrect input validation Squid is vulnerable + to a header smuggling attack leading to cache poisoning + and to bypass of same-origin security policy in Squid and + some client browsers.</dd> + <dt>Severity:</dt> + <dd>This problem allows a client to smuggle Host header + value past same-origin security protections to cause Squid + operating as interception or reverse-proxy to contact the + wrong origin server. 
Also poisoning any downstream cache + which stores the response.</dd> + <dd>However, the cache poisoning is only possible if the + caching agent (browser or explicit/forward proxy) is not + following RFC 7230 processing guidelines and lets the + smuggled value through.</dd> + </dl> + </blockquote> + <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_9.txt"> + <dl> + <dt>Problem Description:</dt> + <dd>Due to incorrect pointer handling and reference + counting Squid is vulnerable to a denial of service attack + when processing ESI responses.</dd> + <dt>Severity:</dt> + <dd>These problems allow a remote server delivering + certain ESI response syntax to trigger a denial of service + for all clients accessing the Squid service.</dd> + <dd>Due to unrelated changes Squid-3.5 has become + vulnerable to some regular ESI server responses also + triggering one or more of these issues.</dd> + </dl> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-4553</cvename> + <cvename>CVE-2016-4554</cvename> + <cvename>CVE-2016-4555</cvename> + <cvename>CVE-2016-4556</cvename> + <url>http://www.squid-cache.org/Advisories/SQUID-2016_7.txt</url> + <url>http://www.squid-cache.org/Advisories/SQUID-2016_8.txt</url> + <url>http://www.squid-cache.org/Advisories/SQUID-2016_9.txt</url> + </references> + <dates> + <discovery>2016-05-06</discovery> + <entry>2016-05-07</entry> + <modified>2016-05-09</modified> + </dates> + </vuln> + + <vuln vid="0d724b05-687f-4527-9c03-af34d3b094ec"> + <topic>ImageMagick -- multiple vulnerabilities</topic> + <affects> + <package> + <name>ImageMagick</name> + <name>ImageMagick-nox11</name> + <range><lt>6.9.3.9_1,1</lt></range> + </package> + <package> + <name>ImageMagick7</name> + <name>ImageMagick7-nox11</name> + <range><ge>7.0.0.0.b20150715</ge><lt>7.0.1.0_1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Openwall reports:</p> + <blockquote 
cite="http://www.openwall.com/lists/oss-security/2016/05/03/18"> + <p>Insufficient filtering for filename passed to delegate's command + allows remote code execution during conversion of several file + formats. Any service which uses ImageMagick to process user + supplied images and uses default delegates.xml / policy.xml, + may be vulnerable to this issue.</p> + <p>It is possible to make ImageMagick perform a HTTP GET or FTP + request</p> + <p>It is possible to delete files by using ImageMagick's 'ephemeral' + pseudo protocol which deletes files after reading.</p> + <p>It is possible to move image files to file with any extension + in any folder by using ImageMagick's 'msl' pseudo protocol. + msl.txt and image.gif should exist in known location - /tmp/ + for PoC (in real life it may be web service written in PHP, + which allows to upload raw txt files and process images with + ImageMagick).</p> + <p>It is possible to get content of the files from the server + by using ImageMagick's 'label' pseudo protocol.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-3714</cvename> + <cvename>CVE-2016-3715</cvename> + <cvename>CVE-2016-3716</cvename> + <cvename>CVE-2016-3717</cvename> + <cvename>CVE-2016-3718</cvename> + <url>http://www.openwall.com/lists/oss-security/2016/05/03/18</url> + <url>https://imagetragick.com/</url> + </references> + <dates> + <discovery>2016-05-03</discovery> + <entry>2016-05-06</entry> + <modified>2016-05-07</modified> + </dates> + </vuln> + + <vuln vid="a6cd01fa-11bd-11e6-bb3c-9cb654ea3e1c"> + <topic>jansson -- local denial of service vulnerabilities</topic> + <affects> + <package> + <name>jansson</name> + <range><lt>2.7_2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>QuickFuzz reports:</p> + <blockquote cite="http://www.openwall.com/lists/oss-security/2016/05/01/5"> + <p>A crash caused by stack exhaustion parsing a JSON was found.</p> + </blockquote> + 
</body> + </description> + <references> + <url>http://www.openwall.com/lists/oss-security/2016/05/01/5</url> + <url>http://www.openwall.com/lists/oss-security/2016/05/02/1</url> + <cvename>CVE-2016-4425</cvename> + </references> + <dates> + <discovery>2016-05-01</discovery> + <entry>2016-05-04</entry> + </dates> + </vuln> + + <vuln vid="01d729ca-1143-11e6-b55e-b499baebfeaf"> + <topic>OpenSSL -- multiple vulnerabilities</topic> + <affects> + <package> + <name>openssl</name> + <range><lt>1.0.2_11</lt></range> + </package> + <package> + <name>linux-c6-openssl</name> + <range><lt>1.0.1e_8</lt></range> + </package> *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
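Review bot: the `<references>` block of the chromium entry for versions before 51.0.2704.63 (vid 1a6bbb95-24b8-11e6-bd31-3065ec8fd3ec) lists `<cvename>CVE-2016-1672</cvename>` twice and never lists CVE-2016-1676, although the quoted body item "[604901] High CVE-2016-1676: Cross-origin bypass in extension bindings" is present; the second occurrence should read `<cvename>CVE-2016-1676</cvename>`, otherwise a lookup by that CVE will not find the entry. Since this is an MFH, the fix belongs in head first and then gets merged. Smaller points in the same sync: the topic of the chromium entry for versions before 50.0.2661.94 misspells "vulnerablities"; the CVE-2016-1674 item carries a stray "extensions.i"; the wpa_supplicant entry's `<freebsdpr>/ports/209564</freebsdpr>` has a leading slash that the other entries (`ports/209360`, `ports/208879`) do not, which matters wherever the PR reference is turned into a link; and the Bugzilla description states "a specially crafted bug summary could trigger XSS in dependency graphs" both as its first sentence and again at the end of the second, so one of the two can go. The diff output is cut at 1000 lines inside the OpenSSL entry, so entries after that point were not reviewed here.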