Date: Fri, 29 Sep 2017 16:28:22 +0000 (UTC) From: Ryan Steinmetz <zi@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r450911 - head/security/vuxml Message-ID: <201709291628.v8TGSMLD035850@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: zi Date: Fri Sep 29 16:28:22 2017 New Revision: 450911 URL: https://svnweb.freebsd.org/changeset/ports/450911 Log: - Condense additional entries where description >4500 characters Approved by: ports-secteam (with hat) Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri Sep 29 16:06:29 2017 (r450910) +++ head/security/vuxml/vuln.xml Fri Sep 29 16:28:22 2017 (r450911) @@ -1070,64 +1070,17 @@ Notes: <topic>GitLab -- multiple vulnerabilities</topic> <affects> <package> - <name>gitlab</name> - <range><ge>1.0.0</ge><le>9.3.10</le></range> - <range><ge>9.4.0</ge><le>9.4.5</le></range> - <range><ge>9.5.0</ge><le>9.5.3</le></range> + <name>gitlab</name> + <range><ge>1.0.0</ge><le>9.3.10</le></range> + <range><ge>9.4.0</ge><le>9.4.5</le></range> + <range><ge>9.5.0</ge><le>9.5.3</le></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml">; <p>GitLab reports:</p> <blockquote cite="https://about.gitlab.com/2017/09/07/gitlab-9-dot-5-dot-4-security-release/">; - <h1>Cross-Site Scripting (XSS) vulnerability in profile names</h1> - <p>An external security audit performed by Madison Gurkha disclosed a - Cross-Site Scripting (XSS) vulnerability in user names that could be - exploited in several locations.</p> - <h1>Open Redirect in go-get middleware</h1> - <p>Tim Goddard via HackerOne reported that GitLab was vulnerable to an open - redirect vulnerability caused when a specific flag is passed to the go-get - middleware. This vulnerability could also possibly be used to conduct - Cross-Site Scripting attacks.</p> - <h1>Race condition in project uploads</h1> - <p>Jobert Abma from HackerOne reported that GitLab was vulnerable to a race - condition in project uploads. While very difficult to exploit this race - condition could potentially allow an attacker to overwrite a victim's - uploaded project if the attacker can guess the name of the uploaded file - before it is extracted.</p> - <h1>Cross-Site Request Forgery (CSRF) token leakage</h1> - <p>naure via HackerOne reported that GitLab was vulnerable to CSRF token - leakage via improper filtering of external URLs in relative URL creation. A - specially crafted link configured in a project's environments settings could - be used to steal a visiting user's CSRF token.</p> - <h1>Potential project disclosure via project deletion bug</h1> - <p>An internal code review discovered that removed projects were not always - being deleted from the file system. This could allow an attacker who knew - the full path to a previously deleted project to steal a copy of the - repository. These releases prevent the leftover repository from being - accessed when creating a new project. The project deletion bug will be fixed - in a later release.</p> - <h1>White-listed style attribute for table contents in MD enables UI - redressing</h1> - <p>An external security audit performed by Recurity-Labs discovered a UI - redressing vulnerability in the GitLab markdown sanitization library.</p> - <h1>DOM clobbering in sanitized MD causes errors</h1> - <p>An external security audit performed by Recurity-Labs discovered a DOM - clobbering vulnerability in the GitLab markdown sanitization library that - could be used to render project pages unreadable.</p> - <h1>Nokogiri vendored libxslt library vulnerable to potential integer - overflow (CVE-2017-5029 and CVE-2016-4738)</h1> - <p>The bundled Nokogiri library has been updated to patch an integer - overflow vulnerability. Details are available in the Nokogiri issue.</p> - <h1>Security risk in recommended Geo configuration could give all users - access to all repositories</h1> - <p>An internal code review discovered that GitLab Geo instances could be - vulnerable to an attack that would allow any user on the primary Geo - instance to clone any repository on a secondary Geo instance.</p> - <h1>GitLab Pages private certificate disclosure via symlinks</h1> - <p>An external security review conducted by Recurity-Labs discovered a - vulnerability in GitLab Pages that could be used to disclose the contents of - private SSL keys.</p> + <p>Please reference CVE/URL list for details</p> </blockquote> </body> </description> @@ -2183,47 +2136,9 @@ Notes: <p>The cURL project reports:</p> <blockquote cite="https://curl.haxx.se/docs/security.html">; <ul> - <li><h2>FILE buffer read out of bounds</h2> - <p>When asking to get a file from a file:// URL, libcurl provides - a feature that outputs meta-data about the file using HTTP-like - headers.</p> - <p>The code doing this would send the wrong buffer to the user - (stdout or the application's provide callback), which could - lead to other private data from the heap to get inadvertently - displayed.</p> - <p>The wrong buffer was an uninitialized memory area allocated on - the heap and if it turned out to not contain any zero byte, it - would continue and display the data following that buffer in - memory.</p> - </li> - <li><h2>TFTP sends more than buffer size</h2> - <p>When doing a TFTP transfer and curl/libcurl is given a URL that - contains a very long file name (longer than about 515 bytes), - the file name is truncated to fit within the buffer boundaries, - but the buffer size is still wrongly updated to use the - untruncated length. This too large value is then used in the - sendto() call, making curl attempt to send more data than what - is actually put into the buffer. The sendto() function will then - read beyond the end of the heap based buffer.</p> - <p>A malicious HTTP(S) server could redirect a vulnerable libcurl- - using client to a crafted TFTP URL (if the client hasn't - restricted which protocols it allows redirects to) and trick it - to send private memory contents to a remote server over UDP. - Limit curl's redirect protocols with --proto-redir and libcurl's - with CURLOPT_REDIR_PROTOCOLS.</p> - </li> - <li><h2>URL globbing out of bounds read</h2> - <p>curl supports "globbing" of URLs, in which a user can pass a - numerical range to have the tool iterate over those numbers to - do a sequence of transfers.</p> - <p>In the globbing function that parses the numerical range, there - was an omission that made curl read a byte beyond the end of the - URL if given a carefully crafted, or just wrongly written, URL. - The URL is stored in a heap based buffer, so it could then be - made to wrongly read something else instead of crashing.</p> - <p>An example of a URL that triggers the flaw would be - http://ur%20[0-60000000000000000000.