From owner-svn-ports-head@freebsd.org Sat Feb 20 02:35:07 2021 Return-Path: Delivered-To: svn-ports-head@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 1FEC654EBC0; Sat, 20 Feb 2021 02:35:07 +0000 (UTC) (envelope-from lwhsu@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4DjCGM0MlYz4WP0; Sat, 20 Feb 2021 02:35:07 +0000 (UTC) (envelope-from lwhsu@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id F349A175AC; Sat, 20 Feb 2021 02:35:06 +0000 (UTC) (envelope-from lwhsu@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 11K2Z6vF002322; Sat, 20 Feb 2021 02:35:06 GMT (envelope-from lwhsu@FreeBSD.org) Received: (from lwhsu@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 11K2Z6eD002321; Sat, 20 Feb 2021 02:35:06 GMT (envelope-from lwhsu@FreeBSD.org) Message-Id: <202102200235.11K2Z6eD002321@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: lwhsu set sender to lwhsu@FreeBSD.org using -f From: Li-Wen Hsu Date: Sat, 20 Feb 2021 02:35:06 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r566133 - head/security/vuxml X-SVN-Group: ports-head X-SVN-Commit-Author: lwhsu X-SVN-Commit-Paths: head/security/vuxml X-SVN-Commit-Revision: 566133 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 20 Feb 2021 02:35:07 -0000 Author: lwhsu Date: Sat Feb 20 02:35:06 2021 New Revision: 566133 URL: https://svnweb.freebsd.org/changeset/ports/566133 Log: Split out vuln-2020.xml Added: head/security/vuxml/vuln-2020.xml (contents, props changed) Added: head/security/vuxml/vuln-2020.xml ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/vuxml/vuln-2020.xml Sat Feb 20 02:35:06 2021 (r566133) @@ -0,0 +1,13173 @@ + + gitea -- multiple vulnerabilities + + + gitea + 1.13.1 + + + + +

The Gitea Team reports for release 1.13.1:

+
+
    +
  • Hide private participation in Orgs
    • +
  • Fix escaping issue in diff
    • +
+
+ + + + https://github.com/go-gitea/gitea/releases/tag/v1.13.1 + ports/252310 + + + 2020-12-15 + 2020-12-31 + + + + + InspIRCd websocket module double free vulnerability + + + inspircd + 3.8.1 + + + + +

The InspIRCd development team reports:

+
+

The websocket module before v3.8.1 contains a double free + vulnerability. When combined with a HTTP reverse proxy this + vulnerability can be used by any user who is [GKZ]-lined to remotely + crash an InspIRCd server.

+
+ + + + https://docs.inspircd.org/security/2020-02/ + + + 2020-02-01 + 2021-01-01 + + + + + Intel CPU issues + + + devcpu-data + 1.31 + + + + +

Intel reports:

+
+

Intel CPUs suffer Special Register Buffer Data Sampling vulnerability

+
+ + + + https://software.intel.com/security-software-guidance/insights/processors-affected-special-register-buffer-data-sampling + CVE-2020-0543 + + + 2020-06-09 + 2020-12-28 + + + + + asterisk -- Remote crash in res_pjsip_diversion + + + asterisk13 + 13.38.1 + + + asterisk16 + 16.15.1 + + + asterisk18 + 18.1.1 + + + + +

The Asterisk project reports:

+
+

AST-2020-003: A crash can occur in Asterisk when a SIP + message is received that has a History-Info header, which + contains a tel-uri.

+

AST-2020-004: A crash can occur in Asterisk when a SIP + 181 response is received that has a Diversion header, + which contains a tel-uri.

+
+ + + + https://downloads.asterisk.org/pub/security/AST-2020-003.html + https://downloads.asterisk.org/pub/security/AST-2020-004.html + + + 2020-12-02 + 2020-12-22 + + + + + postsrsd -- Denial of service vulnerability + + + postsrsd + 1.10 + + + + +

postsrsd developer reports:

+
+

PostSRSd could be tricked into consuming a lot of CPU time with + an SRS address that has an excessively long time stamp tag.

