From nobody Mon Dec 13 13:51:03 2021 X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 45D6B18D2637; Mon, 13 Dec 2021 13:51:07 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4JCNFk2DsCz3CxS; Mon, 13 Dec 2021 13:51:06 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D8D1D15A20; Mon, 13 Dec 2021 13:51:05 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 1BDDp5xP040587; Mon, 13 Dec 2021 13:51:05 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 1BDDp3BA040586; Mon, 13 Dec 2021 13:51:03 GMT (envelope-from git) Date: Mon, 13 Dec 2021 13:51:03 GMT Message-Id: <202112131351.1BDDp3BA040586@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Matthias Fechner Subject: git: 00bad07fd782 - main - security/vuxml: fixed solr entry, only version 8.11.1 will fix it List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: mfechner X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 00bad07fd7826af78beea20ea6ff5ea2525729ad Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1639403466; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=SQ4wuX90qUgVisV/OsqbuzGsaNHiPCnqGFOitJCnxeY=; b=SqMQkN71M5ukj3qqY7xsoNXB756X+a6hF6ytgocj0Pi0J3CJSLflWDhQgxMTdmY8ILazcF 9bVn0flSsenquvagIw90VlC5YZ8ST7/6urfRkQAq0VP/5+6vuH+n7SDycI2iJFfRiQA5Uc VLPNjhwzAaTt0phlE+4uJ6FWdgJ08rIm3jGe8SEF4u6kaP+tCSjneV8nMeJpy0nYSwnELb n22ve7FyWnqg1A/vmhUA6Wb6CJv+ZpRPDIgPutYorTARCUMXL8IkJEJwaMZkbCy/AzN9QE CiSDUd1SacfbNMCYVdcd5kx7ZgGB6jXarHohvDOPp4gNmVnsPLRmVih7l5a4Iw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1639403466; a=rsa-sha256; cv=none; b=oP8TDhplc7iTfVCcdWdwiD/RTR/OD7XVDrswGLFKEAQ5i4h6IexLRzPm6TLxiOjAbTd1Gc mbKEJhPpO9ONn16AT5+5HTOZR/dWqZLnXr8283TiM68ieE1ET2Ao7M2hcUlNLVfRimMWEJ FmfGYAav0lgg1riYzHkkgMaV+0gjkhj0jGWoXuma3LlKDu82m6LrByzM9Tv/3EAEGdWs/4 Vsk09Xq0US9n5Jzk8jdWUHm3qygBjX/mCUFxjocl1VqhOcyoF3F+/yprNGyFlz6DR3INsk Mknc35OIYINI6VmCGpf/wm+pXmcgaIk8UxaHElrEoS+zew8TN9QV6lW/ug0xog== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by mfechner: URL: https://cgit.FreeBSD.org/ports/commit/?id=00bad07fd7826af78beea20ea6ff5ea2525729ad commit 00bad07fd7826af78beea20ea6ff5ea2525729ad Author: Matthias Fechner AuthorDate: 2021-12-13 13:50:20 +0000 Commit: Matthias Fechner CommitDate: 2021-12-13 13:50:20 +0000 security/vuxml: fixed solr entry, only version 8.11.1 will fix it The fixed version is not released yet. --- security/vuxml/vuln-2021.xml | 3 +- security/vuxml/vuln.xml.unexpanded | 189118 ++++++++++++++++++++++++++++++++++ 2 files changed, 189120 insertions(+), 1 deletion(-) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index ac123c5227de..75671f1f2c33 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml @@ -33,7 +33,7 @@ apache-solr - 8.11.0 + 8.11.1 @@ -50,6 +50,7 @@ 2021-12-10 2021-12-13 + 2021-12-13 diff --git a/security/vuxml/vuln.xml.unexpanded b/security/vuxml/vuln.xml.unexpanded new file mode 100644 index 000000000000..e7964ff18921 --- /dev/null +++ b/security/vuxml/vuln.xml.unexpanded @@ -0,0 +1,189118 @@ + + + + + + + + + + + + + + + + + + + + +]> + + + + Solr -- Apache Log4J + + + apache-solr + 8.11.0 + + + + +

Solr reports:

+
+

Apache Solr affected by Apache Log4J

+
+ + + + CVE-2021-44228 + https://solr.apache.org/security.html + + + 2021-12-10 + 2021-12-13 + + + + + OpenSearch -- Log4Shell + + + opensearch + 1.2.1 + + + + +

OpenSearch reports:

+
+

A recently published security issue (CVE-2021-44228) affects several versions of the broadly-used Apache Log4j library. Some software in the OpenSearch project includes versions of Log4j referenced in this CVE. While, at time of writing, the team has not found a reproduceable example in OpenSearch of remote code execution (RCE) described in this issue, its severity is such that all users should take mitigation measures. As recommended by the advisory, the team has released OpenSearch 1.2.1, which updates Log4j to version 2.15.0. For those who cannot upgrade to 1.2.1, the Log4j website outlines additional measures to mitigate the issue. This patch release also addresses CVE-2021-4352 in t he OpenSearch Docker distributions..