</p>; - </li> + <li>FILE buffer read out of bounds</li> + <li>TFTP sends more than buffer size</li> + <li>URL globbing out of bounds read</li> </ul> </blockquote> </body> @@ -2300,34 +2215,7 @@ Notes: <body xmlns="http://www.w3.org/1999/xhtml">; <p>Mozilla Foundation reports:</p> <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/">; - <p>CVE-2017-7798: XUL injection in the style editor in devtools</p> - <p>CVE-2017-7800: Use-after-free in WebSockets during disconnection</p> - <p>CVE-2017-7801: Use-after-free with marquee during window resizing</p> - <p>CVE-2017-7784: Use-after-free with image observers</p> - <p>CVE-2017-7802: Use-after-free resizing image elements</p> - <p>CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM</p> - <p>CVE-2017-7786: Buffer overflow while painting non-displayable SVG</p> - <p>CVE-2017-7806: Use-after-free in layer manager with SVG</p> - <p>CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements</p> - <p>CVE-2017-7787: Same-origin policy bypass with iframes through page reloads</p> - <p>CVE-2017-7807: Domain hijacking through AppCache fallback</p> - <p>CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID</p> - <p>CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher</p> - <p>CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts</p> - <p>CVE-2017-7808: CSP information leak with frame-ancestors containing paths</p> - <p>CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections</p> - <p>CVE-2017-7781: Elliptic curve point addition error when using mixed Jacobian-affine coordinates</p> - <p>CVE-2017-7794: Linux file truncation via sandbox broker</p> - <p>CVE-2017-7803: CSP containing 'sandbox' improperly applied</p> - <p>CVE-2017-7799: Self-XSS XUL injection in about:webrtc</p> - <p>CVE-2017-7783: DOS attack through long username in URL</p> - <p>CVE-2017-7788: Sandboxed about:srcdoc iframes do not inherit CSP directives</p> - <p>CVE-2017-7789: Failure to enable HSTS when two STS headers are sent for a connection</p> - <p>CVE-2017-7790: Windows crash reporter reads extra memory for some non-null-terminated registry values</p> - <p>CVE-2017-7796: Windows updater can delete any file named update.log</p> - <p>CVE-2017-7797: Response header name interning leaks across origins</p> - <p>CVE-2017-7780: Memory safety bugs fixed in Firefox 55</p> - <p>CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3</p> + <p>Please reference CVE/URL list for details</p> </blockquote> </body> </description> @@ -2441,52 +2329,8 @@ Notes: <body xmlns="http://www.w3.org/1999/xhtml">; <p>Google Chrome releases reports:</p> <blockquote cite="https://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html">; - <p>40 security fixes in this release, including:</p> - <ul> - <li>[728887] High CVE-2017-5091: Use after free in IndexedDB. Reported by - Ned Williamson on 2017-06-02</li> - <li>[733549] High CVE-2017-5092: Use after free un PPAPI. Reported by - Yu Zhou, Yuan Deng of Ant-financial Light-Year Security Lab on 2017-06-15</li> - <li>[550017] High CVE-2017-5093: UI spoofing in Blink. Reported by - Luan Herrera on 2015-10-31</li> - <li>[702946] High CVE-2017-5094: Type confusion in extensions. Reported by - Anonymous on 2017-03-19</li> - <li>[732661] High CVE-2017-5095: Out-of-bounds write in PDFium. Reported by - Anonymous on 2017-06-13</li> - <li>[714442] High CVE-2017-5096: User information leak via Android intents. Reported by - Takeshi Terada on 2017-04-23</li> - <li>[740789] High CVE-2017-5097: Out-of-bounds read in Skia. Reported by - Anonymous on 2017-07-11</li> - <li>[740803] High CVE-2017-5098: Use after free in V8. Reported by - Jihoon Kim on 2017-07-11</li> - <li>[733548] High CVE-2017-5099: Out-of-bounds write in PPAPI. Reported by - Yuan Deng, Yu Zhou of Ant-financial Light-Year Security Lab on 2017-06-15</li> - <li>[718292] Medium CVE-2017-5100: Use after free in Chrome Apps. Reported by - Anonymous on 2017-05-04</li> - <li>[681740] Medium CVE-2017-5101: URL spoofing in OmniBox. Reported by - Luan Herrera on 2017-01-17</li> - <li>[727678] Medium CVE-2017-5102: Uninitialized use in Skia. Reported by - Anonymous on 2017-05-30</li> - <li>[726199] Medium CVE-2017-5103: Uninitialized use in Skia. Reported by - Anonymous on 2017-05-25</li> - <li>[729105] Medium CVE-2017-5104: UI spoofing in browser. Reported by - Khalil Zhani on 2017-06-02</li> - <li>[742407] Medium CVE-2017-7000: Pointer disclosure in SQLite. Reported by - Chaitin Security Research Lab working with Trend Micro's Zero Day Initiative</li> - <li>[729979] Low CVE-2017-5105: URL spoofing in OmniBox. Reported by - Rayyan Bijoora on 2017-06-06</li> - <li>[714628] Medium CVE-2017-5106: URL spoofing in OmniBox. Reported by - Jack Zac on 2017-04-24</li> - <li>[686253] Low CVE-2017-5107: User information leak via SVG. Reported by - David Kohlbrenner of UC San Diego on 2017-01-27</li> - <li>[695830] Low CVE-2017-5108: Type of confusion in PDFium. Reported by - Guang Gong of Alpha Team, Qihoo 360 on 2017-02-24</li> - <li>[710400] Low CVE-2017-5109: UI spoofing in browser. Reported by - Jose Maria Acunia Morgado on 2017-04-11</li> - <li>[717476] Low CVE-2017-5110: UI spoofing in payments dialog. Reported by - xisigr of Tencent's Xuanwu Lab on 2017-05-02</li> - <li>[748565] Various fixes from internal audits, fuzzing and other initiatives</li> - </ul> + <p>40 security fixes in this release</p> + <p>Please reference CVE/URL list for details</p> </blockquote> </body> </description> @@ -2698,60 +2542,19 @@ Notes: <topic>GitLab -- Various security issues</topic> <affects> <package> - <name>gitlab</name> - <range><ge>8.0.0</ge><le>8.17.6</le></range> + <name>gitlab</name> + <range><ge>8.0.0</ge><le>8.17.6</le></range> <range><ge>9.0.0</ge><le>9.0.10</le></range> <range><ge>9.1.0</ge><le>9.1.7</le></range> <range><ge>9.2.0</ge><le>9.2.7</le></range> - <range><ge>9.3.0</ge><le>9.3.7</le></range> + <range><ge>9.3.0</ge><le>9.3.7</le></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml">; <p>GitLab reports:</p> <blockquote cite="https://about.gitlab.com/2017/07/19/gitlab-9-dot-3-dot-8-released/">; - <h1>Projects in subgroups authorization bypass with SQL wildcards - (CVE-2017-11438)</h1> - <p>An internal code review disclosed that by choosing a namespace with - underscores an authenticated user could take advantage of a badly written - SQL query to add themselves to any project inside a subgroup with - permissions of their choice.<br/> - This vulnerability was caused by a SQL query that automatically adjusts - project permissions but does not escape wildcards. This vulnerability was - coincidentally patched when the affected code was rewritten for - 9.3. Therefore, versions 9.3 and above are not vulnerable.<br/> - <br/> - This issue has been assigned CVE-2017-11438.<br/> - <br/> - Note: GitLab-CE+EE 8.17 is not vulnerable to this issue, however patches - have been included to improve the security of the SQL queries in 8.17.7.