+
+ + + + CVE-2020-35573 + https://github.com/roehling/postsrsd/commit/4733fb11f6bec6524bb8518c5e1a699288c26bac + https://github.com/roehling/postsrsd/releases/tag/1.10 + + + 2020-12-12 + 2020-12-21 + + + + + powerdns -- Various issues in GSS-TSIG support + + + powerdns + 4.4.0 + + + + +

PowerDNS developers report:

+
+

A remote, unauthenticated attacker can trigger a race condition + leading to a crash, or possibly arbitrary code execution, by sending crafted queries with a GSS-TSIG signature.

+

A remote, unauthenticated attacker can cause a denial of service by + sending crafted queries with a GSS-TSIG signature.

+

A remote, unauthenticated attacker might be able to cause a double-free, + leading to a crash or possibly arbitrary code execution by sending crafted queries with a GSS-TSIG signature.

+
+ + + + CVE-2020-24696 + CVE-2020-24697 + CVE-2020-24698 + https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-06.html + + + 2020-08-27 + 2020-12-21 + + + + + vault -- User Enumeration via LDAP auth + + + vault + 1.6.1 + + + + +

Vault developers report:

+
+

Vault allowed enumeration of users via the LDAP auth method. This vulnerability, was fixed in Vault 1.6.1 and 1.5.6.

+

An external party reported that they were able to enumerate LDAP users via error messages returned by Vault’s LDAP auth method

+
+ + + + CVE-2020-35177 + https://discuss.hashicorp.com/t/hcsec-2020-25-vault-s-ldap-auth-method-allows-user-enumeration/18984 + + + 2020-12-16 + 2020-12-17 + + + + + jasper -- heap overflow vulnerability + + + jasper + 2.0.23 + + + + +

JasPer NEWS:

+
+

Fix CVE-2020-27828, heap-overflow in cp_create() in jpc_enc.c.

+
+ + + + CVE-2020-27828 + https://github.com/jasper-software/jasper/blob/master/NEWS + https://github.com/jasper-software/jasper/issues/252 + + + 2020-12-08 + 2020-12-13 + + + + + py-matrix-synapse -- DoS on Federation API + + + py36-matrix-synapse + py37-matrix-synapse + py38-matrix-synapse + py39-matrix-synapse + 1.23.1 + + + + +

Matrix developers reports:

+
+

A malicious or poorly-implemented homeserver can inject malformed events + into a room by specifying a different room id in the path of a /send_join, + /send_leave, /invite or /exchange_third_party_invite request. + This can lead to a denial of service in which future events will not be + correctly sent to other servers over federation. + This affects any server which accepts federation requests from untrusted + servers.

+
+ + + + CVE-2020-26257 + https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm + ports/251768 + + + 2020-12-09 + 2020-12-13 + + + + + p11-kit -- Multiple vulnerabilities + + + p11-kit + 0.23.22 + + + + +

The p11-glue project reports:

+
+

CVE-2020-29363: Out-of-bounds write in + p11_rpc_buffer_get_byte_array_value function
A heap-based buffer + overflow has been discovered in the RPC protocol used by p11-kit + server/remote commands and the client library. When the remote + entity supplies a serialized byte array in a CK_ATTRIBUTE, the + receiving entity may not allocate sufficient length for the buffer + to store the deserialized value.

+

CVE-2020-29362: Out-of-bounds read in p11_rpc_buffer_get_byte_array + function
A heap-based buffer over-read has been discovered in + the RPC protocol used by thep11-kit server/remote commands and the + client library. When the remote entity supplies a byte array through + a serialized PKCS#11 function call, the receiving entity may allow + the reading of up to 4 bytes of memory past the heap + allocation.

+

CVE-2020-29361: Integer overflow when allocating memory for arrays + of attributes and object identifiers
Multiple integer overflows + have been discovered in the array allocations in the p11-kit library + and the p11-kit list command, where overflow checks are missing + before calling realloc or calloc.

+
+ + + + https://lists.freedesktop.org/archives/p11-glue/2020-December/000712.html + CVE-2020-29361 + CVE-2020-29362 + CVE-2020-29363 + + + 2020-12-12 + 2020-12-12 + + + + + Unbound/NSD -- Denial of service vulnerability + + + unbound + 1.13.0 + + + nsd + 4.3.4 + + + + +

NLNetLabs reports:

+
+

Unbound and NSD when writing the PID file would not check if an + existing file was a symlink. This could allow for a local symlink \ + attack if an attacker has access to the user Unbound/NSD runs as.