+
+ + + + CVE-2021-44228 + https://opensearch.org/blog/releases/2021/12/update-to-1-2-1/ + + + 2021-12-11 + 2021-12-13 + + + + + Grafana -- Path Traversal + + + grafana8 + grafana + 8.0.08.0.7 + 8.1.08.1.8 + 8.2.08.2.7 + 8.3.08.3.1 + + + + +

Grafana Labs reports:

+
+

Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

+

The vulnerable URL path is: <grafana_host_url>/public/plugins/<“plugin-id”> where <“plugin-id”> is the plugin ID for any installed plugin.

+

Every Grafana instance comes with pre-installed plugins like the Prometheus plugin or MySQL plugin so the following URLs are vulnerable for every instance:

+
    +
  • <grafana_host_url>/public/plugins/alertlist/
    • +
  • <grafana_host_url>/public/plugins/annolist/
    • +
  • <grafana_host_url>/public/plugins/barchart/
    • +
  • <grafana_host_url>/public/plugins/bargauge/
    • +
  • <grafana_host_url>/public/plugins/candlestick/
    • +
  • <grafana_host_url>/public/plugins/cloudwatch/
    • +
  • <grafana_host_url>/public/plugins/dashlist/
    • +
  • <grafana_host_url>/public/plugins/elasticsearch/
    • +
  • <grafana_host_url>/public/plugins/gauge/
    • +
  • <grafana_host_url>/public/plugins/geomap/
    • +
  • <grafana_host_url>/public/plugins/gettingstarted/
    • +
  • <grafana_host_url>/public/plugins/grafana-azure-monitor-datasource/
    • +
  • <grafana_host_url>/public/plugins/graph/
    • +
  • <grafana_host_url>/public/plugins/heatmap/
    • +
  • <grafana_host_url>/public/plugins/histogram/
    • +
  • <grafana_host_url>/public/plugins/influxdb/
    • +
  • <grafana_host_url>/public/plugins/jaeger/
    • +
  • <grafana_host_url>/public/plugins/logs/
    • +
  • <grafana_host_url>/public/plugins/loki/
    • +
  • <grafana_host_url>/public/plugins/mssql/
    • +
  • <grafana_host_url>/public/plugins/mysql/
    • +
  • <grafana_host_url>/public/plugins/news/
    • +
  • <grafana_host_url>/public/plugins/nodeGraph/
    • +
  • <grafana_host_url>/public/plugins/opentsdb
    • +
  • <grafana_host_url>/public/plugins/piechart/
    • +
  • <grafana_host_url>/public/plugins/pluginlist/
    • +
  • <grafana_host_url>/public/plugins/postgres/
    • +
  • <grafana_host_url>/public/plugins/prometheus/
    • +
  • <grafana_host_url>/public/plugins/stackdriver/
    • +
  • <grafana_host_url>/public/plugins/stat/
    • +
  • <grafana_host_url>/public/plugins/state-timeline/
    • +
  • <grafana_host_url>/public/plugins/status-history/
    • +
  • <grafana_host_url>/public/plugins/table/
    • +
  • <grafana_host_url>/public/plugins/table-old/
    • +
  • <grafana_host_url>/public/plugins/tempo/
    • +
  • <grafana_host_url>/public/plugins/testdata/
    • +
  • <grafana_host_url>/public/plugins/text/
    • +
  • <grafana_host_url>/public/plugins/timeseries/
    • +
  • <grafana_host_url>/public/plugins/welcome/
    • +
  • <grafana_host_url>/public/plugins/zipkin/
    • +
+
+ + + + CVE-2021-43798 + https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/ + + + 2021-12-03 + 2021-12-11 + + + + + Grafana -- Incorrect Access Control + + + grafana8 + grafana + 8.0.08.2.4 + + + + +

Grafana Labs reports:

+
+

When the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin.