</p> - <h1>Symlink cleanup from a previous security release</h1> - <p>The 9.2.5 security release contained a fix for a data corruption - vulnerability involving file uploads. This fix utilized symlinks to migrate - file uploads to a new directory. Due to a typo in the included migration a - symlink was accidentally left behind after the migration finished. This - symlink can cause problems with instance backups. A fix is included with - these releases to remove the problematic symlink.</p> - <h1>Accidental or malicious use of reserved names in group names could cause - deletion of all snippet uploads</h1> - <p>The 9.2.5 security release contained a fix for a data corruption - vulnerability involving file uploads. After the release of 9.2.5 an internal - code review determined that the recently introduced snippet file uploads - feature was also vulnerable to file deletion. Snippet uploads have now been - moved into the protected system namespace.</p> - <h1>Project name leak on todos page</h1> - <p>An internal code review discovered that forceful browsing could be - utilized to disclose the names of private projects.</p> - <h1>Denial of Service via regular expressions in CI process</h1> - <p>Lukas Svoboda reported that regular expressions (regex) included with CI - scripts could be utilized to perform a denial-of-service attack on GitLab - instances. GitLab now uses the re2 Regex library to limit regex execution - time.</p> - <h1>Issue title leakage when external issue tracker is enabled</h1> - <p>An internal code review determined that when an external issue tracker is - configured it was possible to discover the titles of all issues in a given - GitLab instance, including issues in private projects and confidential - issues.</p> + <p>Please reference CVE/URL list for details</p> </blockquote> </body> </description> @@ -2814,45 +2617,7 @@ Notes: <body xmlns="http://www.w3.org/1999/xhtml">; <p>Oracle reports:</p> <blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixMSQL">; - <ul> - <li>Reserved [CVE-2017-3629]</li> - <li>A remote user can exploit a flaw in the Server: Memcached component to partially - modify data and cause denial of service conditions [CVE-2017-3633].</li> - <li>A remote authenticated user can exploit a flaw in the Server: DML component to - cause denial of service conditions [CVE-2017-3634].</li> - <li>A remote authenticated user can exploit a flaw in the Connector/C component to - cause denial of service conditions [CVE-2017-3635].</li> - <li>A remote authenticated user can exploit a flaw in the C API component to cause - denial of service conditions [CVE-2017-3635].</li> - <li>A local user can exploit a flaw in the Client programs component to partially - access data, partially modify data, and partially deny service - [CVE-2017-3636].</li> - <li>A remote authenticated user can exploit a flaw in the Server: UDF component to - cause denial of service conditions [CVE-2017-3529].</li> - <li>A remote authenticated user can exploit a flaw in the X Plugin component to - cause denial of service conditions [CVE-2017-3637].</li> - <li>A remote authenticated user can exploit a flaw in the Server: DML component to - cause denial of service conditions [CVE-2017-3639, CVE-2017-3640, CVE-2017-3641, - CVE-2017-3643, CVE-2017-3644].</li> - <li>A remote authenticated user can exploit a flaw in the Server: Optimizer - component to cause denial of service conditions [CVE-2017-3638, CVE-2017-3642, - CVE-2017-3645].</li> - <li>A remote authenticated user can exploit a flaw in the X Plugin component to - cause denial of service conditions [CVE-2017-3646].</li> - <li>A remote authenticated user can exploit a flaw in the Server: Charsets component - to cause denial of service conditions [CVE-2017-3648].</li> - <li>A remote authenticated user can exploit a flaw in the Server: Replication - component to cause denial of service conditions [CVE-2017-3647, - CVE-2017-3649].</li> - <li>A remote authenticated user can exploit a flaw in the Client mysqldump component - to partially modify data [CVE-2017-3651].</li> - <li>A remote authenticated user can exploit a flaw in the Server: DDL component to - partially access and partially modify data [CVE-2017-3652].</li> - <li>A remote user can exploit a flaw in the C API component to partially access data - [CVE-2017-3650].</li> - <li>A remote authenticated user can exploit a flaw in the Server: DDL component to - partially modify data [CVE-2017-3653].</li> - </ul> + <p>Please reference CVE/URL list for details</p> </blockquote> </body> </description> @@ -3455,46 +3220,7 @@ Notes: <body xmlns="http://www.w3.org/1999/xhtml">; <p>GitLab reports:</p> <blockquote cite="https://about.gitlab.com/2017/06/07/gitlab-9-dot-2-dot-5-security-release/">; - <h1>Cross-Site Scripting (XSS) vulnerability when editing comments</h1> - <p>A GitLab.com user reported that recent changes to Markdown rendering - designed to improve performance by allowing comments to be rendered - client-side opened a persistent Cross-Site Scripting (XSS) vulnerability - when comments are edited and then re-saved. This vulnerability is difficult - to exploit because a victim must be tricked into editing and then saving - another user's comment.</p> - <h1>API vulnerable to embedding in iFrames using Session Auth</h1> - <p>A tip from a Twitter user led to an internal code audit that discovered a - malicious website could embed a GitLab API URL inside an iFrame, possibly - tricking a user into thinking that the website had access to the user's - GitLab user information. This attack would not disclose the user's data to - the malicious website, but it could cause confusion and the API has added an - X-Frame-Options header to prevent content from the API being included in - iFrames.</p> - <h1>Accidental or malicious use of reserved names in group names could cause - deletion of all project avatars</h1> - <p>A GitLab.com user reported that creating a group named project and then - renaming the group would cause all project avatars to be deleted. This was - due to an improperly constructed path variable when renaming files. To help - prevent this from happening again all avatar uploads have been moved from - /public/uploads/(user|group|project) to - /public/uploads/system/(user|group|project) and system has been made a - reserved namespace. A migration included with this release will rename any - existing top-level system namespace to be system0 (or system1, system2, - etc.)</p> - <h1>Unauthenticated disclosure of usernames in autocomplete controller</h1> - <p>HackerOne reporter Evelyn Lee reported that usernames could be enumerated - using the autocomplete/users.json endpoint without authenticating. This - could allow an unauthenticated attacker to gather a list of all valid - usernames from a GitLab instance.</p> - <h1>Information leakage with references to private project snippets</h1> - <p>GitLab.com user Patrick Fiedler reported that titles of private project - snippets could leak when they were referenced in other issues, merge - requests, or comments.