+
+ + + + https://nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt + CVE-2020-28935 + + + 2020-12-01 + 2020-12-12 + + + + + LibreSSL -- NULL pointer dereference + + + libressl + 3.2.03.2.3 + 3.1.5 + + + libressl-devel + 3.3.1 + + + + +

The LibreSSL project reports:

+
+

Malformed ASN.1 in a certificate revocation list or a timestamp + response token can lead to a NULL pointer dereference.

+
+ + + + https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.3-relnotes.txt + + + 2020-12-08 + 2020-12-11 + 2020-12-12 + + + + + glpi -- Public GLPIKEY can be used to decrypt any data + + + glpi + 9.4.6 + + + + +

MITRE Corporation reports:

+
+

GLPI before before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data must be reencrypted with the new key. Problem is we can not know which columns or rows in the database are using that; espcially from plugins. Changing the key without updating data would lend in bad password sent from glpi; but storing them again from the UI will work.

+
+ + + + https://github.com/glpi-project/glpi/security/advisories/GHSA-j222-j9mf-h6j9 + https://github.com/glpi-project/glpi/commit/efd14468c92c4da43333aa9735e65fd20cbc7c6c + CVE-2020-5248 + + + 2020-01-02 + 2020-01-02 + + + + + glpi -- Insecure Direct Object Reference on ajax/getDropdownValue.php + + + glpi + 9.5.3 + + + + +

MITRE Corporation reports:

+
+

In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).

+
+ + + + https://github.com/glpi-project/glpi/security/advisories/GHSA-pqfv-4pvr-55r4 + CVE-2020-27663 + + + 2020-10-22 + 2020-10-22 + + + + + glpi -- Insecure Direct Object Reference on ajax/comments.ph + + + glpi + 9.5.3 + + + + +

MITRE Corporation reports:

+
+

In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).

+
+ + + + https://github.com/glpi-project/glpi/security/advisories/GHSA-wq38-gwxp-8p5p + CVE-2020-27662 + + + 2020-10-22 + 2020-10-22 + + + + + glpi -- Any CalDAV calendars is read-only for every authenticated user + + + glpi + 9.5.0 + 9.5.3 + + + + +

MITRE Corporation reports:

+
+

In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. This issue is fixed in version 9.5.3. As a workaround, one can remove the caldav.php file to block access to CalDAV server.

+
+ + + + https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx + https://github.com/glpi-project/glpi/commit/527280358ec78988ac57e9809d2eb21fcd74caf7 + https://github.com/glpi-project/glpi/releases/tag/9.5.3 + CVE-2020-26212 + + + 2020-10-01 + 2020-10-01 + + + + + glpi -- SQL Injection in Search API + + + glpi + 9.1 + 9.5.2 + + + + +

MITRE Corporation reports:

+
+

In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user. The most likely scenario for this vulnerability is with someone who has an API account to the system. The issue is patched in version 9.5.2. A proof-of-concept with technical details is available in the linked advisory.

+
+ + + + https://github.com/glpi-project/glpi/commit/3dc4475c56b241ad659cc5c7cb5fb65727409cf0 + https://github.com/glpi-project/glpi/security/advisories/GHSA-jwpv-7m4h-5gvc + CVE-2020-15226 + + + 2020-06-25 + 2020-06-25 + + + + + glpi -- leakage issue with knowledge base + + + glpi + 9.5.0 + 9.5.2 + + + + +

MITRE Corporation reports:

+
+

In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ.

+
+ + + + https://github.com/glpi-project/glpi/commit/39e25591efddc560e3679ab07e443ee6198705e2 + https://github.com/glpi-project/glpi/security/advisories/GHSA-x9hg-j29f-wvvv + CVE-2020-15217 + + + 2020-06-25 + 2020-06-25 + + + + + glpi -- Unauthenticated Stored XSS + + + glpi + 0.65 + 9.5.2 + + + + +

MITRE Corporation reports:

+
+

In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection Since authentication is not required to perform these changes,anyone could point these fields at malicious websites or form input in a way to trigger XSS. Leveraging JavaScript it's possible to steal cookies, perform actions as the user, etc. The issue is patched in version 9.5.2.