+
+ + + + CVE-2021-41244 + https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/ + + + 2021-11-02 + 2021-12-11 + + + + + Grafana -- XSS + + + grafana8 + grafana + 8.0.08.2.3 + + + + +

Grafana Labs reports:

+
+

If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim’s browser.

+

The user visiting the malicious link must be unauthenticated, and the link must be for a page that contains the login button in the menu bar.

+

There are two ways an unauthenticated user can open a page in Grafana that contains the login button:

+
    +
  • Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.
    • +
  • The link is to an unauthenticated page. The following pages are vulnerable: +
      +
    • /dashboard-solo/snapshot/*
      • +
    • /dashboard/snapshot/*
      • +
    • /invite/:code
      • +
    +
    • +
+

The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }}

+

An example of an expression would be: {{constructor.constructor(‘alert(1)’)()}}. This can be included in the link URL like this:

+

https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1

+

When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated, and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.

+
+ + + + CVE-2021-41174 + https://grafana.com/blog/2021/11/03/grafana-8.2.3-released-with-medium-severity-security-fix-cve-2021-41174-grafana-xss/ + + + 2021-10-21 + 2021-12-11 + + + + + p7zip -- usage of uninitialized memory + + + p7zip + 18.05 + + + + +

NVD reports:

+
+

+ Incorrect initialization logic of RAR decoder objects in + 7-Zip 18.03 and before can lead to usage of + uninitialized memory, allowing remote attackers to cause + a denial of service (segmentation fault) or execute + arbitrary code via a crafted RAR archive. +

+
+ + + + CVE-2018-10115 + https://nvd.nist.gov/vuln/detail/CVE-2018-10115 + + + 2018-05-02 + 2021-12-11 + + + + + graylog -- include log4j patches + + + graylog + 4.2.3 + + + + +

Apache Software Foundation repos:

+
+

Apache Log4j2 JNDI features do not protect against attacker + controlled LDAP and other JNDI related endpoints. An attacker + who can control log messages or paramters can execute arbitrary + code from attacker-controller LDAP servers when message lookup + substitution is enabled. +

+
+ + + + CVE-2021-44228 + https://github.com/Graylog2/graylog2-server/commit/d3e441f1126f0dc292e986879039a87c59375b2a + https://logging.apache.org/log4j/2.x/security.html + + + 2021-12-10 + 2021-12-11 + + + + + go -- multiple vulnerabilities + + + go + 1.17.5,1 + + + + +

The Go project reports:

+
+

net/http: limit growth of header canonicalization cache. An + attacker can cause unbounded memory growth in a Go server accepting + HTTP/2 requests.

+
+
+

syscall: don’t close fd 0 on ForkExec error. When a Go program + running on a Unix system is out of file descriptors and calls + syscall.ForkExec (including indirectly by using the os/exec + package), syscall.ForkExec can close file descriptor 0 as it fails. + If this happens (or can be provoked) repeatedly, it can result in + misdirected I/O such as writing network traffic intended for one + connection to a different connection, or content intended for one + file to a different one.

+
+ + + + CVE-2021-44716 + https://github.com/golang/go/issues/50058 + CVE-2021-44717 + https://github.com/golang/go/issues/50057 + + + 2021-12-08 + 2021-12-09 + + + + + chromium -- multiple vulnerabilities + + + chromium + 96.0.4664.93 + + + + +

Chrome Releases reports:

+
+

This release contains 22 security fixes, including:

+
    +
  • [1267661] High CVE-2021-4052: Use after free in web apps. + Reported by Wei Yuan of MoyunSec VLab on 2021-11-07
    • +
  • [1267791] High CVE-2021-4053: Use after free in UI. Reported by + Rox on 2021-11-08
    • +
  • [1265806] High CVE-2021-4079: Out of bounds write in WebRTC. + Reported by Brendon Tiszka on 2021-11-01
    • +
  • [1239760] High CVE-2021-4054: Incorrect security UI in autofill. + Reported by Alesandro Ortiz on 2021-08-13
    • +
  • [1268738] High CVE-2021-4078: Type confusion in V8. Reported by + Nan Wang (@eternalsakura13) and Guang Gong of 360 Alpha Lab on + 2021-11-09
    • +
  • [1266510] High CVE-2021-4055: Heap buffer overflow in + extensions. Reported by Chen Rong on 2021-11-03
    • +
  • [1260939] High CVE-2021-4056: Type Confusion in loader. Reported + by @__R0ng of 360 Alpha Lab on 2021-10-18
    • +
  • [1262183] High CVE-2021-4057: Use after free in file API. + Reported by Sergei Glazunov of Google Project Zero on + 2021-10-21
    • +
  • [1267496] High CVE-2021-4058: Heap buffer overflow in ANGLE. + Reported by Abraruddin Khan and Omair on 2021-11-06
    • +
  • [1270990] High CVE-2021-4059: Insufficient data validation in + loader. Reported by Luan Herrera (@lbherrera_) on 2021-11-17
    • +
  • [1271456] High CVE-2021-4061: Type Confusion in V8. Reported by + Paolo Severini on 2021-11-18
    • +
  • [1272403] High CVE-2021-4062: Heap buffer overflow in BFCache. + Reported by Leecraso and Guang Gong of 360 Alpha Lab on + 2021-11-22
    • +
  • [1273176] High CVE-2021-4063: Use after free in developer tools. + Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability + Research on 2021-11-23
    • +
  • [1273197] High CVE-2021-4064: Use after free in screen capture. + Reported by @ginggilBesel on 2021-11-23
    • +
  • [1273674] High CVE-2021-4065: Use after free in autofill. + Reported by 5n1p3r0010 on 2021-11-25
    • +
  • [1274499] High CVE-2021-4066: Integer underflow in ANGLE. + Reported by Jaehun Jeong(@n3sk) of Theori on 2021-11-29
    • +
  • [1274641] High CVE-2021-4067: Use after free in window manager. + Reported by @ginggilBesel on 2021-11-29
    • +
  • [1265197] Low CVE-2021-4068: Insufficient validation of + untrusted input in new tab page. Reported by NDevTK on + 2021-10-31
    • +
+
+ + + + CVE-2021-4052 + CVE-2021-4053 + CVE-2021-4054 + CVE-2021-4055 + CVE-2021-4056 + CVE-2021-4057 + CVE-2021-4058 + CVE-2021-4059 + CVE-2021-4061 + CVE-2021-4062 + CVE-2021-4063 + CVE-2021-4064 + CVE-2021-4065 + CVE-2021-4066 + CVE-2021-4067 + CVE-2021-4068 + CVE-2021-4078 + CVE-2021-4079 + https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html + + + 2021-12-06 + 2021-12-07 + + + + + Gitlab -- Multiple Vulnerabilities + + + gitlab-ce + 14.5.014.5.2 + 14.4.014.4.4 + 014.3.6 + + + + +

Gitlab reports:

+
+

Group members with developer role can escalate their privilege to maintainer on projects that they import

+

When user registration is limited, external users that aren't developers shouldn't have access to the CI Lint API

+

Collision in access memoization leads to potential elevated privileges on groups and projects

+

Project access token names are returned for unauthenticated requesters

+

Sensitive info disclosure in logs

+

Disclosure of a user's custom project and group templates

+

ReDoS in Maven package version

+

Potential denial of service via the Diff feature

+

Regular Expression Denial of Service via user comments

+

Service desk email accessible by any project member

+

Regular Expression Denial of Service via quick actions

+

IDOR in "external status check" API leaks data about any status check on the instance

+

Default branch name visible in public projects restricting access to the source code repository

+

Deploy token allows access to disabled project Wiki

+

Regular Expression Denial of Service via deploy Slash commands

+

Users can reply to Vulnerability Report discussions despite Only Project Members settings

+

Unauthorised deletion of protected branches

+

Author can approve Merge Request after having access revoked

+

HTML Injection via Swagger UI

+
+ + + + CVE-2021-39944 + CVE-2021-39935 + CVE-2021-39937 + CVE-2021-39915 + CVE-2021-39919 + CVE-2021-39930 + CVE-2021-39940 + CVE-2021-39932 + CVE-2021-39933 + CVE-2021-39934 + CVE-2021-39917 + CVE-2021-39916 + CVE-2021-39941 + CVE-2021-39936 + CVE-2021-39938 + CVE-2021-39918 + CVE-2021-39931 + CVE-2021-39945 + CVE-2021-39910 + https://about.gitlab.com/releases/2021/12/06/security-release-gitlab-14-5-2-released/ + + + 2021-12-06 + 2021-12-07 + + + + + NSS -- Memory corruption + + + nss + 3.73 + + + + +

The Mozilla project reports:

+
+

Memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures (Critical)

+

NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR + are vulnerable to a heap overflow when handling DER-encoded DSA or + RSA-PSS signatures. Applications using NSS for handling signatures + encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be + impacted. Applications using NSS for certificate validation or other + TLS, X.509, OCSP or CRL functionality may be impacted, depending on + how they configure NSS.