</p> - <h1>Elasticsearch does not implement external user checks correctly</h1> - <p>An internal code review discovered that on instances with Elasticsearch - enabled GitLab allowed external users to view internal project data. This - could unintentionally expose sensitive information to external users. This - vulnerability only affects EE installations with Elasticsearch enabled.</p> + <p>Please reference CVE/URL list for details</p> </blockquote> </body> </description> @@ -3824,68 +3550,7 @@ maliciously crafted GET request to the Horde server.</ <body xmlns="http://www.w3.org/1999/xhtml">; <p>BestPractical reports:</p> <blockquote cite="http://lists.bestpractical.com/pipermail/rt-announce/2017-June/000297.html">; - <p>RT 4.0.0 and above are vulnerable to an information - leak of cross-site request forgery (CSRF) verification - tokens if a user visits a specific URL crafted by an - attacker. This vulnerability is assigned CVE-2017-5943. It - was discovered by a third-party security researcher.</p> - - <p>RT 4.0.0 and above are vulnerable to a cross-site - scripting (XSS) attack if an attacker uploads a malicious - file with a certain content type. Installations which use - the AlwaysDownloadAttachments config setting are - unaffected. This fix addresses all existant and future - uploaded attachments. This vulnerability is assigned - CVE-2016-6127. This was responsibly disclosed to us first - by Scott Russo and the GE Application Security Assessment - Team.</p> - - <p>One of RT's dependencies, a Perl module named - Email::Address, has a denial of service vulnerability - which could induce a denial of service of RT itself. We - recommend administrators install Email::Address version - 1.908 or above, though we additionally provide a new - workaround within RT. Tss vulnerability was assigned - CVE-2015-7686. This vulnerability's application to RT was - brought to our attention by Pali Rohár.</p> - - <p>RT 4.0.0 and above are vulnerable to timing - side-channel attacks for user passwords. By carefully - measuring millions or billions of login attempts, an - attacker could crack a user's password even over the - internet. RT now uses a constant-time comparison algorithm - for secrets to thwart such attacks. This vulnerability is - assigned CVE-2017-5361. This was responsibly disclosed to - us by Aaron Kondziela.</p> - - <p>RT's ExternalAuth feature is vulnerable to a similar - timing side-channel attack. Both RT 4.0/4.2 with the - widely-deployed RT::Authen::ExternalAuth extension, as - well as the core ExternalAuth feature in RT 4.4 are - vulnerable. Installations which don't use ExternalAuth, or - which use ExternalAuth for LDAP/ActiveDirectory - authentication, or which use ExternalAuth for cookie-based - authentication, are unaffected. Only ExternalAuth in DBI - (database) mode is vulnerable.</p> - - <p>RT 4.0.0 and above are potentially vulnerable to a - remote code execution attack in the dashboard subscription - interface. A privileged attacker can cause unexpected code - to be executed through carefully-crafted saved search - names. Though we have not been able to demonstrate an - actual attack owing to other defenses in place, it could - be possible. This fix addresses all existant and future - saved searches. This vulnerability is assigned - CVE-2017-5944. It was discovered by an internal security - audit.</p> - - <p>RT 4.0.0 and above have misleading documentation which - could reduce system security. The RestrictLoginReferrer - config setting (which has security implications) was - inconsistent with its implementation, which checked for a - slightly different variable name. RT will now check for - the incorrect name and produce an error message. This was - responsibly disclosed to us by Alex Vandiver.</p> + <p>Please reference CVE/URL list for details</p> </blockquote> </body> </description> @@ -3975,29 +3640,7 @@ maliciously crafted GET request to the Horde server.</ <body xmlns="http://www.w3.org/1999/xhtml">; <p>Mozilla Foundation reports:</p> <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/">; - <p>CVE-2017-5472: Use-after-free using destroyed node when regenerating trees</p> - <p>CVE-2017-7749: Use-after-free during docshell reloading</p> - <p>CVE-2017-7750: Use-after-free with track elements</p> - <p>CVE-2017-7751: Use-after-free with content viewer listeners</p> - <p>CVE-2017-7752: Use-after-free with IME input</p> - <p>CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object</p> - <p>CVE-2017-7755: Privilege escalation through Firefox Installer with same directory DLL files</p> - <p>CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors</p> - <p>CVE-2017-7757: Use-after-free in IndexedDB</p> - <p>CVE-2017-7778: Vulnerabilities in the Graphite 2 library</p> - <p>CVE-2017-7758: Out-of-bounds read in Opus encoder</p> - <p>CVE-2017-7759: Android intent URLs can cause navigation to local file system</p> - <p>CVE-2017-7760: File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service</p> - <p>CVE-2017-7761: File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application</p> - <p>CVE-2017-7762: Addressbar spoofing in Reader mode</p> - <p>CVE-2017-7763: Mac fonts render some unicode characters as spaces</p> - <p>CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks</p> - <p>CVE-2017-7765: Mark of the Web bypass when saving executable files</p> - <p>CVE-2017-7766: File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service</p> - <p>CVE-2017-7767: Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service</p> - <p>CVE-2017-7768: 32 byte arbitrary file read through Mozilla Maintenance Service</p> - <p>CVE-2017-5471: Memory safety bugs fixed in Firefox 54</p> - <p>CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2</p> + <p>Please reference CVE/URL list for details</p> </blockquote> </body> </description> @@ -4135,42 +3778,8 @@ maliciously crafted GET request to the Horde server.