+
+ + + + https://github.com/glpi-project/glpi/commit/a8109d4ee970a222faf48cf48fae2d2f06465796 + https://github.com/glpi-project/glpi/security/advisories/GHSA-prvh-9m4h-4m79 + CVE-2020-15177 + + + 2020-06-25 + 2020-06-25 + + + + + glpi -- Multiple SQL Injections Stemming From isNameQuoted() + + + glpi + 0.68 + 9.5.2 + + + + +

MITRE Corporation reports:

+
+

In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2

+
+ + + + https://github.com/glpi-project/glpi/commit/f021f1f365b4acea5066d3e57c6d22658cf32575 + https://github.com/glpi-project/glpi/security/advisories/GHSA-x93w-64x9-58qw + CVE-2020-15176 + + + 2020-06-25 + 2020-06-25 + + + + + glpi -- Unauthenticated File Deletion + + + glpi + 0.70 + 9.5.2 + + + + +

MITRE Corporation reports:

+
+

In GLPI before version 9.5.2, the pluginimage.send.php endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in /files/. Some of the sensitive information that is compromised are the user sessions, logs, and more. An attacker would be able to get the Administrators session token and use that to authenticate. The issue is patched in version 9.5.2.

+
+ + + + https://github.com/glpi-project/glpi/security/advisories/GHSA-rm52-jx9h-rwcp + https://github.com/glpi-project/glpi/commit/6ca9a0e77299a755c356d758344a23278df67f65 + CVE-2020-15175 + + + 2020-06-25 + 2020-06-25 + + + + + glpi -- SQL injection for all usages of "Clone" feature + + + glpi + 9.5.0 + 9.5.1 + + + + +

MITRE Corporation reports:

+
+

In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature. This has been fixed in 9.5.1.

+
+ + + + https://github.com/glpi-project/glpi/security/advisories/GHSA-qv6w-68gq-wx2v + https://github.com/glpi-project/glpi/commit/a4baa64114eb92fd2adf6056a36e0582324414ba + https://github.com/glpi-project/glpi/pull/6684 + CVE-2020-15108 + + + 2020-06-25 + 2020-06-25 + + + + + glpi -- Reflexive XSS in Dropdown menus + + + glpi + 0.68.1 + 9.4.6 + + + + +

MITRE Corporation reports:

+
+

In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6.

+
+ + + + https://github.com/glpi-project/glpi/security/advisories/GHSA-3xxh-f5p2-jg3h + https://github.com/glpi-project/glpi/commit/5e1c52c5e8a30ceb4e9572964da7ed89ddfb1aaf + CVE-2020-11062 + + + 2020-03-30 + 2020-03-30 + + + + + glpi -- Remote Code Execution (RCE) via the backup functionality + + + glpi + 9.4.6 + + + + +

MITRE Corporation reports:

+
+

In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.

+
+ + + + https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f + https://github.com/glpi-project/glpi/commit/ad748d59c94da177a3ed25111c453902396f320c + CVE-2020-11060 + + + 2020-03-30 + 2020-03-30 + + + + + glpi -- multiple related stored XSS vulnerabilities + + + glpi + 9.4.6 + + + + +

MITRE Corporation reports:

+
+

In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "alert(1)" reproduces the attack. This can be exploited by a user with administrator privileges in the User-Agent field. It can also be exploited by an outside party through the following steps: 1. Create a user with the surname `" onmouseover="alert(document.cookie)` and an empty first name. 2. With this user, create a ticket 3. As an administrator (or other privileged user) open the created ticket 4. On the "last update" field, put your mouse on the name of the user 5. The XSS fires This is fixed in version 9.4.6.

+
+ + + + https://github.com/glpi-project/glpi/security/advisories/GHSA-3g3h-rwhr-7385 + https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5WQMONZRWLWOXMHMYWR7A5Q5JJERPMVC/ + https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/ + CVE-2020-11036 + + + 2020-03-30 + 2020-03-30 + + + + + glpi -- weak csrf tokens + + + glpi + 0.83.3 + 9.4.6 + + + + +

MITRE Corporation reports:

+
+

In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6.

+
+ + + + https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf + https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5WQMONZRWLWOXMHMYWR7A5Q5JJERPMVC/ + https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/ + CVE-2020-11035 + + + 2020-03-30 + 2020-03-30 + + + + + glpi -- bypass of the open redirect protection + + + glpi + 9.4.6 + + + + +

MITRE Corporation reports:

+
+

In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.