+
+ + + + CVE-2021-43527 + https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/ + + + 2021-12-01 + 2021-12-02 + + + + + mailman < 2.1.38 -- CSRF vulnerability of list mod or member against list admin page + + + mailman + 2.1.38 + + + mailman-exim4 + 2.1.38 + + + mailman-exim4-with-htdig + 2.1.38 + + + mailman-postfix + 2.1.38 + + + mailman-postfix-with-htdig + 2.1.38 + + + mailman-with-htdig + 2.1.38 + + + + +

Mark Sapiro reports:

+
+

A list moderator or list member can potentially carry out a CSRF attack + by getting a list admin to visit a crafted web page.

+
+ + + + CVE-2021-44227 + https://bugs.launchpad.net/mailman/+bug/1952384 + https://www.mail-archive.com/mailman-users@python.org/msg73979.html + + + 2021-11-25 + 2021-12-01 + + + + + rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse + + + ruby + 2.6.0,12.6.9,1 + 2.7.0,12.7.5,1 + 3.0.0,13.0.3,1 + + + ruby26 + 2.6.0,12.6.9,1 + + + ruby27 + 2.7.0,12.7.5,1 + + + ruby30 + 3.0.0,13.0.3,1 + + + rubygem-cgi + 0.3.1 + + + + +

ooooooo_q reports:

+
+

+ The old versions of CGI::Cookie.parse applied + URL decoding to cookie names. An attacker could exploit + this vulnerability to spoof security prefixes in cookie + names, which may be able to trick a vulnerable + application. +

+

+ By this fix, CGI::Cookie.parse no longer + decodes cookie names. Note that this is an incompatibility + if cookie names that you are using include + non-alphanumeric characters that are URL-encoded. +

+
+ + + + CVE-2021-41819 + https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/ + + + 2021-11-24 + 2021-11-24 + + + + + rubygem-cgi -- buffer overrun in CGI.escape_html + + + ruby + 2.7.0,12.7.5,1 + 3.0.0,13.0.3,1 + + + ruby27 + 2.7.0,12.7.5,1 + + + ruby30 + 3.0.0,13.0.3,1 + + + rubygem-cgi + 0.3.1 + + + + +

chamal reports:

+
+

+ A security vulnerability that causes buffer overflow when + you pass a very large string (> 700 MB) to + CGI.escape_html on a platform where + long type takes 4 bytes, typically, Windows. +

+
+ + + + CVE-2021-41816 + https://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/ + + + 2021-11-24 + 2021-11-24 + + + + + py-matrix-synapse -- several vulnerabilities + + + py36-matrix-synapse + py37-matrix-synapse + py38-matrix-synapse + py39-matrix-synapse + py310-matrix-synapse + 1.47.1 + + + + +

Matrix developers report:

+
+

This release patches one high severity issue affecting + Synapse installations 1.47.0 and earlier using the media repository. + An attacker could cause these Synapses to download a remote file + and store it in a directory outside the media repository.

+

Note that:

+
    +
  • This only affects homeservers using Synapse's built-in media + repository, as opposed to synapse-s3-storage-provider or + matrix-media-repo.
    • +
  • Attackers cannot control the exact name or destination of the + stored file.
    • +
+
+ + + + ports/259994 + CVE-2021-41281 + https://matrix.org/blog/2021/11/23/synapse-1-47-1-released + + + 2021-11-18 + 2021-11-23 + + + + + advancecomp -- multiple vulnerabilities + + + advancecomp + 2.1.6 + + + + +

Joonun Jang reports:

+
+

heap buffer overflow running advzip with "-l poc" option

+

Running 'advzip -l poc' with the attached file raises heap buffer overflow + which may allow a remote attacker to cause unspecified impact including denial-of-service attack. + I expected the program to terminate without segfault, but the program crashes as follow. [...] +

+
+

and other vulnerabilities.