</ <body xmlns="http://www.w3.org/1999/xhtml">; <p>Google Chrome releases reports:</p> <blockquote cite="https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop.html">; - <p>30 security fixes in this release, including:</p> - <ul> - <li>[722756] High CVE-2017-5070: Type confusion in V8. Reported by - Zhao Qixun of Qihoo 360 Vulcan Team on 2017-05-16</li> - <li>[715582] High CVE-2017-5071: Out of bounds read in V8. Reported by - Choongwood Han on 2017-04-26</li> - <li>[709417] High CVE-2017-5072: Address spoofing in Omnibox. Reported by - Rayyan Bijoora on 2017-04-07</li> - <li>[716474] High CVE-2017-5073: Use after free in print preview. Reported by - Khalil Zhani on 2017-04-28</li> - <li>[700040] High CVE-2017-5074: Use after free in Apps Bluetooth. Reported by - anonymous on 2017-03-09</li> - <li>[678776] Medium CVE-2017-5075: Information leak in CSP reporting. Reported by - Emmanuel Gil Peyrot on 2017-01-05</li> - <li>[722639] Medium CVE-2017-5086: Address spoofing in Omnibox. Reported by - Rayyan Bijoora on 2017-05-16</li> - <li>[719199] Medium CVE-2017-5076: Address spoofing in Omnibox. Reported by - Samuel Erb on 2017-05-06</li> - <li>[716311] Medium CVE-2017-5077: Heap buffer overflow in Skia. Reported by - Sweetchip on 2017-04-28</li> - <li>[711020] Medium CVE-2017-5078: Possible command injection in mailto handling. - Reported by Jose Carlos Exposito Bueno on 2017-04-12</li> - <li>[713686] Medium CVE-2017-5079: UI spoofing in Blink. Reported by - Khalil Zhani on 2017-04-20</li> - <li>[708819] Medium CVE-2017-5080: Use after free in credit card autofill. - Reported by Khalil Zhani on 2017-04-05</li> - <li>[672008] Medium CVE-2017-5081: Extension verification bypass. Reported by - Andrey Kovalev of Yandex Security Team on 2016-12-07</li> - <li>[721579] Low CVE-2017-5082: Insufficient hardening in credit card editor. - Reported by Nightwatch Cybersecurity Research on 2017-05-11</li> - <li>[714849] Low CVE-2017-5083: UI spoofing in Blink. Reported by - Khalil Zhani on 2017-04-24</li> - <li>[692378] Low CVE-2017-5085: Inappropriate javascript execution on WebUI pages. - Reported by Zhiyang Zeng of Tencent security platform department on 2017-02-15</li> - <li>[729639] Various fixes from internal audits, fuzzing and other initiatives</li> - </ul> + <p>30 security fixes in this release</p> + <p>Please reference CVE/URL list for details</p> </blockquote> </body> </description> @@ -4831,57 +4440,7 @@ maliciously crafted GET request to the Horde server.</ <body xmlns="http://www.w3.org/1999/xhtml">; <p>GitLab reports:</p> <blockquote cite="https://about.gitlab.com/2017/05/08/gitlab-9-dot-1-dot-3-security-release/">; - <h1>Cross-Site Scripting (XSS) vulnerability in project import file names - for gitlab_project import types</h1> - <p>Timo Schmid from ERNW reported a persistent Cross-Site Scripting - vulnerability in the new project import view for gitlab_project import - types. This XSS vulnerability was caused by the use of Hamlit filters inside - HAML views without manually escaping HTML. Unlike content outside of a - filter, content inside Hamlit filters (:css, :javascript, :preserve, :plain) - is not automatically escaped.</p> - <h1>Cross-Site Scripting (XSS) vulnerability in git submodule support</h1> - <p>Jobert Abma from HackerOne reported a persistent XSS vulnerability in the - GitLab repository files view that could be exploited by injecting malicious - script into a git submodule.</p> - <h1>Cross-Site Scripting (XSS) vulnerability in repository "new branch" - view</h1> - <p>A GitLab user reported a persistent XSS vulnerability in the repository - new branch view that allowed malicious branch names or git references to - execute arbitrary Javascript.</p> - <h1>Cross-Site Scripting (XSS) vulnerability in mirror errors display</h1> - <p>While investigating Timo Schmid's previously reported XSS vulnerability - in import filenames another persistent XSS vulnerability was discovered in - the GitLab Enterprise Edition's (EE) mirror view. This vulnerability was - also caused by the misuse of Hamlit filters.</p> - <h1>Potential XSS vulnerability in DropLab</h1> - <p>An internal code audit disclosed a vulnerability in DropLab's templating - that, while not currently exploitable, could become exploitable depending on - how the templates were used in the future.</p> - <h1>Tab Nabbing vulnerabilities in mardown link filter, Asciidoc files, and - other markup files</h1> - <p>edio via HackerOne reported two tab nabbing vulnerabilities. The first - tab nabbing vulnerability was caused by improper hostname filtering when - identifying user-supplied external links. GitLab did not properly filter - usernames from the URL. An attacker could construct a specially crafted link - including a username to bypass GitLab's external link filter. This allowed - an attacker to post links in Markdown that did not include the appropriate - "noreferrer noopener" options, allowing tab nabbing attacks.</p> - <p>The second vulnerability was in the AsciiDoctor markup - library. AsciiDoctor was not properly including the "noreferrer noopener" - options with external links. An internal investigation discovered other - markup libraries that were also vulnerable.</p> - <h1>Unauthorized disclosure of wiki pages in search</h1> - <p>M. Hasbini reported a flaw in the project search feature that allowed - authenticated users to disclose the contents of private wiki pages inside - public projects.</p> - <h1>External users can view internal snippets</h1> - <p>Christian Kühn discovered a vulnerability in GitLab snippets that allowed - an external user to view the contents of internal snippets.</p> - <h1>Subgroup visibility for private subgroups under a public parent - group</h1> - <p>Matt Harrison discovered a vulnerability with subgroups that allowed - private subgroup names to be disclosed when they belong to a parent group - that is public.</p> + <p>Please reference CVE/URL list for details</p> </blockquote> </body> </description> @@ -5538,81 +5097,8 @@ maliciously crafted GET request to the Horde server.</ <body xmlns="http://www.w3.org/1999/xhtml">; <p>NVD reports:</p> <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-5225">; - <p>LibTIFF version 4.0.7 is vulnerable to a heap buffer - overflow in the tools/tiffcp resulting in DoS or code - execution via a crafted BitsPerSample value.</p> + <p>Please reference CVE/URL list for details</p> </blockquote> - <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7592">; - <p>The putagreytile function in tif_getimage.c in LibTIFF - 4.0.7 has a left-shift undefined behavior issue, which - might allow remote attackers to cause a denial of service - (application crash) or possibly have unspecified other - impact via a crafted image.</p> - </blockquote> - <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7593">; - <p>tif_read.c in LibTIFF 4.0.7 does not ensure that - tif_rawdata is properly initialized, which might allow - remote attackers to obtain sensitive information from - process memory via a crafted image.</p> - </blockquote> - <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7594">; - <p>The OJPEGReadHeaderInfoSecTablesDcTable function in - tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to - cause a denial of service (memory leak) via a crafted - image.</p> - </blockquote> - <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7595">; - <p>The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF - 4.0.7 allows remote attackers to cause a denial of service - (divide-by-zero error and application crash) via a crafted - image.