+
+ + + + https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg + https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5WQMONZRWLWOXMHMYWR7A5Q5JJERPMVC/ + https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/ + CVE-2020-11034 + + + 2020-03-30 + 2020-03-30 + + + + + glpi -- able to read any token through API user endpoint + + + glpi + 9.1 + 9.4.6 + + + + +

MITRE Corporation reports:

+
+

In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non accessible to the current user. - All personal_tokens can display another users planning. Exploiting this vulnerability requires the api to be enabled, a technician account. It can be mitigated by adding an application token. This is fixed in version 9.4.6.

+
+ + + + https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55 + https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5WQMONZRWLWOXMHMYWR7A5Q5JJERPMVC/ + https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/ + CVE-2020-11033 + + + 2020-03-30 + 2020-03-30 + + + + + glpi -- SQL injection for all helpdesk instances + + + glpi + 9.4.6 + + + + +

MITRE Corporation reports:

+
+

In GLPI before version 9.4.6, there is a SQL injection vulnerability for all helpdesk instances. Exploiting this vulnerability requires a technician account. This is fixed in version 9.4.6.

+
+ + + + https://github.com/glpi-project/glpi/security/advisories/GHSA-344w-34h9-wwhh + CVE-2020-11032 + + + 2020-03-30 + 2020-03-30 + + + + + glpi -- Improve encryption algorithm + + + glpi + 9.5.0 + + + + +

MITRE Corporation reports:

+
+

In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption library. The library chosen is sodium.

+
+ + + + https://github.com/glpi-project/glpi/security/advisories/GHSA-7xwm-4vjr-jvqh + https://github.com/glpi-project/glpi/commit/f1ae6c8481e5c19a6f1801a5548cada45702e01a#diff-b5d0ee8c97c7abd7e3fa29b9a27d1780 + https://github.com/glpi-project/glpi/commit/f1ae6c8481e5c19a6f1801a5548cada45702e01a#diff-b5d0ee8c97c7abd7e3fa29b9a27d1780 + CVE-2020-11031 + + + 2020-03-30 + 2020-03-30 + + + + + glpi -- Account takeover vulnerability + + + glpi + 9.4.4 + + + + +

MITRE Corporation reports:

+
+

GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an arbitrary password for any user. This vulnerability can be exploited to take control of admin account. This vulnerability could be also abused to obtain other sensitive fields like API keys or password hashes.

+
+ + + + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14666 + https://github.com/glpi-project/glpi/security/advisories/GHSA-47hq-pfrr-jh5q + https://www.tarlogic.com/advisories/Tarlogic-2019-GPLI-Account-Takeover.txt + CVE-2019-14666 + + + 2019-08-05 + 2019-08-05 + + + + + cURL -- Multiple vulnerabilities + + + curl + 4.07.74.0 + + + + +

The cURL project reports:

+
+

Trusting FTP PASV responses (CVE-2020-8284)

+

FTP wildcard stack overflow (CVE-2020-8285)

+

Inferior OCSP verification (CVE-2020-8286)

+
+ + + + https://curl.se/docs/security.html + CVE-2020-8284 + CVE-2020-8285 + CVE-2020-8286 + + + 2020-12-09 + 2020-12-09 + + + + + OpenSSL -- NULL pointer de-reference + + + openssl + 1.0.2,11.1.1i,1 + + + FreeBSD + 12.212.2_2 + 12.112.1_12 + 11.411.4_6 + + + + +

The OpenSSL project reports:

+
+

EDIPARTYNAME NULL pointer de-reference (High)

+

The X.509 GeneralName type is a generic type for representing + different types of names. One of those name types is known as + EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which + compares different instances of a GENERAL_NAME to see if they + are equal or not. This function behaves incorrectly when both + GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer + dereference and a crash may occur leading to a possible denial + of service attack.

+
+ + + + https://www.openssl.org/news/secadv/20201208.txt + CVE-2020-1971 + SA-20:33.openssl + + + 2020-12-08 + 2020-12-08 + 2020-12-15 + + + + + Gitlab -- Multiple vulnerabilities + + + gitlab-ce + 13.6.013.6.2 + 13.5.013.5.5 + 12.213.4.9 + + + + +

Gitlab reports:

+
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***