+ + + + CVE-2018-1056 + CVE-2019-8379 + CVE-2019-8383 + CVE-2019-9210 + + + 2018-07-29 + 2021-11-19 + + + + + chromium -- multiple vulnerabilities + + + chromium + 96.0.4664.45 + + + + +

Chrome Releases reports:

+
+

This release contains 25 security fixes, including:

+
    +
  • [1263620] High CVE-2021-38008: Use after free in media. Reported + by Marcin Towalski of Cisco Talos on 2021-10-26
    • +
  • [1260649] High CVE-2021-38009: Inappropriate implementation in + cache. Reported by Luan Herrera (@lbherrera_) on 2021-10-16
    • +
  • [1240593] High CVE-2021-38006: Use after free in storage + foundation. Reported by Sergei Glazunov of Google Project Zero on + 2021-08-17
    • +
  • [1254189] High CVE-2021-38007: Type Confusion in V8. Reported by + Polaris Feng and SGFvamll at Singular Security Lab on + 2021-09-29
    • +
  • [1241091] High CVE-2021-38005: Use after free in loader. + Reported by Sergei Glazunov of Google Project Zero on + 2021-08-18
    • +
  • [1264477] High CVE-2021-38010: Inappropriate implementation in + service workers. Reported by Sergei Glazunov of Google Project + Zero on 2021-10-28
    • +
  • [1268274] High CVE-2021-38011: Use after free in storage + foundation. Reported by Sergei Glazunov of Google Project Zero on + 2021-11-09
    • +
  • [1262791] Medium CVE-2021-38012: Type Confusion in V8. Reported + by Yonghwi Jin (@jinmo123) on 2021-10-24
    • +
  • [1242392] Medium CVE-2021-38013: Heap buffer overflow in + fingerprint recognition. Reported by raven (@raid_akame) on + 2021-08-23
    • +
  • [1248567] Medium CVE-2021-38014: Out of bounds write in + Swiftshader. Reported by Atte Kettunen of OUSPG on 2021-09-10
    • +
  • [957553] Medium CVE-2021-38015: Inappropriate implementation in + input. Reported by David Erceg on 2019-04-29
    • +
  • [1244289] Medium CVE-2021-38016: Insufficient policy + enforcement in background fetch. Reported by Maurice Dauer on + 2021-08-28
    • +
  • [1256822] Medium CVE-2021-38017: Insufficient policy enforcement + in iframe sandbox. Reported by NDevTK on 2021-10-05
    • +
  • [1197889] Medium CVE-2021-38018: Inappropriate implementation in + navigation. Reported by Alesandro Ortiz on 2021-04-11
    • +
  • [1251179] Medium CVE-2021-38019: Insufficient policy enforcement + in CORS. Reported by Maurice Dauer on 2021-09-20
    • +
  • [1259694] Medium CVE-2021-38020: Insufficient policy enforcement + in contacts picker. Reported by Luan Herrera (@lbherrera_) on + 2021-10-13
    • +
  • [1233375] Medium CVE-2021-38021: Inappropriate implementation in + referrer. Reported by Prakash (@1lastBr3ath) and Jun Kokatsu on + 2021-07-27
    • +
  • [1248862] Low CVE-2021-38022: Inappropriate implementation in + WebAuthentication. Reported by Michal Kepkowski on 2021-09-13
    • +
+
+ + + + CVE-2021-38005 + CVE-2021-38006 + CVE-2021-38007 + CVE-2021-38008 + CVE-2021-38009 + CVE-2021-38010 + CVE-2021-38011 + CVE-2021-38012 + CVE-2021-38013 + CVE-2021-38014 + CVE-2021-38015 + CVE-2021-38016 + CVE-2021-38017 + CVE-2021-38018 + CVE-2021-38019 + CVE-2021-38020 + CVE-2021-38021 + CVE-2021-38022 + https://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html + + + 2021-11-15 + 2021-11-16 + + + + + rubygem-date -- Regular Expression Denial of Service Vunlerability of Date Parsing Methods + + + ruby + 2.6.0,12.6.9,1 + 2.7.0,12.7.5,1 + 3.0.0,13.0.3,1 + + + ruby26 + 2.6.0,12.6.9,1 + + + ruby27 + 2.7.0,12.7.5,1 + + + ruby30 + 3.0.0,13.0.3,1 + + + rubygem-date + 3.2.1 + + + + +

Stanislav Valkanov reports:

+
+

+ Date's parsing methods including Date.parse + are using Regexps internally, some of which are vulnerable + against regular expression denial of service. Applications + and libraries that apply such methods to untrusted input + may be affected. +

+
+ + + + CVE-2021-41817 + https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/ + + + 2021-11-15 + 2021-11-15 + 2021-11-24 + + + + + Roundcube -- Multiple vulnerabilities + + + roundcube + 1.4.12,1 + + + + +

The Roundcube project reports:

+
+

XSS issue in handling attachment filename extension in mimetype mismatch warning

+

possible SQL injection via some session variables

+
+ *** 188176 LINES SKIPPED ***