</p> - </blockquote> - <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7596">; - <p>LibTIFF 4.0.7 has an "outside the range of - representable values of type float" undefined behavior - issue, which might allow remote attackers to cause a - denial of service (application crash) or possibly have - unspecified other impact via a crafted image.</p> - </blockquote> - <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7597">; - <p>tif_dirread.c in LibTIFF 4.0.7 has an "outside the - range of representable values of type float" undefined - behavior issue, which might allow remote attackers to - cause a denial of service (application crash) or possibly - have unspecified other impact via a crafted image.</p> - </blockquote> - <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7598">; - <p>tif_dirread.c in LibTIFF 4.0.7 might allow remote - attackers to cause a denial of service (divide-by-zero - error and application crash) via a crafted image.</p> - </blockquote> - <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7599">; - <p>LibTIFF 4.0.7 has an "outside the range of - representable values of type short" undefined behavior - issue, which might allow remote attackers to cause a - denial of service (application crash) or possibly have - unspecified other impact via a crafted image.</p> - </blockquote> - <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7600">; - <p>LibTIFF 4.0.7 has an "outside the range of - representable values of type unsigned char" undefined - behavior issue, which might allow remote attackers to - cause a denial of service (application crash) or possibly - have unspecified other impact via a crafted image.</p> - </blockquote> - <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7601">; - <p>LibTIFF 4.0.7 has a "shift exponent too large for - 64-bit type long" undefined behavior issue, which might - allow remote attackers to cause a denial of service - (application crash) or possibly have unspecified other - impact via a crafted image.</p> - </blockquote> - <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7602">; - <p>LibTIFF 4.0.7 has a signed integer overflow, which - might allow remote attackers to cause a denial of service - (application crash) or possibly have unspecified other - impact via a crafted image.</p> - </blockquote> </body> </description> <references> @@ -5934,45 +5420,7 @@ maliciously crafted GET request to the Horde server.</ <body xmlns="http://www.w3.org/1999/xhtml">; <p>Mozilla Foundation reports:</p> <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/">; - <p>CVE-2017-5433: Use-after-free in SMIL animation functions</p> - <p>CVE-2017-5435: Use-after-free during transaction processing in the editor</p> - <p>CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2</p> - <p>CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS</p> - <p>CVE-2017-5459: Buffer overflow in WebGL</p> - <p>CVE-2017-5466: Origin confusion when reloading isolated data:text/html URL</p> - <p>CVE-2017-5434: Use-after-free during focus handling</p> - <p>CVE-2017-5432: Use-after-free in text input selection</p> - <p>CVE-2017-5460: Use-after-free in frame selection</p> - <p>CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing</p> - <p>CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing</p> - <p>CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT processing</p> - <p>CVE-2017-5441: Use-after-free with selection during scroll events</p> - <p>CVE-2017-5442: Use-after-free during style changes</p> - <p>CVE-2017-5464: Memory corruption with accessibility and DOM manipulation</p> - <p>CVE-2017-5443: Out-of-bounds write during BinHex decoding</p> - <p>CVE-2017-5444: Buffer overflow while parsing application/http-index-format content</p> - <p>CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data</p> - <p>CVE-2017-5447: Out-of-bounds read during glyph processing</p> - <p>CVE-2017-5465: Out-of-bounds read in ConvolvePixel</p> - <p>CVE-2017-5448: Out-of-bounds write in ClearKeyDecryptor</p> - <p>CVE-2017-5437: Vulnerabilities in Libevent library</p> - <p>CVE-2017-5454: Sandbox escape allowing file system read access through file picker</p> - <p>CVE-2017-5455: Sandbox escape through internal feed reader APIs</p> - <p>CVE-2017-5456: Sandbox escape allowing local file system access</p> - <p>CVE-2017-5469: Potential Buffer overflow in flex-generated code</p> - <p>CVE-2017-5445: Uninitialized values used while parsing application/http-index-format content</p> - <p>CVE-2017-5449: Crash during bidirectional unicode manipulation with animation</p> - <p>CVE-2017-5450: Addressbar spoofing using javascript: URI on Firefox for Android</p> - <p>CVE-2017-5451: Addressbar spoofing with onblur event</p> - <p>CVE-2017-5462: DRBG flaw in NSS</p> - <p>CVE-2017-5463: Addressbar spoofing through reader view on Firefox for Android</p> - <p>CVE-2017-5467: Memory corruption when drawing Skia content</p> - <p>CVE-2017-5452: Addressbar spoofing during scrolling with editable content on Firefox for Android</p> - <p>CVE-2017-5453: HTML injection into RSS Reader feed preview page through TITLE element</p> - <p>CVE-2017-5458: Drag and drop of javascript: URLs can allow for self-XSS</p> - <p>CVE-2017-5468: Incorrect ownership model for Private Browsing information</p> - <p>CVE-2017-5430: Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1</p> - <p>CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1</p> + <p>Please reference CVE/URL list for details</p> </blockquote> </body> </description> @@ -6984,46 +6432,8 @@ maliciously crafted GET request to the Horde server.</ <body xmlns="http://www.w3.org/1999/xhtml">; <p>Google Chrome Releases reports:</p> <blockquote cite="https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html">; - <p>36 security fixes in this release, including:</p> - <ul> - <li>[682194] High CVE-2017-5030: Memory corruption in V8. Credit to - Brendon Tiszka</li> - <li>[682020] High CVE-2017-5031: Use after free in ANGLE. Credit to - Looben Yang</li> - <li>[668724] High CVE-2017-5032: Out of bounds write in PDFium. Credit to - Ashfaq Ansari - Project Srishti</li> - <li>[676623] High CVE-2017-5029: Integer overflow in libxslt. Credit to - Holger Fuhrmannek</li> - <li>[678461] High CVE-2017-5034: Use after free in PDFium. Credit to - Ke Liu of Tencent's Xuanwu Lab</li> - <li>[688425] High CVE-2017-5035: Incorrect security UI in Omnibox. Credit to - Enzo Aguado</li> - <li>[691371] High CVE-2017-5036: Use after free in PDFium. Credit to - Anonymous</li> - <li>[679640] High CVE-2017-5037: Multiple out of bounds writes in ChunkDemuxer. - Credit to Yongke Wang of Tecent's Xuanwu Lab</li> - <li>[679649] High CVE-2017-5039: Use after free in PDFium. Credit to - jinmo123</li> - <li>[691323] Medium CVE-2017-5040: Information disclosure in V8. Credit to - Choongwoo Han</li> - <li>[642490] Medium CVE-2017-5041: Address spoofing in Omnibox. Credit to - Jordi Chancel</li> - <li>[669086] Medium CVE-2017-5033: Bypass of Content Security Policy in Blink. - Credit to Nicolai Grodum</li> - <li>[671932] Medium CVE-2017-5042: Incorrect handling of cookies in Cast. - Credit to Mike Ruddy</li> - <li>[695476] Medium CVE-2017-5038: Use after free in GuestView. Credit to - Anonymous</li> - <li>[683523] Medium CVE-2017-5043: Use after free in GuestView. Credit to - Anonymous</li> - <li>[688987] Medium CVE-2017-5044: Heap overflow in Skia. Credit to - Kushal Arvind Shah of Fortinet's FortiGuard Labs</li> - <li>[667079] Medium CVE-2017-5045: Information disclosure in XSS Auditor. - Credit to Dhaval Kapil</li> - <li>[680409] Medium CVE-2017-5046: Information disclosure in Blink. Credit to - Masato Kinugawa</li> - <li>[699618] Various fixes from internal audits, fuzzing and other initiatives</li> - </ul> + <p>36 security fixes in this release</p> + <p>Please reference CVE/URL list for details</p> </blockquote> </body> </description> @@ -7257,34 +6667,7 @@ maliciously crafted GET request to the Horde server.</ <body xmlns="http://www.w3.org/1999/xhtml">; <p>Mozilla Foundation reports:</p> <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/">; - <p>CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP</p> - <p>CVE-2017-5401: Memory Corruption when handling ErrorResult</p> - <p>CVE-2017-5402: Use-after-free working with events in FontFace objects</p> - <p>CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object</p> - <p>CVE-2017-5404: Use-after-free working with ranges in selections</p> - <p>CVE-2017-5406: Segmentation fault in Skia with canvas operations</p> - <p>CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters</p> - <p>CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping</p> - <p>CVE-2017-5411: Use-after-free in Buffer Storage in libGLES</p> - <p>CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service</p> - <p>CVE-2017-5408: Cross-origin reading of video captions in violation of CORS</p> - <p>CVE-2017-5412: Buffer overflow read in SVG filters</p> - <p>CVE-2017-5413: Segmentation fault during bidirectional operations</p> - <p>CVE-2017-5414: File picker can choose incorrect default directory</p> - <p>CVE-2017-5415: Addressbar spoofing through blob URL</p> - <p>CVE-2017-5416: Null dereference crash in HttpChannel</p> - <p>CVE-2017-5417: Addressbar spoofing by draging and dropping URLs</p> - <p>CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access</p> - <p>CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running</p> - <p>CVE-2017-5427: Non-existent chrome.manifest file loaded during startup</p> - <p>CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses</p> - <p>CVE-2017-5419: Repeated authentication prompts lead to DOS attack</p> - <p>CVE-2017-5420: Javascript: URLs can obfuscate addressbar location</p> - <p>CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports</p> - <p>CVE-2017-5421: Print preview spoofing</p> - <p>CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink</p> - <p>CVE-2017-5399: Memory safety bugs fixed in Firefox 52</p> - <p>CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8</p> + <p>Please reference CVE/URL list for details</p> </blockquote> </body> </description> @@ -8059,43 +7442,7 @@ maliciously crafted GET request to the Horde server.</ <body xmlns="http://www.w3.org/1999/xhtml">; <p>Jenkins Security Advisory:</p> <blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01">; - <h1>Description</h1> - <h5>SECURITY-304 / CVE-2017-2598</h5> - <p>Use of AES ECB block cipher mode without IV for encrypting secrets</p> - <h5>SECURITY-321 / CVE-2017-2599</h5> - <p>Items could be created with same name as existing item</p> - <h5>SECURITY-343 / CVE-2017-2600</h5> - <p>Node monitor data could be viewed by low privilege users</p> - <h5>SECURITY-349 / CVE-2011-4969</h5> - <p>Possible cross-site scripting vulnerability in jQuery bundled with timeline widget</p> - <h5>SECURITY-353 / CVE-2017-2601</h5> - <p>Persisted cross-site scripting vulnerability in parameter names and descriptions</p> - <h5>SECURITY-354 / CVE-2015-0886</h5> - <p>Outdated jbcrypt version bundled with Jenkins</p> - <h5>SECURITY-358 / CVE-2017-2602</h5> - <p>Pipeline metadata files not blacklisted in agent-to-master security subsystem</p> - <h5>SECURITY-362 / CVE-2017-2603</h5> - <p>User data leak in disconnected agents' config.xml API</p> - <h5>SECURITY-371 / CVE-2017-2604</h5> - <p>Low privilege users were able to act on administrative monitors</p> - <h5>SECURITY-376 / CVE-2017-2605</h5> - <p>Re-key admin monitor leaves behind unencrypted credentials in upgraded installations</p> - <h5>SECURITY-380 / CVE-2017-2606</h5> - <p>Internal API allowed access to item names that should not be visible</p> - <h5>SECURITY-382 / CVE-2017-2607</h5> - <p>Persisted cross-site scripting vulnerability in console notes</p> - <h5>SECURITY-383 / CVE-2017-2608</h5> - <p>XStream remote code execution vulnerability</p> - <h5>SECURITY-385 / CVE-2017-2609</h5> - <p>Information disclosure vulnerability in search suggestions</p> - <h5>SECURITY-388 / CVE-2017-2610</h5> - <p>Persisted cross-site scripting vulnerability in search suggestions</p> - <h5>SECURITY-389 / CVE-2017-2611</h5> - <p>Insufficient permission check for periodic processes</p> - <h5>SECURITY-392 / CVE-2017-2612</h5> - <p>Low privilege users were able to override JDK download credentials</p> - <h5>SECURITY-406 / CVE-2017-2613</h5> - <p>User creation CSRF using GET by admins</p> + <p>Please reference CVE/URL list for details</p> </blockquote> </body> </description> @@ -8217,51 +7564,8 @@ maliciously crafted GET request to the Horde server.</ <body xmlns="http://www.w3.org/1999/xhtml">; <p>Google Chrome Releases reports:</p> <blockquote cite="https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html">; - <p>51 security fixes in this release, including:</p> - <ul> - <li>[671102] High CVE-2017-5007: Universal XSS in Blink. Credit to - Mariusz Mlynski</li> - <li>[673170] High CVE-2017-5006: Universal XSS in Blink. Credit to - Mariusz Mlynski</li> - <li>[668552] High CVE-2017-5008: Universal XSS in Blink. Credit to - Mariusz Mlynski</li> - <li>[663476] High CVE-2017-5010: Universal XSS in Blink. Credit to - Mariusz Mlynski</li> - <li>[662859] High CVE-2017-5011: Unauthorised file access in Devtools. - Credit to Khalil Zhani</li> - <li>[667504] High CVE-2017-5009: Out of bounds memory access in WebRTC. - Credit to Sean Stanek and Chip Bradford</li> - <li>[681843] High CVE-2017-5012: Heap overflow in V8. Credit to - Gergely Nagy (Tresorit)</li> - <li>[677716] Medium CVE-2017-5013: Address spoofing in Omnibox. - Credit to Haosheng Wang (@gnehsoah)</li> - <li>[675332] Medium CVE-2017-5014: Heap overflow in Skia. Credit to - sweetchip</li> - <li>[673971] Medium CVE-2017-5015: Address spoofing in Omnibox. - Credit to Armin Razmdjou</li> - <li>[666714] Medium CVE-2017-5019: Use after free in Renderer. - Credit to Wadih Matar</li> - <li>[673163] Medium CVE-2017-5016: UI spoofing in Blink. Credit to - Haosheng Wang (@gnehsoah)</li> - <li>[676975] Medium CVE-2017-5017: Uninitialised memory access in webm video. - Credit to danberm</li> - <li>[668665] Medium CVE-2017-5018: Universal XSS in chrome://apps. - Credit to Rob Wu</li> - <li>[668653] Medium CVE-2017-5020: Universal XSS in chrome://downloads. - Credit to Rob Wu</li> - <li>[663726] Low CVE-2017-5021: Use after free in Extensions. Credit to - Rob Wu</li> - <li>[663620] Low CVE-2017-5022: Bypass of Content Security Policy in Blink. - Credit to Pujun Li of PKAV Team</li> - <li>[651443] Low CVE-2017-5023: Type confunsion in metrics. Credit to the - UK's National Cyber Security Centre (NCSC)</li> - <li>[643951] Low CVE-2017-5024: Heap overflow in FFmpeg. Credit to - Paul Mehta</li> - <li>[643950] Low CVE-2017-5025: Heap overflow in FFmpeg. Credit to - Paul Mehta</li> - <li>[634108] Low CVE-2017-5026: UI spoofing. Credit to Ronni Skansing</li> - <li>[685349] Various fixes from internal audits, fuzzing and other initiatives</li> - </ul> + <p>51 security fixes in this release</p> + <p>Please reference CVE/URL list for details</p> </blockquote> </body> </description> @@ -8325,38 +7629,10 @@ maliciously crafted GET request to the Horde server.</ <p>The OpenSSL project reports:</p> <blockquote cite="https://www.openssl.org/news/secadv/20170126.txt">; <ul> - <li>Truncated packet could crash via OOB read (CVE-2017-3731)<br/> - Severity: Moderate<br/> - If an SSL/TLS server or client is running on a 32-bit host, and a specific - cipher is being used, then a truncated packet can cause that server or client - to perform an out-of-bounds read, usually resulting in a crash.</li> - <li>Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)<br/> - Severity: Moderate<br/> - If a malicious server supplies bad parameters for a DHE or ECDHE key exchange - then this can result in the client attempting to dereference a NULL pointer - leading to a client crash. This could be exploited in a Denial of Service - attack.</li> - <li>BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)<br/> - Severity: Moderate<br/> - There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No - EC algorithms are affected. Analysis suggests that attacks against RSA and DSA - as a result of this defect would be very difficult to perform and are not - believed likely. Attacks against DH are considered just feasible (although very - difficult) because most of the work necessary to deduce information - about a private key may be performed offline. The amount of resources - required for such an attack would be very significant and likely only - accessible to a limited number of attackers. An attacker would - additionally need online access to an unpatched system using the target - private key in a scenario with persistent DH parameters and a private - key that is shared between multiple clients. For example this can occur by - default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very - similar to CVE-2015-3193 but must be treated as a separate problem.</li> - <li>Montgomery multiplication may produce incorrect results (CVE-2016-7055)<br/> - Severity: Low<br/> - There is a carry propagating bug in the Broadwell-specific Montgomery - multiplication procedure that handles input lengths divisible by, but - longer than 256 bits. (OpenSSL 1.0.2 only)<br/> - This issue was previously fixed in 1.1.0c</li> + <li>Truncated packet could crash via OOB read (CVE-2017-3731)</li> + <li>Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)</li> + <li>BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)</li> + <li>Montgomery multiplication may produce incorrect results (CVE-2016-7055)</li> </ul> </blockquote> </body> @@ -8407,30 +7683,7 @@ maliciously crafted GET request to the Horde server.</ <body xmlns="http://www.w3.org/1999/xhtml">; <p>Mozilla Foundation reports:</p> <blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/">; - <p>CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7</p> - <p>CVE-2017-5374: Memory safety bugs fixed in Firefox 51</p> - <p>CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP</p> - <p>CVE-2017-5376: Use-after-free in XSL</p> - <p>CVE-2017-5377: Memory corruption with transforms to create gradients in Skia</p> - <p>CVE-2017-5378: Pointer and frame data leakage of Javascript objects</p> - <p>CVE-2017-5379: Use-after-free in Web Animations</p> - <p>CVE-2017-5380: Potential use-after-free during DOM manipulations</p> - <p>CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations</p> - <p>CVE-2017-5382: Feed preview can expose privileged content errors and exceptions</p> - <p>CVE-2017-5383: Location bar spoofing with unicode characters</p> - <p>CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)</p> - <p>CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers</p> - <p>CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions</p> - <p>CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages</p> - <p>CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks</p> - <p>CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests</p> - <p>CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer</p> - <p>CVE-2017-5391: Content about: pages can load privileged about: pages</p> - <p>CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage</p> - <p>CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager</p> - <p>CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events</p> - <p>CVE-2017-5395: Android location bar spoofing during scrolling</p> - <p>CVE-2017-5396: Use-after-free with Media Decoder</p> + <p>Please reference CVE/URL list for details</p> </blockquote> </body> </description> @@ -8480,69 +7733,25 @@ maliciously crafted GET request to the Horde server.</ <body xmlns="http://www.w3.org/1999/xhtml">; <p>The phpMyAdmin development team reports:</p> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-1/">; - <h3>Summary</h3> <p>Open redirect</p> - <h3>Description</h3> - <p>It was possible to trick phpMyAdmin to redirect to - insecure using special request path.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be non critical.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-2/">; - <h3>Summary</h3> <p>php-gettext code execution</p> - <h3>Description</h3> - <p>The php-gettext library can suffer to code - execution. However there is no way to trigger this inside - phpMyAdmin.</p> - <h3>Severity</h3> - <p>We consider this to be minor.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-3/">; - <h3>Summary</h3> <p>DOS vulnerability in table editing</p> - <h3>Description</h3> - <p>It was possible to trigger recursive include operation by - crafted parameters when editing table data.</p> - <h3>Severity</h3> - <p>We consider this to be non critical.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-4/">; *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201709291628.v8TGSMLD035850>