<vuln vid="d0b12952-cb86-11e6-906f-0cc47a065786">
<topic>h2o -- Use-after-free vulnerability</topic>
<affects>
<package>
<name>h2o</name>
<range><lt>2.0.4_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Kazuho Oku reports:</p>
<blockquote cite="https://github.com/h2o/h2o/issues?q=label%3Avulnerability">
<p>A use-after-free vulnerability exists in H2O up to and including
version 2.0.4 / 2.1.0-beta3 that can be used by a remote attacker to
mount DoS attacks and / or information theft.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/h2o/h2o/releases/tag/v2.0.5</url>
<url>https://github.com/h2o/h2o/issues/1144</url>
</references>
<dates>
<discovery>2016-09-09</discovery>
<entry>2016-12-29</entry>
</dates>
</vuln>
<vuln vid="1b61ecef-cdb9-11e6-a9a5-b499baebfeaf">
<topic>PHP -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php70</name>
<range><lt>7.0.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Check Point reports:</p>
<blockquote cite="http://blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7/">
<p>... discovered 3 fresh and previously unknown vulnerabilities
(CVE-2016-7479, CVE-2016-7480, CVE-2016-7478) in the PHP 7
unserialize mechanism.</p>
<p>The first two vulnerabilities allow attackers to take full control
over servers, allowing them to do anything they want with the
website, from spreading malware to defacing it or stealing customer
data.</p>
<p>The last vulnerability generates a Denial of Service attack which
basically hangs the website, exhausts its memory consumption, and
shuts it down.</p>
<p>The PHP security team issued fixes for two of the vulnerabilities
on the 13th of October and 1st of December.</p>
</blockquote>
</body>
</description>
<references>
<url>http://blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7/</url>
<cvename>CVE-2016-7478</cvename>
<cvename>CVE-2016-7479</cvename>
<cvename>CVE-2016-7480</cvename>
</references>
<dates>
<discovery>2016-12-27</discovery>
<entry>2016-12-29</entry>
<modified>2017-01-04</modified>
</dates>
</vuln>
<vuln vid="6972668d-cdb7-11e6-a9a5-b499baebfeaf">
<topic>PHP -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php70</name>
<range><lt>7.0.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP project reports:</p>
<blockquote cite="http://php.net/ChangeLog-7.php#7.0.14">
<ul>
<li>Use After Free Vulnerability in unserialize() (CVE-2016-9936)</li>
<li>Invalid read when wddx decodes empty boolean element
(CVE-2016-9935)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://php.net/ChangeLog-7.php#7.0.14</url>
<cvename>CVE-2016-9935</cvename>
<cvename>CVE-2016-9936</cvename>
</references>
<dates>
<discovery>2016-12-08</discovery>
<entry>2016-12-29</entry>
</dates>
</vuln>
<vuln vid="3c4693de-ccf7-11e6-a9a5-b499baebfeaf">
<topic>phpmailer -- Remote Code Execution</topic>
<affects>
<package>
<name>phpmailer</name>
<range><lt>5.2.20</lt></range>
</package>
<package>
<name>tt-rss</name>
<range><lt>29.12.2016.04.37</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Legal Hackers reports:</p>
<blockquote cite="https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html">
<p>Independent research uncovered a critical vulnerability in
PHPMailer that could potentially be used by (unauthenticated)
remote attackers to achieve remote arbitrary code execution in
the context of the web server user and remotely compromise the
target web application.</p>
<p>To exploit the vulnerability an attacker could target common
website components such as contact/feedback forms, registration
forms, password email resets and others that send out emails with
the help of a vulnerable version of the PHPMailer class.</p>
<p>The first patch for the vulnerability CVE-2016-10033 was incomplete.
This advisory demonstrates the bypass of the patch. The bypass allows
Remote Code Execution to be carried out on all current versions (including
5.2.19).</p>
</blockquote>
</body>
</description>
<references>
<url>https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html</url>
<cvename>CVE-2016-10045</cvename>
</references>
<dates>
<discovery>2016-12-28</discovery>
<entry>2016-12-28</entry>
</dates>
</vuln>
<vuln vid="e4bc323f-cc73-11e6-b704-000c292e4fd8">
<topic>samba -- multiple vulnerabilities</topic>
<affects>
<package>
<name>samba36</name>
<range><ge>3.6.0</ge><le>3.6.25_4</le></range>
</package>
<package>
<name>samba4</name>
<range><ge>4.0.0</ge><le>4.0.26</le></range>
</package>
<package>
<name>samba41</name>
<range><ge>4.1.0</ge><le>4.1.23</le></range>
</package>
<package>
<name>samba42</name>
<range><ge>4.2.0</ge><le>4.2.14</le></range>
</package>
<package>
<name>samba43</name>
<range><ge>4.3.0</ge><lt>4.3.13</lt></range>
</package>
<package>
<name>samba44</name>
<range><ge>4.4.0</ge><lt>4.4.8</lt></range>
</package>
<package>
<name>samba45</name>
<range><ge>4.5.0</ge><lt>4.5.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samba team reports:</p>
<blockquote cite="https://www.samba.org/samba/latest_news.html#4.5.3">
<p>[CVE-2016-2123] Authenticated users can supply malicious dnsRecord attributes
on DNS objects and trigger a controlled memory corruption.</p>
<p>[CVE-2016-2125] Samba client code always requests a forwardable ticket
when using Kerberos authentication. This means the target server, which must be in the current or trusted
domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to
fully impersonate the authenticated user or service.</p>
<p>[CVE-2016-2126] A remote, authenticated, attacker can cause the winbindd process
to crash using a legitimate Kerberos ticket due to incorrect handling of the PAC checksum.
A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2123</cvename>
<url>https://www.samba.org/samba/security/CVE-2016-2123.html</url>
<cvename>CVE-2016-2125</cvename>
<url>https://www.samba.org/samba/security/CVE-2016-2125.html</url>
<cvename>CVE-2016-2126</cvename>
<url>https://www.samba.org/samba/security/CVE-2016-2126.html</url>
</references>
<dates>
<discovery>2016-12-19</discovery>
<entry>2016-12-26</entry>
<modified>2016-12-26</modified>
</dates>
</vuln>
<vuln vid="244c8288-cc4a-11e6-a475-bcaec524bf84">
<topic>upnp -- multiple vulnerabilities</topic>
<affects>
<package>
<name>upnp</name>
<range><lt>1.6.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthew Garrett reports:</p>
<blockquote cite="https://twitter.com/mjg59/status/755062278513319936">
<p>Reported this to upstream 8 months ago without response,
so: libupnp's default behaviour allows anyone to write to your
filesystem. Seriously. Find a device running a libupnp based server
(Shodan says there's rather a lot), and POST a file to /testfile.
Then GET /testfile ... and yeah if the server is running as root
(it is) and is using / as the web root (probably not, but maybe)
this gives full host fs access.</p>
</blockquote>
<p>Scott Tenaglia reports:</p>
<blockquote cite="https://sourceforge.net/p/pupnp/bugs/133/">
<p>There is a heap buffer overflow vulnerability in the
create_url_list function in upnp/src/gena/gena_device.c.</p>
</blockquote>
</body>
</description>
<references>
<url>https://twitter.com/mjg59/status/755062278513319936</url>
<url>https://sourceforge.net/p/pupnp/bugs/133/</url>
<cvename>CVE-2016-6255</cvename>
<cvename>CVE-2016-8863</cvename>
</references>
<dates>
<discovery>2016-02-23</discovery>
<entry>2016-12-27</entry>
</dates>
</vuln>
<vuln vid="c7656d4c-cb60-11e6-a9a5-b499baebfeaf">
<topic>phpmailer -- Remote Code Execution</topic>
<affects>
<package>
<name>phpmailer</name>
<range><lt>5.2.18</lt></range>
</package>
<package>
<name>tt-rss</name>
<range><lt>26.12.2016.07.29</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Legal Hackers reports:</p>
<blockquote cite="http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html">
<p>Independent research uncovered a critical vulnerability in
PHPMailer that could potentially be used by (unauthenticated)
remote attackers to achieve remote arbitrary code execution in
the context of the web server user and remotely compromise the
target web application.</p>
<p>To exploit the vulnerability an attacker could target common
website components such as contact/feedback forms, registration
forms, password email resets and others that send out emails with
the help of a vulnerable version of the PHPMailer class.</p>
</blockquote>
</body>
</description>
<references>
<url>http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html</url>
<url>https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md</url>
<cvename>CVE-2016-10033</cvename>
</references>
<dates>
<discovery>2016-12-26</discovery>
<entry>2016-12-26</entry>
</dates>
</vuln>
<vuln vid="e7002b26-caaa-11e6-a76a-9f7324e5534e">
<topic>exim -- DKIM private key leak</topic>
<affects>
<package>
<name>exim</name>
<range><gt>4.69</gt><lt>4.87.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Exim project reports:</p>
<blockquote cite="https://exim.org/static/doc/CVE-2016-9963.txt">
<p>Exim leaks the private DKIM signing key to the log files.
Additionally, if the build option EXPERIMENTAL_DSN_INFO=yes is used,
the key material is included in the bounce message.</p>
</blockquote>
</body>
</description>
<references>
<url>https://exim.org/static/doc/CVE-2016-9963.txt</url>
<cvename>CVE-2016-9963</cvename>
</references>
<dates>
<discovery>2016-12-15</discovery>
<entry>2016-12-25</entry>
</dates>
</vuln>
<vuln vid="2aedd15f-ca8b-11e6-a9a5-b499baebfeaf">
<cancelled superseded="2c948527-d823-11e6-9171-14dae9d210b8"/>
</vuln>
<vuln vid="c40ca16c-4d9f-4d70-8b6c-4d53aeb8ead4">
<topic>cURL -- uninitialized random vulnerability</topic>
<affects>
<package>
<name>curl</name>
<range><ge>7.52.0</ge><lt>7.52.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Project curl Security Advisory:</p>
<blockquote cite="https://curl.haxx.se/docs/adv_20161223.html">
<p>libcurl's (new) internal function that returns a good 32-bit
random value was implemented poorly and overwrote the pointer
instead of writing the value into the buffer the pointer
pointed to.</p>
<p>This random value is used to generate nonces for Digest and
NTLM authentication, for generating boundary strings in HTTP
formposts and more. Having a weak or virtually non-existent
random there makes these operations vulnerable.</p>
<p>This function is brand new in 7.52.0 and is the result of an
overhaul to make sure libcurl uses strong random as much as
possible - provided by the backend TLS crypto libraries when
present. The faulty function was introduced in this commit.</p>
<p>We are not aware of any exploit of this flaw.</p>
</blockquote>
</body>
</description>
<references>
<url>https://curl.haxx.se/docs/adv_20161223.html</url>
<cvename>CVE-2016-9594</cvename>
</references>
<dates>
<discovery>2016-12-23</discovery>
<entry>2016-12-24</entry>
</dates>
</vuln>
<vuln vid="41f8af15-c8b9-11e6-ae1b-002590263bf5">
<topic>squid -- multiple vulnerabilities</topic>
<affects>
<package>
<name>squid</name>
<range><ge>3.1</ge><lt>3.5.23</lt></range>
</package>
<package>
<name>squid-devel</name>
<range><ge>4.0</ge><lt>4.0.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2016:10 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_10.txt">
<p>Due to incorrect comparison of request headers Squid can deliver
responses containing private data to clients it should not have
reached.</p>
<p>This problem allows a remote attacker to discover private and
sensitive information about another client's browsing session,
potentially including credentials which allow access to further
sensitive resources. This problem only affects Squid configured
to use the Collapsed Forwarding feature. It is of particular
importance for HTTPS reverse-proxy sites with Collapsed
Forwarding.</p>
</blockquote>
<p>Squid security advisory 2016:11 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_11.txt">
<p>Due to incorrect HTTP conditional request handling Squid can
deliver responses containing private data to clients it should not
have reached.</p>
<p>This problem allows a remote attacker to discover private and
sensitive information about another client's browsing session,
potentially including credentials which allow access to further
sensitive resources.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-10002</cvename>
<cvename>CVE-2016-10003</cvename>
<freebsdpr>ports/215416</freebsdpr>
<freebsdpr>ports/215418</freebsdpr>
<url>http://www.squid-cache.org/Advisories/SQUID-2016_10.txt</url>
<url>http://www.squid-cache.org/Advisories/SQUID-2016_11.txt</url>
</references>
<dates>
<discovery>2016-12-16</discovery>
<entry>2016-12-23</entry>
</dates>
</vuln>
<vuln vid="c11629d3-c8ad-11e6-ae1b-002590263bf5">
<topic>vim -- arbitrary command execution</topic>
<affects>
<package>
<name>vim</name>
<name>vim-console</name>
<name>vim-lite</name>
<range><lt>8.0.0056</lt></range>
</package>
<package>
<name>neovim</name>
<range><lt>0.1.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mitre reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1248">
<p>vim before patch 8.0.0056 does not properly validate values for the
'filetype', 'syntax' and 'keymap' options, which may result in the
execution of arbitrary code if a file with a specially crafted
modeline is opened.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1248</cvename>
<bid>94478</bid>
<url>https://github.com/vim/vim/commit/d0b5138ba4bccff8a744c99836041ef6322ed39a</url>
<url>https://github.com/neovim/neovim/commit/4fad66fbe637818b6b3d6bc5d21923ba72795040</url>
</references>
<dates>
<discovery>2016-11-22</discovery>
<entry>2016-12-23</entry>
</dates>
</vuln>
<vuln vid="c290f093-c89e-11e6-821e-68f7288bdf41">
<topic>Pligg CMS -- XSS Vulnerability</topic>
<affects>
<package>
<name>pligg</name>
<range><le>2.0.2,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Netsparker reports:</p>
<blockquote cite="https://www.netsparker.com/web-applications-advisories/ns-15-011-xss-vulnerability-identified-in-pligg-cms/">
<p>Proof of Concept URL for XSS in Pligg CMS:</p>
<p>Page: groups.php</p>
<p>Parameter Name: keyword</p>
<p>Parameter Type: GET</p>
<p>Attack Pattern: http://example.com/pligg-cms-2.0.2/groups.php?view=search&keyword='+alert(0x000D82)+'</p>
<p>For more information on cross-site scripting vulnerabilities read the article Cross-site Scripting (XSS).</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.netsparker.com/web-applications-advisories/ns-15-011-xss-vulnerability-identified-in-pligg-cms/</url>
</references>
<dates>
<discovery>2015-05-13</discovery>
<entry>2016-12-22</entry>
</dates>
</vuln>
<vuln vid="fcedcdbb-c86e-11e6-b1cf-14dae9d210b8">
<topic>FreeBSD -- Multiple vulnerabilities of ntp</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>11.0</ge><lt>11.0_6</lt></range>
<range><ge>10.3</ge><lt>10.3_15</lt></range>
<range><ge>10.2</ge><lt>10.2_28</lt></range>
<range><ge>10.1</ge><lt>10.1_45</lt></range>
<range><ge>9.3</ge><lt>9.3_53</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Multiple vulnerabilities have been discovered in the NTP
suite:</p>
<p>CVE-2016-9311: Trap crash, Reported by Matthew Van Gundy
of Cisco ASIG.</p>
<p>CVE-2016-9310: Mode 6 unauthenticated trap information
disclosure and DDoS vector. Reported by Matthew Van Gundy
of Cisco ASIG.</p>
<p>CVE-2016-7427: Broadcast Mode Replay Prevention DoS.
Reported by Matthew Van Gundy of Cisco ASIG.</p>
<p>CVE-2016-7428: Broadcast Mode Poll Interval Enforcement
DoS. Reported by Matthew Van Gundy of Cisco ASIG.</p>
<p>CVE-2016-7431: Regression: 010-origin: Zero Origin
Timestamp Bypass. Reported by Sharon Goldberg and Aanchal
Malhotra of Boston University.</p>
<p>CVE-2016-7434: Null pointer dereference in
_IO_str_init_static_internal(). Reported by Magnus Stubman.</p>
<p>CVE-2016-7426: Client rate limiting and server responses.
Reported by Miroslav Lichvar of Red Hat.</p>
<p>CVE-2016-7433: Reboot sync calculation problem. Reported
independently by Brian Utterback of Oracle, and by Sharon
Goldberg and Aanchal Malhotra of Boston University.</p>
<h1>Impact:</h1>
<p>A remote attacker who can send a specially crafted packet
can cause a NULL pointer dereference that will crash ntpd,
resulting in a Denial of Service. [CVE-2016-9311]</p>
<p>An exploitable configuration modification vulnerability
exists in the control mode (mode 6) functionality of ntpd.
If, against long-standing BCP recommendations, "restrict
default noquery ..." is not specified, a specially crafted
control mode packet can set ntpd traps, providing information
disclosure and DDoS amplification, and unset ntpd traps,
allowing a remote attacker to disable legitimate monitoring.
[CVE-2016-9310]</p>
<p>An attacker with access to the NTP broadcast domain can
periodically inject specially crafted broadcast mode NTP
packets into the broadcast domain which, while being logged
by ntpd, can cause ntpd to reject broadcast mode packets
from legitimate NTP broadcast servers. [CVE-2016-7427]</p>
<p>An attacker with access to the NTP broadcast domain can
send specially crafted broadcast mode NTP packets to the
broadcast domain which, while being logged by ntpd, will
cause ntpd to reject broadcast mode packets from legitimate
NTP broadcast servers. [CVE-2016-7428]</p>
<p>Origin timestamp problems were fixed in ntp 4.2.8p6.
However, subsequent timestamp validation checks introduced
a regression in the handling of some Zero origin timestamp
checks. [CVE-2016-7431]</p>
<p>If ntpd is configured to allow mrulist query requests
from a server that sends a crafted malicious packet, ntpd
will crash on receipt of that crafted malicious mrulist
query packet. [CVE-2016-7434]</p>
<p>An attacker who knows the sources (e.g., from an IPv4
refid in server response) and knows the system is (mis)configured
in this way can periodically send packets with spoofed
source address to keep the rate limiting activated and
prevent ntpd from accepting valid responses from its sources.
[CVE-2016-7426]</p>
<p>Ntp Bug 2085 described a condition where the root delay
was included twice, causing the jitter value to be higher
than expected. Due to a misinterpretation of a small-print
variable in The Book, the fix for this problem was incorrect,
resulting in a root distance that did not include the peer
dispersion. The calculations and formulas have been reviewed
and reconciled, and the code has been updated accordingly.
[CVE-2016-7433]</p>
</body>
</description>
<references>
<cvename>CVE-2016-7426</cvename>
<cvename>CVE-2016-7427</cvename>
<cvename>CVE-2016-7428</cvename>
<cvename>CVE-2016-7431</cvename>
<cvename>CVE-2016-7433</cvename>
<cvename>CVE-2016-7434</cvename>
<cvename>CVE-2016-9310</cvename>
<cvename>CVE-2016-9311</cvename>
<freebsdsa>SA-16:39.ntp</freebsdsa>
</references>
<dates>
<discovery>2016-12-22</discovery>
<entry>2016-12-22</entry>
</dates>
</vuln>
<vuln vid="42880202-c81c-11e6-a9a5-b499baebfeaf">
<topic>cURL -- buffer overflow</topic>
<affects>
<package>
<name>curl</name>
<range><ge>7.1</ge><lt>7.52</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The cURL project reports:</p>
<blockquote cite="https://curl.haxx.se/docs/vuln-7.51.0.html">
<h2>printf floating point buffer overflow</h2>
<p>libcurl's implementation of the printf() functions triggers a
buffer overflow when doing a large floating point output. The bug
occurs when the conversion outputs more than 255 bytes.</p>
</blockquote>
</body>
</description>
<references>
<url>https://curl.haxx.se/docs/vuln-7.51.0.html</url>
<cvename>CVE-2016-9586</cvename>
</references>
<dates>
<discovery>2016-12-21</discovery>
<entry>2016-12-22</entry>
</dates>
</vuln>
<vuln vid="624b45c0-c7f3-11e6-ae1b-002590263bf5">
<topic>Joomla! -- multiple vulnerabilities</topic>
<affects>
<package>
<name>joomla3</name>
<range><ge>1.6.0</ge><lt>3.6.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The JSST and the Joomla! Security Center report:</p>
<blockquote cite="https://developer.joomla.org/security-centre/664-20161201-core-elevated-privileges.html">
<h2>[20161201] - Core - Elevated Privileges</h2>
<p>Incorrect use of unfiltered data stored to the session on a form
validation failure allows for existing user accounts to be modified;
to include resetting their username, password, and user group
assignments.</p>
</blockquote>
<blockquote cite="https://developer.joomla.org/security-centre/665-20161202-core-shell-upload.html">
<h2>[20161202] - Core - Shell Upload</h2>
<p>Inadequate filesystem checks allowed files with alternative PHP
file extensions to be uploaded.</p>
</blockquote>
<blockquote cite="https://developer.joomla.org/security-centre/666-20161203-core-information-disclosure.html">
<h2>[20161203] - Core - Information Disclosure</h2>
<p>Inadequate ACL checks in the Beez3 com_content article layout
override enables a user to view restricted content.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9836</cvename>
<cvename>CVE-2016-9837</cvename>
<cvename>CVE-2016-9838</cvename>
<url>https://developer.joomla.org/security-centre/664-20161201-core-elevated-privileges.html</url>
<url>https://developer.joomla.org/security-centre/665-20161202-core-shell-upload.html</url>
<url>https://developer.joomla.org/security-centre/666-20161203-core-information-disclosure.html</url>
<url>https://www.joomla.org/announcements/release-news/5693-joomla-3-6-5-released.html</url>
</references>
<dates>
<discovery>2016-12-06</discovery>
<entry>2016-12-22</entry>
</dates>
</vuln>
<vuln vid="a27d234a-c7f2-11e6-ae1b-002590263bf5">
<topic>Joomla! -- multiple vulnerabilities</topic>
<affects>
<package>
<name>joomla3</name>
<range><ge>3.4.4</ge><lt>3.6.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The JSST and the Joomla! Security Center report:</p>
<blockquote cite="https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html">
<h2>[20161001] - Core - Account Creation</h2>
<p>Inadequate checks allow users to register on a site when
registration has been disabled.</p>
</blockquote>
<blockquote cite="https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html">
<h2>[20161002] - Core - Elevated Privilege</h2>
<p>Incorrect use of unfiltered data allows for users to register on a
site with elevated privileges.</p>
</blockquote>
<blockquote cite="https://developer.joomla.org/security-centre/661-20161003-core-account-modifications.html">
<h2>[20161003] - Core - Account Modifications</h2>
<p>Incorrect use of unfiltered data allows for existing user accounts
to be modified; to include resetting their username, password, and
user group assignments.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-8869</cvename>
<cvename>CVE-2016-8870</cvename>
<cvename>CVE-2016-9081</cvename>
<url>https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html</url>
<url>https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html</url>
<url>https://developer.joomla.org/security-centre/661-20161003-core-account-modifications.html</url>
<url>https://www.joomla.org/announcements/release-news/5678-joomla-3-6-4-released.html</url>
</references>
<dates>
<discovery>2016-10-25</discovery>
<entry>2016-12-22</entry>
</dates>
</vuln>
<vuln vid="f0806cad-c7f1-11e6-ae1b-002590263bf5">
<topic>Joomla! -- multiple vulnerabilities</topic>
<affects>
<package>
<name>joomla3</name>
<range><ge>1.6.0</ge><lt>3.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The JSST and the Joomla! Security Center report:</p>
<blockquote cite="https://developer.joomla.org/security-centre/652-20160801-core-core-acl-violations.html">
<h2>[20160801] - Core - ACL Violation</h2>
<p>Inadequate ACL checks in com_content provide potential read access
to data which should be access restricted to users with edit_own
level.</p>
</blockquote>
<blockquote cite="https://developer.joomla.org/security-centre/653-20160802-core-xss-vulnerability.html">
<h2>[20160802] - Core - XSS Vulnerability</h2>
<p>Inadequate escaping leads to an XSS vulnerability in the mail component.</p>
</blockquote>
<blockquote cite="https://developer.joomla.org/security-centre/654-20160803-core-csrf.html">
<h2>[20160803] - Core - CSRF</h2>
<p>Add additional CSRF hardening in com_joomlaupdate.</p>
</blockquote>
</body>
</description>
<references>
<url>https://developer.joomla.org/security-centre/652-20160801-core-core-acl-violations.html</url>
<url>https://developer.joomla.org/security-centre/653-20160802-core-xss-vulnerability.html</url>
<url>https://developer.joomla.org/security-centre/654-20160803-core-csrf.html</url>
<url>https://www.joomla.org/announcements/release-news/5665-joomla-3-6-1-released.html</url>
</references>
<dates>
<discovery>2016-08-03</discovery>
<entry>2016-12-22</entry>
</dates>
</vuln>
<vuln vid="c0ef061a-c7f0-11e6-ae1b-002590263bf5">
<topic>Joomla! -- multiple vulnerabilities</topic>
<affects>
<package>
<name>joomla3</name>
<range><ge>1.5.0</ge><lt>3.4.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The JSST and the Joomla! Security Center report:</p>
<blockquote cite="https://developer.joomla.org/security-centre/639-20151206-core-session-hardening.html">
<h2>[20151206] - Core - Session Hardening</h2>
<p>The Joomla Security Strike team has been following up on the
critical security vulnerability patched last week. Since the recent
update it has become clear that the root cause is a bug in PHP
itself. This was fixed by PHP in September of 2015 with the releases
of PHP 5.4.45, 5.5.29, 5.6.13 (Note that this is fixed in all
versions of PHP 7 and has been back-ported in some specific Linux
LTS versions of PHP 5.3). This fixes the bug across all supported
PHP versions.</p>
</blockquote>
<blockquote cite="https://developer.joomla.org/security-centre/640-20151207-core-sql-injection.html">
<h2>[20151207] - Core - SQL Injection</h2>
<p>Inadequate filtering of request data leads to a SQL Injection
vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>https://developer.joomla.org/security-centre/639-20151206-core-session-hardening.html</url>
<url>https://developer.joomla.org/security-centre/640-20151207-core-sql-injection.html</url>
<url>https://www.joomla.org/announcements/release-news/5643-joomla-3-4-7.html</url>
</references>
<dates>
<discovery>2015-12-21</discovery>
<entry>2016-12-22</entry>
</dates>
</vuln>
<vuln vid="3ae078ca-c7eb-11e6-ae1b-002590263bf5">
<topic>xen-kernel -- x86 PV guests may be able to mask interrupts</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.7.1_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="https://xenbits.xen.org/xsa/advisory-202.html">
<p>Certain PV guest kernel operations (page table writes in
particular) need emulation, and use Xen's general x86 instruction
emulator. This allows a malicious guest kernel which asynchronously
modifies its instruction stream to effect the clearing of EFLAGS.IF
from the state used to return to guest context.</p>
<p>A malicious guest kernel administrator can cause a host hang or
crash, resulting in a Denial of Service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-10024</cvename>
<url>https://xenbits.xen.org/xsa/advisory-202.html</url>
</references>
<dates>
<discovery>2016-12-21</discovery>
<entry>2016-12-22</entry>
</dates>
</vuln>
<vuln vid="862d6ab3-c75e-11e6-9f98-20cf30e32f6d">
<topic>Apache httpd -- several vulnerabilities</topic>
<affects>
<package>
<name>apache24</name>
<range><lt>2.4.25</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache Software Foundation reports:</p>
<blockquote cite="http://httpd.apache.org/security/vulnerabilities_24.html">
<p>Please refer to the CVE/URL list for details.</p>
</blockquote>
</body>
</description>
<references>
<url>http://httpd.apache.org/security/vulnerabilities_24.html</url>
<cvename>CVE-2016-8743</cvename>
<cvename>CVE-2016-2161</cvename>
<cvename>CVE-2016-0736</cvename>
<cvename>CVE-2016-8740</cvename>
<cvename>CVE-2016-5387</cvename>
</references>
<dates>
<discovery>2016-12-20</discovery>
<entry>2016-12-21</entry>
<modified>2016-12-22</modified>
</dates>
</vuln>
<vuln vid="942433db-c661-11e6-ae1b-002590263bf5">
<topic>xen-kernel -- x86: Mishandling of SYSCALL singlestep during emulation</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.7.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-204.html">
<p>The typical behaviour of singlestepping exceptions is determined at
the start of the instruction, with a #DB trap being raised at the
end of the instruction. SYSCALL (and SYSRET, although we don't
implement it) behave differently because the typical behaviour
allows userspace to escalate its privilege. (This difference in
behaviour seems to be undocumented.) Xen wrongly raised the
exception based on the flags at the start of the instruction.</p>
<p>Guest userspace which can invoke the instruction emulator can use
this flaw to escalate its privilege to that of the guest kernel.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-10013</cvename>
<url>http://xenbits.xen.org/xsa/advisory-204.html</url>
</references>
<dates>
<discovery>2016-12-19</discovery>
<entry>2016-12-20</entry>
</dates>
</vuln>
<vuln vid="e47ab5db-c333-11e6-ae1b-002590263bf5">
<topic>atheme-services -- multiple vulnerabilities</topic>
<affects>
<package>
<name>atheme-services</name>
<range><lt>7.2.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mitre reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9773">
<p>modules/chanserv/flags.c in Atheme before 7.2.7 allows remote
attackers to modify the Anope FLAGS behavior by registering and
dropping the (1) LIST, (2) CLEAR, or (3) MODIFY keyword nicks.</p>
</blockquote>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4478">
<p>Buffer overflow in the xmlrpc_char_encode function in
modules/transport/xmlrpc/xmlrpclib.c in Atheme before 7.2.7 allows
remote attackers to cause a denial of service via vectors related
to XMLRPC response encoding.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/209217</freebsdpr>
<cvename>CVE-2014-9773</cvename>
<cvename>CVE-2016-4478</cvename>
<url>https://github.com/atheme/atheme/commit/87580d767868360d2fed503980129504da84b63e</url>
<url>https://github.com/atheme/atheme/commit/c597156adc60a45b5f827793cd420945f47bc03b</url>
</references>
<dates>
<discovery>2016-01-09</discovery>
<entry>2016-12-16</entry>
</dates>
</vuln>
<vuln vid="512c0ffd-cd39-4da4-b2dc-81ff4ba8e238">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>50.1.0_1,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.47</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>45.6.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>45.6.0,2</lt></range>
</package>
<package>
<name>libxul</name>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>45.6.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/">
<p>CVE-2016-9894: Buffer overflow in SkiaGL</p>
<p>CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements</p>
<p>CVE-2016-9895: CSP bypass using marquee tag</p>
<p>CVE-2016-9896: Use-after-free with WebVR</p>
<p>CVE-2016-9897: Memory corruption in libGLES</p>
<p>CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees</p>
<p>CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs</p>
<p>CVE-2016-9904: Cross-origin information leak in shared atoms</p>
<p>CVE-2016-9901: Data from Pocket server improperly sanitized before execution</p>
<p>CVE-2016-9902: Pocket extension does not validate the origin of events</p>
<p>CVE-2016-9903: XSS injection vulnerability in add-ons SDK</p>
<p>CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1</p>
<p>CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9894</cvename>
<cvename>CVE-2016-9899</cvename>
<cvename>CVE-2016-9895</cvename>
<cvename>CVE-2016-9896</cvename>
<cvename>CVE-2016-9897</cvename>
<cvename>CVE-2016-9898</cvename>
<cvename>CVE-2016-9900</cvename>
<cvename>CVE-2016-9904</cvename>
<cvename>CVE-2016-9901</cvename>
<cvename>CVE-2016-9902</cvename>
<cvename>CVE-2016-9903</cvename>
<cvename>CVE-2016-9080</cvename>
<cvename>CVE-2016-9893</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2016-94/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-95/</url>
</references>
<dates>
<discovery>2016-12-13</discovery>
<entry>2016-12-14</entry>
</dates>
</vuln>
<vuln vid="54e50cd9-c1a8-11e6-ae1b-002590263bf5">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.6.1,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>ja-wordpress</name>
<name>ru-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jeremy Felt reports:</p>
<blockquote cite="https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/">
<p>WordPress versions 4.6 and earlier are affected by two security
issues: a cross-site scripting vulnerability via image filename,
reported by SumOfPwn researcher Cengiz Han Sahin; and a path
traversal vulnerability in the upgrade package uploader, reported
by Dominik Schilling from the WordPress security team.</p>
</blockquote>
</body>
</description>
<references>
<url>https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/</url>
</references>
<dates>
<discovery>2016-09-07</discovery>
<entry>2016-12-14</entry>
</dates>
</vuln>
<vuln vid="80a897a2-c1a6-11e6-ae1b-002590263bf5">
<topic>xen-kernel -- x86 CMPXCHG8B emulation fails to ignore operand size override</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.7.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-200.html">
<p>The x86 instruction CMPXCHG8B is supposed to ignore legacy operand
size overrides; it only honors the REX.W override (making it
CMPXCHG16B). So, the operand size is always 8 or 16. When support
for CMPXCHG16B emulation was added to the instruction emulator,
this restriction on the set of possible operand sizes was relied on
in some parts of the emulation; but a wrong, fully general, operand
size value was used for other parts of the emulation. As a result,
if a guest uses a supposedly-ignored operand size prefix, a small
amount of hypervisor stack data is leaked to the guests: a 96 bit
leak to guests running in 64-bit mode; or, a 32 bit leak to other
guests.</p>
<p>A malicious unprivileged guest may be able to obtain sensitive
information from the host.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9932</cvename>
<url>http://xenbits.xen.org/xsa/advisory-200.html</url>
</references>
<dates>
<discovery>2016-12-13</discovery>
<entry>2016-12-14</entry>
</dates>
</vuln>
<vuln vid="2d56308b-c0a8-11e6-a9a5-b499baebfeaf">
<topic>PHP -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>php56</name>
<range><lt>5.6.29</lt></range>
</package>
<package>
<name>php70</name>
<range><lt>7.0.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP project reports:</p>
<blockquote cite="http://php.net/archive/2016.php#id2016-12-08-1">
<p>This is a security release. Several security bugs were fixed in
this release.</p>
</blockquote>
</body>
</description>
<references>
<url>http://php.net/archive/2016.php#id2016-12-08-1</url>
<url>http://php.net/archive/2016.php#id2016-12-08-2</url>
</references>
<dates>
<discovery>2016-12-12</discovery>
<entry>2016-12-12</entry>
</dates>
</vuln>
<vuln vid="c0b13887-be44-11e6-b04f-001999f8d30b">
<topic>asterisk -- Authentication Bypass</topic>
<affects>
<package>
<name>asterisk11</name>
<range><lt>11.25.1</lt></range>
</package>
<package>
<name>asterisk13</name>
<range><lt>13.13.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>The chan_sip channel driver has a liberal definition
for whitespace when attempting to strip the content between
a SIP header name and a colon character. Rather than
following RFC 3261 and stripping only spaces and horizontal
tabs, Asterisk treats any non-printable ASCII character
as if it were whitespace.</p>
<p>This mostly does not pose a problem until Asterisk is
placed in tandem with an authenticating SIP proxy. In
such a case, a crafty combination of valid and invalid
To headers can cause a proxy to allow an INVITE request
into Asterisk without authentication since it believes
the request is an in-dialog request. However, because of
the bug described above, the request will look like an
out-of-dialog request to Asterisk. Asterisk will then
process the request as a new call. The result is that
Asterisk can process calls from unvetted sources without
any authentication.</p>
<p>If you do not use a proxy for authentication, then
this issue does not affect you.</p>
<p>If your proxy is dialog-aware (meaning that the proxy
keeps track of what dialogs are currently valid), then
this issue does not affect you.</p>
<p>If you use chan_pjsip instead of chan_sip, then this
issue does not affect you.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.digium.com/pub/security/ASTERISK-2016-009.html</url>
</references>
<dates>
<discovery>2016-11-28</discovery>
<entry>2016-12-09</entry>
</dates>
</vuln>
<vuln vid="9e6640fe-be3a-11e6-b04f-001999f8d30b">
<topic>asterisk -- Crash on SDP offer or answer from endpoint using Opus</topic>
<affects>
<package>
<name>asterisk13</name>
<range><ge>13.12.0</ge><lt>13.13.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>If an SDP offer or answer is received with the Opus
codec and with the format parameters separated using a
space, the code responsible for parsing will recursively
call itself until it crashes. This occurs as the code
does not properly handle spaces separating the parameters.
This does NOT require the endpoint to have Opus configured
in Asterisk. This also does not require the endpoint to
be authenticated. If guest is enabled for chan_sip or
anonymous in chan_pjsip, an SDP offer or answer is still
processed and the crash occurs.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2016-008.html</url>
</references>
<dates>
<discovery>2016-11-11</discovery>
<entry>2016-12-09</entry>
</dates>
</vuln>
<vuln vid="eab68cff-bc0c-11e6-b2ca-001b3856973b">
<topic>cryptopp -- multiple vulnerabilities</topic>
<affects>
<package>
<name>cryptopp</name>
<range><lt>5.6.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Multiple sources report:</p>
<blockquote cite="https://eprint.iacr.org/2015/368">
<p>CVE-2015-2141: The InvertibleRWFunction::CalculateInverse function
in rw.cpp in libcrypt++ 5.6.2 does not properly blind private key
operations for the Rabin-Williams digital signature algorithm, which
allows remote attackers to obtain private keys via a timing attack.
Fixed in 5.6.3.</p>
</blockquote>
<blockquote cite="https://github.com/weidai11/cryptopp/issues/146">
<p>CVE-2016-3995: Incorrect implementation of Rijndael timing attack
countermeasure. Fixed in 5.6.4.</p>
</blockquote>
<blockquote cite="https://github.com/weidai11/cryptopp/issues/277">
<p>CVE-2016-7420: Library built without -DNDEBUG could egress sensitive
information to the filesystem via a core dump if an assert was triggered.
Fixed in 5.6.5.</p>
</blockquote>
</body>
</description>
<references>
<url>https://eprint.iacr.org/2015/368</url>
<url>https://github.com/weidai11/cryptopp/issues/146</url>
<url>https://github.com/weidai11/cryptopp/issues/277</url>
<cvename>CVE-2015-2141</cvename>
<cvename>CVE-2016-3995</cvename>
<cvename>CVE-2016-7420</cvename>
</references>
<dates>
<discovery>2015-02-27</discovery>
<entry>2016-12-06</entry>
</dates>
</vuln>
<vuln vid="e722e3c6-bbee-11e6-b1cf-14dae9d210b8">
<topic>FreeBSD -- bhyve(8) virtual machine escape</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>11.0</ge><lt>11.0_4</lt></range>
<range><ge>10.3</ge><lt>10.3_13</lt></range>
<range><ge>10.2</ge><lt>10.2_26</lt></range>
<range><ge>10.1</ge><lt>10.1_43</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The bounds checking of accesses to guest memory greater
than 4GB by device emulations is subject to integer
overflow.</p>
<h1>Impact:</h1>
<p>For a bhyve virtual machine with more than 3GB of guest
memory configured, a malicious guest could craft device
descriptors that could give it access to the heap of the
bhyve process. Since the bhyve process is running as root,
this may allow guests to obtain full control of the hosts
they're running on.</p>
</body>
</description>
<references>
<cvename>CVE-2016-1889</cvename>
<freebsdsa>SA-16:38.bhyve</freebsdsa>
</references>
<dates>
<discovery>2016-12-06</discovery>
<entry>2016-12-06</entry>
</dates>
</vuln>
<vuln vid="0282269d-bbee-11e6-b1cf-14dae9d210b8">
<topic>FreeBSD -- link_ntoa(3) buffer overflow</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>11.0</ge><lt>11.0_5</lt></range>
<range><ge>10.3</ge><lt>10.3_14</lt></range>
<range><ge>10.2</ge><lt>10.2_27</lt></range>
<range><ge>10.1</ge><lt>10.1_44</lt></range>
<range><ge>9.3</ge><lt>9.3_52</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A specially crafted argument can trigger a static buffer
overflow in the library, with the possibility of rewriting following
static buffers that belong to other library functions.</p>
<h1>Impact:</h1>
<p>Due to very limited use of the function in the existing
applications, and limited length of the overflow, exploitation
of the vulnerability does not seem feasible. None of the
utilities and daemons in the base system are known to be
vulnerable. However, careful review of third party software
that may use the function was not performed.</p>
</body>
</description>
<references>
<cvename>CVE-2016-6559</cvename>
<freebsdsa>SA-16:37.libc</freebsdsa>
</references>
<dates>
<discovery>2016-12-06</discovery>
<entry>2016-12-06</entry>
<modified>2016-12-08</modified>
</dates>
</vuln>
<vuln vid="e00304d2-bbed-11e6-b1cf-14dae9d210b8">
<topic>FreeBSD -- Possible login(1) argument injection in telnetd(8)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>11.0</ge><lt>11.0_4</lt></range>
<range><ge>10.3</ge><lt>10.3_13</lt></range>
<range><ge>10.2</ge><lt>10.2_26</lt></range>
<range><ge>10.1</ge><lt>10.1_43</lt></range>
<range><ge>9.3</ge><lt>9.3_51</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>An unexpected sequence of memory allocation failures
combined with insufficient error checking could result in
the construction and execution of an argument sequence that
was not intended.</p>
<h1>Impact:</h1>
<p>An attacker who controls the sequence of memory allocation
failures and successes may cause login(1) to run without
authentication and may be able to cause misbehavior of
login(1) replacements.</p>
<p>No practical way of controlling these memory allocation
failures is known at this time.</p>
</body>
</description>
<references>
<cvename>CVE-2016-1888</cvename>
<freebsdsa>SA-16:36.telnetd</freebsdsa>
</references>
<dates>
<discovery>2016-12-06</discovery>
<entry>2016-12-06</entry>
</dates>
</vuln>
<vuln vid="cb0bf1ec-bb92-11e6-a9a5-b499baebfeaf">
<topic>Apache httpd -- denial of service in HTTP/2</topic>
<affects>
<package>
<name>apache24</name>
<range><ge>2.4.17</ge><le>2.4.23_1</le></range>
</package>
<package>
<name>mod_http2-devel</name>
<range><lt>1.8.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>mod_http2 reports:</p>
<blockquote cite="http://mail-archives.apache.org/mod_mbox/httpd-announce/201612.mbox/%3C1A097A43-7CCB-4BA1-861F-E0C7EEE83A4B%40apache.org%3E">
<p>The Apache HTTPD web server (from 2.4.17-2.4.23) did not apply
limitations on request headers correctly when the experimental module
for the HTTP/2 protocol is used to access a resource.</p>
<p>The net result is that the server allocates too much memory
instead of denying the request. This can lead to memory exhaustion
of the server by a properly crafted request.</p>
</blockquote>
</body>
</description>
<references>
<url>http://mail-archives.apache.org/mod_mbox/httpd-announce/201612.mbox/%3C1A097A43-7CCB-4BA1-861F-E0C7EEE83A4B%40apache.org%3E</url>
<url>https://github.com/icing/mod_h2/releases/tag/v1.8.3</url>
<cvename>CVE-2016-8740</cvename>
</references>
<dates>
<discovery>2016-12-06</discovery>
<entry>2016-12-06</entry>
</dates>
</vuln>
<vuln vid="603fe0a1-bb26-11e6-8e5a-3065ec8fd3ec">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>55.0.2883.75</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://googlechromereleases.blogspot.nl/2016/12/stable-channel-update-for-desktop.html">
<p>36 security fixes in this release</p>
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9651</cvename>
<cvename>CVE-2016-5208</cvename>
<cvename>CVE-2016-5207</cvename>
<cvename>CVE-2016-5206</cvename>
<cvename>CVE-2016-5205</cvename>
<cvename>CVE-2016-5204</cvename>
<cvename>CVE-2016-5209</cvename>
<cvename>CVE-2016-5203</cvename>
<cvename>CVE-2016-5210</cvename>
<cvename>CVE-2016-5212</cvename>
<cvename>CVE-2016-5211</cvename>
<cvename>CVE-2016-5213</cvename>
<cvename>CVE-2016-5214</cvename>
<cvename>CVE-2016-5216</cvename>
<cvename>CVE-2016-5215</cvename>
<cvename>CVE-2016-5217</cvename>
<cvename>CVE-2016-5218</cvename>
<cvename>CVE-2016-5219</cvename>
<cvename>CVE-2016-5221</cvename>
<cvename>CVE-2016-5220</cvename>
<cvename>CVE-2016-5222</cvename>
<cvename>CVE-2016-9650</cvename>
<cvename>CVE-2016-5223</cvename>
<cvename>CVE-2016-5226</cvename>
<cvename>CVE-2016-5225</cvename>
<cvename>CVE-2016-5224</cvename>
<cvename>CVE-2016-9652</cvename>
<url>https://googlechromereleases.blogspot.nl/2016/12/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2016-12-01</discovery>
<entry>2016-12-05</entry>
</dates>
</vuln>
<vuln vid="e1f67063-aab4-11e6-b2d3-60a44ce6887b">
<topic>ImageMagick7 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ImageMagick7</name>
<name>ImageMagick7-nox11</name>
<range><lt>7.0.3.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Multiple sources report:</p>
<blockquote cite="https://github.com/ImageMagick/ImageMagick/issues/296">
<p>CVE-2016-9298: heap overflow in WaveletDenoiseImage(), fixed in ImageMagick7-7.0.3.6, discovered 2016-10-31</p>
</blockquote>
<blockquote cite="https://blogs.gentoo.org/ago/2016/10/20/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862/">
<p>CVE-2016-8866: memory allocation failure in AcquireMagickMemory (incomplete previous fix for CVE-2016-8862), not fixed yet with the release of this announcement, re-discovered 2016-10-13.</p>
</blockquote>
<blockquote cite="https://blogs.gentoo.org/ago/2016/10/17/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c/">
<p>CVE-2016-8862: memory allocation failure in AcquireMagickMemory, initially partially fixed in ImageMagick7-7.0.3.3, discovered 2016-09-14.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/ImageMagick/ImageMagick/issues/296</url>
<url>https://blogs.gentoo.org/ago/2016/10/20/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862/</url>
<url>https://blogs.gentoo.org/ago/2016/10/17/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c/</url>
<cvename>CVE-2016-9298</cvename>
<cvename>CVE-2016-8866</cvename>
<cvename>CVE-2016-8862</cvename>
<freebsdpr>ports/214514</freebsdpr>
</references>
<dates>
<discovery>2016-09-14</discovery>
<entry>2016-12-04</entry>
</dates>
</vuln>
<vuln vid="bc4898d5-a794-11e6-b2d3-60a44ce6887b">
<topic>Pillow -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py27-pillow</name>
<name>py33-pillow</name>
<name>py34-pillow</name>
<name>py35-pillow</name>
<range><lt>3.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Pillow reports:</p>
<blockquote cite="http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html">
<p>Pillow prior to 3.3.2 may experience integer overflow
errors in map.c when reading specially crafted image files. This may
lead to memory disclosure or corruption.</p>
<p>Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check
for negative image sizes in ImagingNew in Storage.c. A negative image
size can lead to a smaller allocation than expected, leading to arbitrary
writes.</p>
</blockquote>
</body>
</description>
<references>
<url>http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html</url>
<url>https://github.com/python-pillow/Pillow/issues/2105</url>
<cvename>CVE-2016-9189</cvename>
<cvename>CVE-2016-9190</cvename>
<freebsdpr>ports/214410</freebsdpr>
</references>
<dates>
<discovery>2016-09-06</discovery>
<entry>2016-12-04</entry>
</dates>
</vuln>
<vuln vid="19d35b0f-ba73-11e6-b1cf-14dae9d210b8">
<topic>ImageMagick -- heap overflow vulnerability</topic>
<affects>
<package>
<name>ImageMagick</name>
<name>ImageMagick-nox11</name>
<range><lt>6.9.6.4,1</lt></range>
</package>
<package>
<name>ImageMagick7</name>
<name>ImageMagick7-nox11</name>
<range><lt>7.0.3.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Bastien Roucaries reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2016/q4/413">
<p>Imagemagick before 3cbfb163cff9e5b8cdeace8312e9bfee810ed02b
suffers from a heap overflow in WaveletDenoiseImage(). This problem is
easily triggerable from a Perl script.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2016/q4/413</url>
<url>https://github.com/ImageMagick/ImageMagick/issues/296</url>
<cvename>CVE-2016-9298</cvename>
<freebsdpr>ports/214517</freebsdpr>
<freebsdpr>ports/214511</freebsdpr>
<freebsdpr>ports/214520</freebsdpr>
</references>
<dates>
<discovery>2016-11-13</discovery>
<entry>2016-12-04</entry>
</dates>
</vuln>
<vuln vid="e5dcb942-ba6f-11e6-b1cf-14dae9d210b8">
<topic>py-cryptography -- vulnerable HKDF key generation</topic>
<affects>
<package>
<name>py27-cryptography</name>
<name>py33-cryptography</name>
<name>py34-cryptography</name>
<name>py35-cryptography</name>
<range><lt>1.5.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Alex Gaynor reports:</p>
<blockquote cite="https://github.com/pyca/cryptography/commit/b94cacf2ae6e75e4007a79709bbf5360435b512d">
<p>Fixed a bug where ``HKDF`` would return an empty
byte-string if used with a ``length`` less than
``algorithm.digest_size``.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/pyca/cryptography/commit/b94cacf2ae6e75e4007a79709bbf5360435b512d</url>
<cvename>CVE-2016-9243</cvename>
<freebsdpr>ports/214915</freebsdpr>
</references>
<dates>
<discovery>2016-11-05</discovery>
<entry>2016-12-04</entry>
<modified>2016-12-06</modified>
</dates>
</vuln>
<vuln vid="a228c7a0-ba66-11e6-b1cf-14dae9d210b8">
<topic>qemu -- denial of service vulnerability</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<name>qemu-sbruno</name>
<range><lt>2.3.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Daniel P. Berrange reports:</p>
<blockquote cite="https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04895.html">
<p>The VNC server websockets decoder will read and buffer data
from websockets clients until it sees the end of the HTTP headers,
as indicated by \r\n\r\n. In theory this allows a malicious client to
trick QEMU into consuming an arbitrary amount of RAM.</p>
</blockquote>
</body>
</description>
<references>
<url>https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04895.html</url>
<cvename>CVE-2015-1779</cvename>
<freebsdpr>ports/206725</freebsdpr>
</references>
<dates>
<discovery>2015-03-23</discovery>
<entry>2016-12-04</entry>
<modified>2016-12-06</modified>
</dates>
</vuln>
<vuln vid="59f79c99-ba4d-11e6-ae1b-002590263bf5">
<topic>xen-tools -- delimiter injection vulnerabilities in pygrub</topic>
<affects>
<package>
<name>xen-tools</name>
<range><lt>4.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="https://xenbits.xen.org/xsa/advisory-198.html">
<p>pygrub, the boot loader emulator, fails to quote (or sanity check)
its results when reporting them to its caller.</p>
<p>A malicious guest administrator can obtain the contents of
sensitive host files (an information leak). Additionally, a
malicious guest administrator can cause files on the host to be
removed, causing a denial of service. In some unusual host
configurations, ability to remove certain files may be usable for
privilege escalation.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9379</cvename>
<cvename>CVE-2016-9380</cvename>
<freebsdpr>ports/214936</freebsdpr>
<url>https://xenbits.xen.org/xsa/advisory-198.html</url>
</references>
<dates>
<discovery>2016-11-22</discovery>
<entry>2016-12-04</entry>
</dates>
</vuln>
<vuln vid="58685e23-ba4d-11e6-ae1b-002590263bf5">
<topic>xen-tools -- qemu incautious about shared ring processing</topic>
<affects>
<package>
<name>xen-tools</name>
<range><lt>4.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="https://xenbits.xen.org/xsa/advisory-197.html">
<p>The compiler can emit optimizations in qemu which can lead to
double fetch vulnerabilities. Specifically data on the rings shared
between qemu and the hypervisor (which the guest under control can
obtain mappings of) can be fetched twice (during which time the
guest can alter the contents) possibly leading to arbitrary code
execution in qemu.</p>
<p>Malicious administrators can exploit this vulnerability to take
over the qemu process, elevating its privilege to that of the qemu
process.</p>
<p>In a system not using a device model stub domain (or other
techniques for deprivileging qemu), malicious guest administrators
can thus elevate their privilege to that of the host.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9381</cvename>
<freebsdpr>ports/214936</freebsdpr>
<url>https://xenbits.xen.org/xsa/advisory-197.html</url>
</references>
<dates>
<discovery>2016-11-22</discovery>
<entry>2016-12-04</entry>
</dates>
</vuln>
<vuln vid="56f0f11e-ba4d-11e6-ae1b-002590263bf5">
<topic>xen-kernel -- x86 64-bit bit test instruction emulation broken</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="https://xenbits.xen.org/xsa/advisory-195.html">
<p>The x86 instructions BT, BTC, BTR, and BTS, when used with a
destination memory operand and a source register rather than an
immediate operand, access a memory location offset from that
specified by the memory operand as specified by the high bits of
the register source.</p>
<p>A malicious guest can modify arbitrary memory, allowing for
arbitrary code execution (and therefore privilege escalation
affecting the whole host), a crash of the host (leading to a DoS),
or information leaks. The vulnerability is sometimes exploitable
by unprivileged guest user processes.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9383</cvename>
<freebsdpr>ports/214936</freebsdpr>
<url>https://xenbits.xen.org/xsa/advisory-195.html</url>
</references>
<dates>
<discovery>2016-11-22</discovery>
<entry>2016-12-04</entry>
</dates>
</vuln>
<vuln vid="5555120d-ba4d-11e6-ae1b-002590263bf5">
<topic>xen-kernel -- guest 32-bit ELF symbol table load leaking host data</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>4.7</ge><lt>4.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="https://xenbits.xen.org/xsa/advisory-194.html">
<p>Along with their main kernel binary, unprivileged guests may
arrange to have their Xen environment load (kernel) symbol tables
for their use. The ELF image metadata created for this purpose has a
few unused bytes when the symbol table binary is in 32-bit ELF
format. These unused bytes were not properly cleared during symbol
table loading.</p>
<p>A malicious unprivileged guest may be able to obtain sensitive
information from the host.</p>
<p>The information leak is small and not under the control of the
guest, so effectively exploiting this vulnerability is probably
difficult.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9384</cvename>
<freebsdpr>ports/214936</freebsdpr>
<url>https://xenbits.xen.org/xsa/advisory-194.html</url>
</references>
<dates>
<discovery>2016-11-22</discovery>
<entry>2016-12-04</entry>
</dates>
</vuln>
<vuln vid="53dbd096-ba4d-11e6-ae1b-002590263bf5">
<topic>xen-kernel -- x86 segment base write emulation lacking canonical address checks</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>4.4</ge><lt>4.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="https://xenbits.xen.org/xsa/advisory-193.html">
<p>Both writes to the FS and GS register base MSRs as well as the
WRFSBASE and WRGSBASE instructions require their input values to be
canonical, or a #GP fault will be raised. When the use of those
instructions by the hypervisor was enabled, the previous guard
against #GP faults (having recovery code attached) was accidentally
removed.</p>
<p>A malicious guest administrator can crash the host, leading to a
DoS.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9385</cvename>
<freebsdpr>ports/214936</freebsdpr>
<url>https://xenbits.xen.org/xsa/advisory-193.html</url>
</references>
<dates>
<discovery>2016-11-22</discovery>
<entry>2016-12-04</entry>
</dates>
</vuln>
<vuln vid="523bb0b7-ba4d-11e6-ae1b-002590263bf5">
<topic>xen-kernel -- x86 task switch to VM86 mode mis-handled</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="https://xenbits.xen.org/xsa/advisory-192.html">
<p>LDTR, just like TR, is purely a protected mode facility. Hence even
when switching to a VM86 mode task, LDTR loading needs to follow
protected mode semantics. This was violated by the code.</p>
<p>On SVM (AMD hardware): a malicious unprivileged guest process can
escalate its privilege to that of the guest operating system.</p>
<p>On both SVM and VMX (Intel hardware): a malicious unprivileged
guest process can crash the guest.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9382</cvename>
<freebsdpr>ports/214936</freebsdpr>
<url>https://xenbits.xen.org/xsa/advisory-192.html</url>
</references>
<dates>
<discovery>2016-11-22</discovery>
<entry>2016-12-04</entry>
</dates>
</vuln>
<vuln vid="50ac2e96-ba4d-11e6-ae1b-002590263bf5">
<topic>xen-kernel -- x86 null segments not always treated as unusable</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="https://xenbits.xen.org/xsa/advisory-191.html">
<p>The Xen x86 emulator erroneously failed to consider the unusability
of segments when performing memory accesses.</p>
<p>The intended behaviour is as follows: The user data segment (%ds,
%es, %fs and %gs) selectors may be NULL in 32-bit to prevent access.
In 64-bit, NULL has a special meaning for user segments, and there
is no way of preventing access. However, in both 32-bit and 64-bit,
a NULL LDT system segment is intended to prevent access.</p>
<p>On Intel hardware, loading a NULL selector zeros the base as well
as most attributes, but sets the limit field to its largest possible
value. On AMD hardware, loading a NULL selector zeros the attributes,
leaving the stale base and limit intact.</p>
<p>Xen may erroneously permit the access using unexpected base/limit
values.</p>
<p>Ability to exploit this vulnerability on Intel is easy, but on AMD
depends in a complicated way on how the guest kernel manages LDTs.</p>
<p>An unprivileged guest user program may be able to elevate its
privilege to that of the guest operating system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9386</cvename>
<freebsdpr>ports/214936</freebsdpr>
<url>https://xenbits.xen.org/xsa/advisory-191.html</url>
</references>
<dates>
<discovery>2016-11-22</discovery>
<entry>2016-12-04</entry>
</dates>
</vuln>
<vuln vid="4d7cf654-ba4d-11e6-ae1b-002590263bf5">
<topic>xen-kernel -- CR0.TS and CR0.EM not always honored for x86 HVM guests</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="https://xenbits.xen.org/xsa/advisory-190.html">
<p>Instructions touching FPU, MMX, or XMM registers are required to
raise a Device Not Available Exception (#NM) when either CR0.EM or
CR0.TS are set. (Their AVX or AVX-512 extensions would consider only
CR0.TS.) While during normal operation this is ensured by the
hardware, if a guest modifies instructions while the hypervisor is
preparing to emulate them, the #NM delivery could be missed.</p>
<p>Guest code in one task may thus (unintentionally or maliciously)
read or modify register state belonging to another task in the same
VM.</p>
<p>A malicious unprivileged guest user may be able to obtain or
corrupt sensitive information (including cryptographic material) in
other programs in the same guest.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-7777</cvename>
<freebsdpr>ports/214936</freebsdpr>
<url>https://xenbits.xen.org/xsa/advisory-190.html</url>
</references>
<dates>
<discovery>2016-10-04</discovery>
<entry>2016-12-04</entry>
</dates>
</vuln>
<vuln vid="4bf57137-ba4d-11e6-ae1b-002590263bf5">
<topic>xen-kernel -- use after free in FIFO event channel code</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>4.4</ge><lt>4.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="https://xenbits.xen.org/xsa/advisory-188.html">
<p>When the EVTCHNOP_init_control operation is called with a bad guest
frame number, it takes an error path which frees a control structure
without also clearing the corresponding pointer. Certain subsequent
operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control),
upon finding the non-NULL pointer, continue operation assuming it
points to allocated memory.</p>
<p>A malicious guest administrator can crash the host, leading to a
DoS. Arbitrary code execution (and therefore privilege escalation),
and information leaks, cannot be excluded.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-7154</cvename>
<freebsdpr>ports/214936</freebsdpr>
<url>https://xenbits.xen.org/xsa/advisory-188.html</url>
</references>
<dates>
<discovery>2016-09-08</discovery>
<entry>2016-12-04</entry>
</dates>
</vuln>
<vuln vid="4aae54be-ba4d-11e6-ae1b-002590263bf5">
<topic>xen-kernel -- x86 HVM: Overflow of sh_ctxt->seg_reg[]</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="https://xenbits.xen.org/xsa/advisory-187.html">
<p>x86 HVM guests running with shadow paging use a subset of the x86
emulator to handle the guest writing to its own pagetables. There
are situations a guest can provoke which result in exceeding the
space allocated for internal state.</p>
<p>A malicious HVM guest administrator can cause Xen to fail a bug
check, causing a denial of service to the host.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-7094</cvename>
<freebsdpr>ports/214936</freebsdpr>
<url>https://xenbits.xen.org/xsa/advisory-187.html</url>
</references>
<dates>
<discovery>2016-09-08</discovery>
<entry>2016-12-04</entry>
</dates>
</vuln>
<vuln vid="49211361-ba4d-11e6-ae1b-002590263bf5">
<topic>xen-kernel -- x86: Mishandling of instruction pointer truncation during emulation</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><eq>4.5.3</eq></range>
<range><eq>4.6.3</eq></range>
<range><ge>4.7.0</ge><lt>4.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="https://xenbits.xen.org/xsa/advisory-186.html">
<p>When emulating HVM instructions, Xen uses a small i-cache for
fetches from guest memory. The code that handles cache misses does
not check if the address from which it fetched lies within the cache
before blindly writing to it. As such it is possible for the guest
to overwrite hypervisor memory.</p>
<p>It is currently believed that the only way to trigger this bug is
to use the way that Xen currently incorrectly wraps CS:IP in 16 bit
modes. The included patch prevents such wrapping.</p>
<p>A malicious HVM guest administrator can escalate their privilege to
that of the host.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-7093</cvename>
<freebsdpr>ports/214936</freebsdpr>
<url>https://xenbits.xen.org/xsa/advisory-186.html</url>
</references>
<dates>
<discovery>2016-09-08</discovery>
<entry>2016-12-04</entry>
</dates>
</vuln>
<vuln vid="45ca25b5-ba4d-11e6-ae1b-002590263bf5">
<topic>xen-kernel -- x86: Disallow L3 recursive pagetable for 32-bit PV guests</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="https://xenbits.xen.org/xsa/advisory-185.html">
<p>On real hardware, a 32-bit PAE guest must leave the USER and RW bit
clear in L3 pagetable entries, but the pagetable walk behaves as if
they were set. (The L3 entries are cached in processor registers,
and don't actually form part of the pagewalk.)</p>
<p>When running a 32-bit PV guest on a 64-bit Xen, Xen must always OR
in the USER and RW bits for L3 updates for the guest to observe
architectural behaviour. This is unsafe in combination with
recursive pagetables.</p>
<p>As there is no way to construct an L3 recursive pagetable in native
32-bit PAE mode, disallow this option in 32-bit PV guests.</p>
<p>A malicious 32-bit PV guest administrator can escalate their
privilege to that of the host.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-7092</cvename>
<freebsdpr>ports/214936</freebsdpr>
<url>https://xenbits.xen.org/xsa/advisory-185.html</url>
</references>
<dates>
<discovery>2016-09-08</discovery>
<entry>2016-12-04</entry>
</dates>
</vuln>
<vuln vid="7fff2b16-b0ee-11e6-86b8-589cfc054129">
<topic>wireshark -- multiple vulnerabilities</topic>
<affects>
<package>
<name>tshark</name>
<range><lt>2.2.2</lt></range>
</package>
<package>
<name>tshark-lite</name>
<range><lt>2.2.2</lt></range>
</package>
<package>
<name>wireshark</name>
<range><lt>2.2.2</lt></range>
</package>
<package>
<name>wireshark-lite</name>
<range><lt>2.2.2</lt></range>
</package>
<package>
<name>wireshark-qt5</name>
<range><lt>2.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark project reports:</p>
<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.2.2.html">
<p>Wireshark project is releasing Wireshark 2.2.2, which addresses:</p>
<ul>
<li>wnpa-sec-2016-58: Profinet I/O long loop - CVE-2016-9372</li>
<li>wnpa-sec-2016-59: AllJoyn crash - CVE-2016-9374</li>
<li>wnpa-sec-2016-60: OpenFlow crash - CVE-2016-9376</li>
<li>wnpa-sec-2016-61: DCERPC crash - CVE-2016-9373</li>
<li>wnpa-sec-2016-62: DTN infinite loop - CVE-2016-9375</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://www.wireshark.org/docs/relnotes/wireshark-2.2.2.html</url>
<cvename>CVE-2016-9372</cvename>
<cvename>CVE-2016-9373</cvename>
<cvename>CVE-2016-9374</cvename>
<cvename>CVE-2016-9375</cvename>
<cvename>CVE-2016-9376</cvename>
</references>
<dates>
<discovery>2016-11-16</discovery>
<entry>2016-12-01</entry>
</dates>
</vuln>
<vuln vid="18f39fb6-7400-4063-acaf-0806e92c094f">
<topic>Mozilla -- SVG Animation Remote Code Execution</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>50.0.2,1</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>45.5.1,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>45.5.1,2</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.46</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.46</lt></range>
</package>
<package>
<name>libxul</name>
<range><lt>45.5.1</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>45.5.1</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>45.5.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/">
<p>A use-after-free vulnerability in SVG Animation has been
discovered. An exploit built on this vulnerability has been
discovered in the wild targeting Firefox and Tor Browser
users on Windows.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9079</cvename>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/</url>
</references>
<dates>
<discovery>2016-11-30</discovery>
<entry>2016-12-01</entry>
<modified>2016-12-16</modified>
</dates>
</vuln>
<vuln vid="479c5b91-b6cc-11e6-a04e-3417eb99b9a0">
<topic>wget -- Access List Bypass / Race Condition</topic>
<affects>
<package>
<name>wget</name>
<range><le>1.17</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dawid Golunski reports:</p>
<blockquote cite="https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html">
<p>GNU wget in version 1.17 and earlier, when used in
mirroring/recursive mode, is affected by a Race Condition
vulnerability that might allow remote attackers to bypass intended
wget access list restrictions specified with -A parameter.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7098</url>
<cvename>CVE-2016-7098</cvename>
</references>
<dates>
<discovery>2016-11-24</discovery>
<entry>2016-11-30</entry>
</dates>
</vuln>
<vuln vid="48e83187-b6e9-11e6-b6cf-5453ed2e2b49">
<topic>p7zip -- Null pointer dereference</topic>
<affects>
<package>
<name>p7zip</name>
<range><lt>15.14_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9296">
<p>A null pointer dereference bug affects 16.02 and many older
versions of p7zip. A lack of a null pointer check for the variable
<code>folders.PackPositions</code> in function
<code>CInArchive::ReadAndDecodePackedStreams</code>, as used in
the 7z.so library and in 7z applications, will cause a crash and a
denial of service when decoding malformed 7z files.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9296</cvename>
<url>https://sourceforge.net/p/p7zip/discussion/383043/thread/648d34db/</url>
<url>https://sourceforge.net/p/p7zip/bugs/185/</url>
<url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9296</url>
</references>
<dates>
<discovery>2016-07-17</discovery>
<entry>2016-11-30</entry>
</dates>
</vuln>
<vuln vid="ac256985-b6a9-11e6-a3bf-206a8a720317">
<topic>subversion -- Unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s)</topic>
<affects>
<package>
<name>subversion18</name>
<range><lt>1.8.17</lt></range>
</package>
<package>
<name>subversion</name>
<range><lt>1.9.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Software Foundation reports:</p>
<blockquote cite="http://subversion.apache.org/security/CVE-2016-8734-advisory.txt">
<p>The mod_dontdothat module of subversion and subversion clients using
http(s):// are vulnerable to a denial-of-service attack, caused by
exponential XML entity expansion. The attack targets XML parsers,
causing the targeted process to consume excessive amounts of resources.
The attack is also known as the "billions of laughs attack."</p>
</blockquote>
</body>
</description>
<references>
<url>http://subversion.apache.org/security/CVE-2016-8734-advisory.txt</url>
<cvename>CVE-2016-8734</cvename>
</references>
<dates>
<discovery>2016-11-29</discovery>
<entry>2016-11-29</entry>
</dates>
</vuln>
<vuln vid="18449f92-ab39-11e6-8011-005056925db4">
<topic>libwww -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libwww</name>
<range><lt>5.4.0_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mitre reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3183">
<p>The HTBoundary_put_block function in HTBound.c for W3C libwww
(w3c-libwww) allows remote servers to cause a denial of service
(segmentation fault) via a crafted multipart/byteranges MIME message
that triggers an out-of-bounds read.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560">
<p>The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
as used in the XML-Twig module for Perl, allows context-dependent
attackers to cause a denial of service (application crash) via an XML
document with malformed UTF-8 sequences that trigger a buffer
over-read, related to the doProlog function in lib/xmlparse.c, a
different vulnerability than CVE-2009-2625 and CVE-2009-3720.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720">
<p>The updatePosition function in lib/xmltok_impl.c in libexpat in
Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other
software, allows context-dependent attackers to cause a denial of
service (application crash) via an XML document with crafted UTF-8
sequences that trigger a buffer over-read, a different vulnerability
than CVE-2009-2625.</p>
</blockquote>
</body>
</description>
<references>
<bid>15035</bid>
<cvename>CVE-2005-3183</cvename>
<cvename>CVE-2009-3560</cvename>
<cvename>CVE-2009-3720</cvename>
<freebsdpr>ports/214546</freebsdpr>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=170518</url>
</references>
<dates>
<discovery>2005-10-12</discovery>
<entry>2016-11-29</entry>
</dates>
</vuln>
<vuln vid="f90fce70-ecfa-4f4d-9ee8-c476dbf4bf0e">
<topic>mozilla -- data: URL can inherit wrong origin after an HTTP redirect</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>50.0.1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-91/">
<p>Redirection from an HTTP connection to a data: URL
assigns the referring site's origin to the data: URL in some
circumstances. This can result in same-origin violations
against a domain if it loads resources from malicious
sites. Cross-origin setting of cookies has been demonstrated
without the ability to read them.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9078</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2016-91/</url>
</references>
<dates>
<discovery>2016-11-28</discovery>
<entry>2016-11-29</entry>
</dates>
</vuln>
<vuln vid="125f5958-b611-11e6-a9a5-b499baebfeaf">
<topic>Roundcube -- arbitrary command execution</topic>
<affects>
<package>
<name>roundcube</name>
<range><lt>1.2.3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Roundcube project reports:</p>
<blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-9920">
<p>steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before
1.2.3, when no SMTP server is configured and the sendmail program is
enabled, does not properly restrict the use of custom envelope-from
addresses on the sendmail command line, which allows remote
authenticated users to execute arbitrary code via a modified HTTP
request that sends a crafted e-mail message.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9920</cvename>
<bid>94858</bid>
<url>http://www.openwall.com/lists/oss-security/2016/12/08/17</url>
<url>https://github.com/roundcube/roundcubemail/wiki/Changelog#release-123</url>
</references>
<dates>
<discovery>2016-11-29</discovery>
<entry>2016-11-29</entry>
<modified>2016-12-14</modified>
</dates>
</vuln>
<vuln vid="8db24888-b2f5-11e6-8153-00248c0c745d">
<topic>Drupal Code -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>drupal7</name>
<range><ge>7.0</ge><lt>7.52</lt></range>
</package>
<package>
<name>drupal8</name>
<range><ge>8.0.0</ge><lt>8.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Drupal development team reports:</p>
<blockquote cite="https://www.drupal.org/SA-CORE-2016-005">
<h3>Inconsistent name for term access query (Less critical - Drupal
7 and Drupal 8)</h3>
<p>Drupal provides a mechanism to alter database SELECT queries before
they are executed. Contributed and custom modules may use this
mechanism to restrict access to certain entities by implementing
hook_query_alter() or hook_query_TAG_alter() in order to add
additional conditions. Queries can be distinguished by means of
query tags. As the documentation on EntityFieldQuery::addTag()
suggests, access-tags on entity queries normally follow the form
ENTITY_TYPE_access (e.g. node_access). However, the taxonomy
module's access query tag predated this system and used term_access
as the query tag instead of taxonomy_term_access.</p>
<p>As a result, before this security release modules wishing to
restrict access to taxonomy terms may have implemented an
unsupported tag, or needed to look for both tags (term_access and
taxonomy_term_access) in order to be compatible with queries
generated both by Drupal core as well as those generated by
contributed modules like Entity Reference. Otherwise information
on taxonomy terms might have been disclosed to unprivileged users.
</p>
<h3>Incorrect cache context on password reset page (Less critical -
Drupal 8)</h3>
<p>The user password reset form does not specify a proper cache
context, which can lead to cache poisoning and unwanted content on
the page.</p>
<h3>Confirmation forms allow external URLs to be injected (Moderately
critical - Drupal 7)</h3>
<p>Under certain circumstances, malicious users could construct a URL
to a confirmation form that would trick users into being redirected
to a 3rd party website after interacting with the form, thereby
exposing the users to potential social engineering attacks.</p>
<h3>Denial of service via transliterate mechanism (Moderately critical
- Drupal 8)</h3>
<p>A specially crafted URL can cause a denial of service via the
transliterate mechanism.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9449</cvename>
<cvename>CVE-2016-9450</cvename>
<cvename>CVE-2016-9451</cvename>
<cvename>CVE-2016-9452</cvename>
</references>
<dates>
<discovery>2016-11-16</discovery>
<entry>2016-11-25</entry>
<modified>2016-11-27</modified>
</dates>
</vuln>
<vuln vid="6fe72178-b2e3-11e6-8b2a-6805ca0b3d42">
<topic>phpMyAdmin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><ge>4.6.0</ge><lt>4.6.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Please reference CVE/URL list for details</p>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2016-57/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-58/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-59/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-60/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-61/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-62/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-63/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-64/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-65/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-66/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-67/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-68/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-69/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-70/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-71/</url>
<cvename>CVE-2016-6632</cvename>
<cvename>CVE-2016-6633</cvename>
<cvename>CVE-2016-4412</cvename>
</references>
<dates>
<discovery>2016-11-25</discovery>
<entry>2016-11-25</entry>
</dates>
</vuln>
<vuln vid="dc596a17-7a9e-11e6-b034-f0def167eeea">
<topic>mysql -- remote code execution vulnerability in MySQL and its variants (CVE-2016-6662)</topic>
<affects>
<package>
<name>mysql57-client</name>
<name>mysql57-server</name>
<range><lt>5.7.15</lt></range>
</package>
<package>
<name>mysql56-client</name>
<name>mysql56-server</name>
<range><lt>5.6.33</lt></range>
</package>
<package>
<name>mysql55-client</name>
<name>mysql55-server</name>
<range><lt>5.5.52</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>LegalHackers reports:</p>
<blockquote cite="http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html">
<p>RCE bugs discovered in MySQL and its variants like MariaDB.
It works by manipulating my.cnf files and using --malloc-lib.
The bug seems fixed in MySQL 5.7.15 by Oracle.</p>
</blockquote>
</body>
</description>
<references>
<url>http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html</url>
<url>https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html</url>
</references>
<dates>
<discovery>2016-09-12</discovery>
<entry>2016-11-24</entry>
<modified>2016-11-24</modified>
</dates>
</vuln>
<vuln vid="8db8d62a-b08b-11e6-8eba-d050996490d0">
<topic>ntp -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ntp</name>
<range><lt>4.2.8p9</lt></range>
</package>
<package>
<name>ntp-devel</name>
<range><gt>0</gt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Network Time Foundation reports:</p>
<blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se">
<p>NTF's NTP Project is releasing ntp-4.2.8p9, which addresses:</p>
<ul>
<li>1 HIGH severity vulnerability that only affects Windows</li>
<li>2 MEDIUM severity vulnerabilities</li>
<li>2 MEDIUM/LOW severity vulnerabilities</li>
<li>5 LOW severity vulnerabilities</li>
<li>28 other non-security fixes and improvements</li>
</ul>
<p>All of the security issues in this release are listed in
<a href="http://www.kb.cert.org/vuls/id/633847">VU#633847</a>.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-7426</cvename>
<cvename>CVE-2016-7427</cvename>
<cvename>CVE-2016-7428</cvename>
<cvename>CVE-2016-7429</cvename>
<cvename>CVE-2016-7431</cvename>
<cvename>CVE-2016-7433</cvename>
<cvename>CVE-2016-7434</cvename>
<cvename>CVE-2016-9310</cvename>
<cvename>CVE-2016-9311</cvename>
<cvename>CVE-2016-9312</cvename>
<url>http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se</url>
<url>http://www.kb.cert.org/vuls/id/633847</url>
</references>
<dates>
<discovery>2016-11-21</discovery>
<entry>2016-11-22</entry>
</dates>
</vuln>
<vuln vid="81fc7705-b002-11e6-b20a-14dae9d5a9d2">
<topic>teeworlds -- Remote code execution</topic>
<affects>
<package>
<name>teeworlds</name>
<range><lt>0.6.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Teeworlds project reports:</p>
<blockquote cite="https://www.teeworlds.com/?page=news&amp;id=12086">
<p>Attacker controlled memory-writes and possibly arbitrary code
execution on the client, abusable by any server the client joins.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.teeworlds.com/?page=news&amp;id=12086</url>
</references>
<dates>
<discovery>2016-11-13</discovery>
<entry>2016-11-21</entry>
</dates>
</vuln>
<vuln vid="27eee66d-9474-44a5-b830-21ec12a1c307">
<topic>jenkins -- Remote code execution vulnerability in remoting module</topic>
<affects>
<package>
<name>jenkins</name>
<range><le>2.31</le></range>
</package>
<package>
<name>jenkins-lts</name>
<range><le>2.19.2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16">
<p>An unauthenticated remote code execution vulnerability allowed
attackers to transfer a serialized Java object to the Jenkins CLI,
making Jenkins connect to an attacker-controlled LDAP server, which
in turn can send a serialized payload leading to code execution,
bypassing existing protection mechanisms.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9299</cvename>
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16</url>
</references>
<dates>
<discovery>2016-11-11</discovery>
<entry>2016-11-16</entry>
</dates>
</vuln>
<vuln vid="f6565fbf-ab9e-11e6-ae1b-002590263bf5">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle29</name>
<range><lt>2.9.9</lt></range>
</package>
<package>
<name>moodle30</name>
<range><lt>3.0.7</lt></range>
</package>
<package>
<name>moodle31</name>
<range><lt>3.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Marina Glancy reports:</p>
<blockquote cite="https://moodle.org/security/">
<ul>
<li><p>MSA-16-0023: Question engine allows access to files that
should not be available</p></li>
<li><p>MSA-16-0024: Non-admin site managers may accidentally edit
admins via web services</p></li>
<li><p>MSA-16-0025: Capability to view course notes is checked in
the wrong context</p></li>
<li><p>MSA-16-0026: When debugging is enabled, error exceptions
returned from webservices could contain private data</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-8642</cvename>
<cvename>CVE-2016-8643</cvename>
<cvename>CVE-2016-8644</cvename>
<url>https://moodle.org/security/</url>
</references>
<dates>
<discovery>2016-11-14</discovery>
<entry>2016-11-16</entry>
<modified>2016-11-27</modified>
</dates>
</vuln>
<vuln vid="ab02f981-ab9e-11e6-ae1b-002590263bf5">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle29</name>
<range><lt>2.9.8</lt></range>
</package>
<package>
<name>moodle30</name>
<range><lt>3.0.6</lt></range>
</package>
<package>
<name>moodle31</name>
<range><lt>3.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Marina Glancy reports:</p>
<blockquote cite="https://moodle.org/security/">
<ul>
<li><p>MSA-16-0022: Web service tokens should be invalidated when
the user password is changed or forced to be changed.</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-7038</cvename>
<url>https://moodle.org/security/</url>
</references>
<dates>
<discovery>2016-09-12</discovery>
<entry>2016-11-16</entry>
</dates>
</vuln>
<vuln vid="d1853110-07f4-4645-895b-6fd462ad0589">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>50.0_1,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.47</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>45.5.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>45.5.0,2</lt></range>
</package>
<package>
<name>libxul</name>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>45.5.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/">
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5289</cvename>
<cvename>CVE-2016-5290</cvename>
<cvename>CVE-2016-5291</cvename>
<cvename>CVE-2016-5292</cvename>
<cvename>CVE-2016-5293</cvename>
<cvename>CVE-2016-5294</cvename>
<cvename>CVE-2016-5295</cvename>
<cvename>CVE-2016-5296</cvename>
<cvename>CVE-2016-5297</cvename>
<cvename>CVE-2016-5298</cvename>
<cvename>CVE-2016-5299</cvename>
<cvename>CVE-2016-9061</cvename>
<cvename>CVE-2016-9062</cvename>
<cvename>CVE-2016-9063</cvename>
<cvename>CVE-2016-9064</cvename>
<cvename>CVE-2016-9065</cvename>
<cvename>CVE-2016-9066</cvename>
<cvename>CVE-2016-9067</cvename>
<cvename>CVE-2016-9068</cvename>
<cvename>CVE-2016-9070</cvename>
<cvename>CVE-2016-9071</cvename>
<cvename>CVE-2016-9072</cvename>
<cvename>CVE-2016-9073</cvename>
<cvename>CVE-2016-9074</cvename>
<cvename>CVE-2016-9075</cvename>
<cvename>CVE-2016-9076</cvename>
<cvename>CVE-2016-9077</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2016-89/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-90/</url>
</references>
<dates>
<discovery>2016-11-15</discovery>
<entry>2016-11-16</entry>
</dates>
</vuln>
<vuln vid="a8e9d834-a916-11e6-b9b4-bcaec524bf84">
<topic>lives -- insecure files permissions</topic>
<affects>
<package>
<name>lives</name>
<range><lt>2.8.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Debian reports:</p>
<blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756565">
<p>smogrify script creates insecure temporary files.</p>
</blockquote>
<blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798043">
<p>lives creates and uses world-writable directory.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756565</url>
<url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798043</url>
</references>
<dates>
<discovery>2016-07-30</discovery>
<entry>2016-11-12</entry>
</dates>
</vuln>
<vuln vid="50751310-a763-11e6-a881-b499baebfeaf">
<topic>openssl -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl-devel</name>
<range><lt>1.1.0c</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL reports:</p>
<blockquote cite="https://www.openssl.org/news/secadv/20161110.txt">
<ul>
<li>ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)<br/>
Severity: High<br/>
TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS
attack by corrupting larger payloads. This can result in an OpenSSL crash. This
issue is not considered to be exploitable beyond a DoS.</li>
<li>CMS Null dereference (CVE-2016-7053)<br/>
Severity: Medium<br/>
Applications parsing invalid CMS structures can crash with a NULL pointer
dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type
in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure
callback if an attempt is made to free certain invalid encodings. Only CHOICE
structures using a callback which do not handle NULL value are affected.</li>
<li>Montgomery multiplication may produce incorrect results (CVE-2016-7055)<br/>
Severity: Low<br/>
There is a carry propagating bug in the Broadwell-specific Montgomery
multiplication procedure that handles input lengths divisible by, but
longer than 256 bits.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://www.openssl.org/news/secadv/20161110.txt</url>
<cvename>CVE-2016-7054</cvename>
<cvename>CVE-2016-7053</cvename>
<cvename>CVE-2016-7055</cvename>
</references>
<dates>
<discovery>2016-11-10</discovery>
<entry>2016-11-10</entry>
<modified>2016-11-11</modified>
</dates>
</vuln>
<vuln vid="a3473f5a-a739-11e6-afaa-e8e0b747a45a">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>54.0.2840.100</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://googlechromereleases.blogspot.nl/2016/11/stable-channel-update-for-desktop_9.html">
<p>4 security fixes in this release, including:</p>
<ul>
<li>[643948] High CVE-2016-5199: Heap corruption in FFmpeg. Credit to
Paul Mehta</li>
<li>[658114] High CVE-2016-5200: Out of bounds memory access in V8. Credit to
Choongwoo Han</li>
<li>[660678] Medium CVE-2016-5201: Info leak in extensions. Credit to
Rob Wu</li>
<li>[662843] CVE-2016-5202: Various fixes from internal audits,
fuzzing and other initiatives</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5199</cvename>
<cvename>CVE-2016-5200</cvename>
<cvename>CVE-2016-5201</cvename>
<cvename>CVE-2016-5202</cvename>
<url>https://googlechromereleases.blogspot.nl/2016/11/stable-channel-update-for-desktop_9.html</url>
</references>
<dates>
<discovery>2016-11-09</discovery>
<entry>2016-11-10</entry>
</dates>
</vuln>
<vuln vid="96f6bf10-a731-11e6-95ca-0011d823eebd">
<topic>flash -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-c7-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.644</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-37.html">
<ul>
<li>These updates resolve type confusion vulnerabilities that
could lead to code execution (CVE-2016-7860, CVE-2016-7861,
CVE-2016-7865).</li>
<li>These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2016-7857, CVE-2016-7858,
CVE-2016-7859, CVE-2016-7862, CVE-2016-7863, CVE-2016-7864).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://helpx.adobe.com/security/products/flash-player/apsb16-37.html</url>
<cvename>CVE-2016-7857</cvename>
<cvename>CVE-2016-7858</cvename>
<cvename>CVE-2016-7859</cvename>
<cvename>CVE-2016-7860</cvename>
<cvename>CVE-2016-7861</cvename>
<cvename>CVE-2016-7862</cvename>
<cvename>CVE-2016-7863</cvename>
<cvename>CVE-2016-7864</cvename>
<cvename>CVE-2016-7865</cvename>
</references>
<dates>
<discovery>2016-11-08</discovery>
<entry>2016-11-10</entry>
</dates>
</vuln>
<vuln vid="10968dfd-a687-11e6-b2d3-60a44ce6887b">
<topic>gitlab -- Directory traversal via "import/export" feature</topic>
<affects>
<package>
<name>gitlab</name>
<range><ge>8.10.0</ge><le>8.10.12</le></range>
<range><ge>8.11.0</ge><le>8.11.9</le></range>
<range><ge>8.12.0</ge><le>8.12.7</le></range>
<range><ge>8.13.0</ge><le>8.13.2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GitLab reports:</p>
<blockquote cite="https://about.gitlab.com/2016/11/02/cve-2016-9086-patches/">
<p>The import/export feature did not properly check for symbolic links
in user-provided archives and therefore it was possible for an
authenticated user to retrieve the contents of any file
accessible to the GitLab service account. This included
sensitive files such as those that contain secret tokens used
by the GitLab service to authenticate users.</p>
</blockquote>
</body>
</description>
<references>
<url>https://about.gitlab.com/2016/11/02/cve-2016-9086-patches/</url>
<cvename>CVE-2016-9086</cvename>
<freebsdpr>ports/214360</freebsdpr>
</references>
<dates>
<discovery>2016-11-02</discovery>
<entry>2016-11-09</entry>
<modified>2017-05-18</modified>
</dates>
</vuln>
<vuln vid="ae9cb9b8-a203-11e6-a265-3065ec8fd3ec">
<topic>chromium -- out-of-bounds memory access</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>54.0.2840.90</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://googlechromereleases.blogspot.nl/2016/11/stable-channel-update-for-desktop.html">
<p>[659475] High CVE-2016-5198: Out of bounds memory access in V8.
Credit to Tencent Keen Security Lab, working with Trend Micro's
Zero Day Initiative.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5198</cvename>
<url>https://googlechromereleases.blogspot.nl/2016/11/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2016-11-01</discovery>
<entry>2016-11-03</entry>
</dates>
</vuln>
<vuln vid="0fcd3af0-a0fe-11e6-b1cf-14dae9d210b8">
<topic>FreeBSD -- OpenSSL Remote DoS vulnerability</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.3</ge><lt>10.3_12</lt></range>
<range><ge>10.2</ge><lt>10.2_25</lt></range>
<range><ge>10.1</ge><lt>10.1_42</lt></range>
<range><ge>9.3</ge><lt>9.3_50</lt></range>
</package>
<package>
<name>openssl</name>
<range><lt>1.0.2i,1</lt></range>
</package>
<package>
<name>openssl-devel</name>
<range><lt>1.1.0a</lt></range>
</package>
<package>
<name>linux-c6-openssl</name>
<range><lt>1.0.1e_13</lt></range>
</package>
<package>
<name>linux-c7-openssl-libs</name>
<range><lt>1.0.1e_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Due to improper handling of alert packets, OpenSSL would
consume an excessive amount of CPU time processing undefined
alert messages.</p>
<h1>Impact:</h1>
<p>A remote attacker who can initiate handshakes with an
OpenSSL based server can cause the server to consume a lot
of computation power with very little bandwidth usage, and
may be able to use this technique in a leveraged Denial of
Service attack.</p>
</body>
</description>
<references>
<cvename>CVE-2016-8610</cvename>
<freebsdsa>SA-16:35.openssl</freebsdsa>
<url>http://seclists.org/oss-sec/2016/q4/224</url>
</references>
<dates>
<discovery>2016-11-02</discovery>
<entry>2016-11-02</entry>
<modified>2017-02-22</modified>
</dates>
</vuln>
<vuln vid="cb116651-79db-4c09-93a2-c38f9df46724">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py27-django</name>
<name>py33-django</name>
<name>py34-django</name>
<name>py35-django</name>
<range><lt>1.8.16</lt></range>
</package>
<package>
<name>py27-django18</name>
<name>py33-django18</name>
<name>py34-django18</name>
<name>py35-django18</name>
<range><lt>1.8.16</lt></range>
</package>
<package>
<name>py27-django19</name>
<name>py33-django19</name>
<name>py34-django19</name>
<name>py35-django19</name>
<range><lt>1.9.11</lt></range>
</package>
<package>
<name>py27-django110</name>
<name>py33-django110</name>
<name>py34-django110</name>
<name>py35-django110</name>
<range><lt>1.10.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Django project reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2016/nov/01/security-releases/">
<p>Today the Django team released Django 1.10.3, Django 1.9.11,
and 1.8.16. These releases address two security issues
detailed below. We encourage all users of Django to upgrade
as soon as possible.</p>
<ul>
<li>User with hardcoded password created when running tests on Oracle</li>
<li>DNS rebinding vulnerability when DEBUG=True</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://www.djangoproject.com/weblog/2016/nov/01/security-releases/</url>
<cvename>CVE-2016-9013</cvename>
<cvename>CVE-2016-9014</cvename>
</references>
<dates>
<discovery>2016-11-01</discovery>
<entry>2016-11-02</entry>
</dates>
</vuln>
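The second Django item above, the DNS rebinding issue when DEBUG=True, comes from unpatched versions skipping Host header validation entirely in debug mode, so a DNS name an attacker controls can be pointed at a developer's machine and the application will answer for it. The fixed releases validate the header against localhost, 127.0.0.1 and [::1] whenever DEBUG is on and ALLOWED_HOSTS is empty. The following Python block is an added illustration, not Django's code: it re-implements the matching rules in simplified form (port stripped, bracketed IPv6 literal accepted, exact match, leading-dot subdomain wildcard, and "*"), with the unpatched debug behaviour kept alongside the corrected one for comparison. The function names and the regular expression are this example's own.

```python
import re

# Hosts accepted in debug mode when ALLOWED_HOSTS is empty (the fixed behaviour).
DEBUG_FALLBACK_HOSTS = ["localhost", "127.0.0.1", "[::1]"]

# A Host header is a DNS name, an IPv4 literal or a bracketed IPv6 literal,
# optionally followed by :port. The port plays no part in matching.
_HOST_RE = re.compile(r"^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(:[0-9]+)?$")


def split_domain_port(header):
    """Return (domain, port), domain lower-cased, or ("", "") when the header
    is not even syntactically a host (spaces, slashes, odd characters)."""
    m = _HOST_RE.match(header.lower())
    if not m:
        return "", ""
    port = m.group(2)[1:] if m.group(2) else ""
    return m.group(1), port


def is_same_domain(host, pattern):
    """'*' matches anything; '.example.com' matches example.com and every
    subdomain of it; anything else must match exactly (case-insensitively)."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def host_allowed(header, allowed_hosts, debug):
    """Fixed policy: debug mode narrows the allow-list to loopback names
    instead of switching validation off."""
    if debug and not allowed_hosts:
        allowed_hosts = DEBUG_FALLBACK_HOSTS
    domain, _port = split_domain_port(header)
    if not domain:
        return False
    return any(is_same_domain(domain, p) for p in allowed_hosts)


def host_allowed_unpatched(header, allowed_hosts, debug):
    """Pre-fix policy: with debug on, the Host header is never checked, so a
    rebinding name that now resolves to the developer's machine is accepted."""
    if debug:
        return True
    return host_allowed(header, allowed_hosts, False)


if __name__ == "__main__":
    probe = "attacker.example:8000"   # constructed sample header
    print("unpatched, DEBUG=True:", host_allowed_unpatched(probe, [], True))
    print("fixed,     DEBUG=True:", host_allowed(probe, [], True))
```

The same check is worth applying in any framework that trusts the Host header for URL generation or CSRF origin comparison: the debug fallback should be a short explicit list, never a bypass.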
<vuln vid="765feb7d-a0d1-11e6-a881-b499baebfeaf">
<topic>cURL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>curl</name>
<range><ge>7.1</ge><lt>7.51.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The cURL project reports:</p>
<blockquote cite="https://curl.haxx.se/docs/security.html">
<ul>
<li>cookie injection for other servers</li>
<li>case insensitive password comparison</li>
<li>OOB write via unchecked multiplication</li>
<li>double-free in curl_maprintf</li>
<li>double-free in krb5 code</li>
<li>glob parser write/read out of bounds</li>
<li>curl_getdate read out of bounds</li>
<li>URL unescape heap overflow via integer truncation</li>
<li>Use-after-free via shared cookies</li>
<li>invalid URL parsing with '#'</li>
<li>IDNA 2003 makes curl use wrong host</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://curl.haxx.se/docs/security.html</url>
<cvename>CVE-2016-8615</cvename>
<cvename>CVE-2016-8616</cvename>
<cvename>CVE-2016-8617</cvename>
<cvename>CVE-2016-8618</cvename>
<cvename>CVE-2016-8619</cvename>
<cvename>CVE-2016-8620</cvename>
<cvename>CVE-2016-8621</cvename>
<cvename>CVE-2016-8622</cvename>
<cvename>CVE-2016-8623</cvename>
<cvename>CVE-2016-8624</cvename>
<cvename>CVE-2016-8625</cvename>
</references>
<dates>
<discovery>2016-11-02</discovery>
<entry>2016-11-02</entry>
</dates>
</vuln>
<vuln vid="0b8d01a4-a0d2-11e6-9ca2-d050996490d0">
<topic>BIND -- Remote Denial of Service vulnerability</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.9P4</lt></range>
</package>
<package>
<name>bind910</name>
<range><lt>9.10.4P4</lt></range>
</package>
<package>
<name>bind911</name>
<range><lt>9.11.0P1</lt></range>
</package>
<package>
<name>bind9-devel</name>
<range><le>9.12.0.a.2016.10.21</le></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>9.3</ge><lt>9.3_50</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01434/">
<p>A defect in BIND's handling of responses containing
a DNAME answer can cause a resolver to exit after
encountering an assertion failure in db.c or
resolver.c.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-8864</cvename>
<freebsdsa>SA-16:34.bind</freebsdsa>
<url>https://kb.isc.org/article/AA-01434/</url>
</references>
<dates>
<discovery>2016-11-01</discovery>
<entry>2016-11-02</entry>
</dates>
</vuln>
<vuln vid="f4bf713f-6ac7-4b76-8980-47bf90c5419f">
<topic>memcached -- multiple vulnerabilities</topic>
<affects>
<package>
<name>memcached</name>
<range><lt>1.4.33</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Cisco Talos reports:</p>
<blockquote cite="http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html">
<p>Multiple integer overflow vulnerabilities exist within Memcached
that could be exploited to achieve remote code execution on the
targeted system. These vulnerabilities manifest in various Memcached
functions that are used in inserting, appending, prepending, or
modifying key-value data pairs. Systems which also have Memcached
compiled with support for SASL authentication are also vulnerable to
a third flaw due to how Memcached handles SASL authentication
commands.</p>
<p>An attacker could exploit these vulnerabilities by sending a
specifically crafted Memcached command to the targeted server.
Additionally, these vulnerabilities could also be exploited to leak
sensitive process information which an attacker could use to bypass
common exploitation mitigations, such as ASLR, and can be triggered
multiple times. This enables reliable exploitation which makes these
vulnerabilities severe.</p>
</blockquote>
</body>
</description>
<references>
<url>http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html</url>
<cvename>CVE-2016-8704</cvename>
<cvename>CVE-2016-8705</cvename>
<cvename>CVE-2016-8706</cvename>
</references>
<dates>
<discovery>2016-10-31</discovery>
<entry>2016-11-02</entry>
</dates>
</vuln>
<vuln vid="9bc14850-a070-11e6-a881-b499baebfeaf">
<topic>MySQL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mariadb55-server</name>
<name>mysql55-server</name>
<range><lt>5.5.53</lt></range>
</package>
<package>
<name>mysql56-server</name>
<range><lt>5.6.34</lt></range>
</package>
<package>
<name>mysql57-server</name>
<range><lt>5.7.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MariaDB project reports:</p>
<blockquote cite="https://mariadb.com/kb/en/mariadb/mariadb-5553-release-notes/">
<p>Fixes for the following security vulnerabilities:</p>
<ul>
<li>CVE-2016-7440</li>
<li>CVE-2016-5584</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://mariadb.com/kb/en/mariadb/mariadb-5553-release-notes/</url>
<cvename>CVE-2016-7440</cvename>
<cvename>CVE-2016-5584</cvename>
</references>
<dates>
<discovery>2016-10-17</discovery>
<entry>2016-11-01</entry>
</dates>
</vuln>
<vuln vid="9118961b-9fa5-11e6-a265-3065ec8fd3ec">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>54.0.2840.59</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://googlechromereleases.blogspot.nl/2016/10/stable-channel-update-for-desktop.html">
<p>21 security fixes in this release, including:</p>
<ul>
<li>[645211] High CVE-2016-5181: Universal XSS in Blink. Credit to
Anonymous</li>
<li>[638615] High CVE-2016-5182: Heap overflow in Blink. Credit to
Giwan Go of STEALIEN</li>
<li>[645122] High CVE-2016-5183: Use after free in PDFium. Credit
to Anonymous</li>
<li>[630654] High CVE-2016-5184: Use after free in PDFium. Credit
to Anonymous</li>
<li>[621360] High CVE-2016-5185: Use after free in Blink. Credit to
cloudfuzzer</li>
<li>[639702] High CVE-2016-5187: URL spoofing. Credit to Luan
Herrera</li>
<li>[565760] Medium CVE-2016-5188: UI spoofing. Credit to Luan
Herrera</li>
<li>[633885] Medium CVE-2016-5192: Cross-origin bypass in Blink.
Credit to haojunhou@gmail.com</li>
<li>[646278] Medium CVE-2016-5189: URL spoofing. Credit to xisigr
of Tencent's Xuanwu Lab</li>
<li>[644963] Medium CVE-2016-5186: Out of bounds read in DevTools.
Credit to Abdulrahman Alqabandi (@qab)</li>
<li>[639126] Medium CVE-2016-5191: Universal XSS in Bookmarks.
Credit to Gareth Hughes</li>
<li>[642067] Medium CVE-2016-5190: Use after free in Internals.
Credit to Atte Kettunen of OUSPG</li>
<li>[639658] Low CVE-2016-5193: Scheme bypass. Credit to Yuyang
ZHOU (martinzhou96)</li>
<li>[654782] CVE-2016-5194: Various fixes from internal audits,
fuzzing and other initiatives</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5181</cvename>
<cvename>CVE-2016-5182</cvename>
<cvename>CVE-2016-5183</cvename>
<cvename>CVE-2016-5184</cvename>
<cvename>CVE-2016-5185</cvename>
<cvename>CVE-2016-5186</cvename>
<cvename>CVE-2016-5187</cvename>
<cvename>CVE-2016-5188</cvename>
<cvename>CVE-2016-5189</cvename>
<cvename>CVE-2016-5190</cvename>
<cvename>CVE-2016-5191</cvename>
<cvename>CVE-2016-5192</cvename>
<cvename>CVE-2016-5193</cvename>
<cvename>CVE-2016-5194</cvename>
<url>https://googlechromereleases.blogspot.nl/2016/10/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2016-10-12</discovery>
<entry>2016-10-31</entry>
</dates>
</vuln>
<vuln vid="9c135c7e-9fa4-11e6-a265-3065ec8fd3ec">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>53.0.2785.143</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://googlechromereleases.blogspot.nl/2016/09/stable-channel-update-for-desktop_29.html">
<p>3 security fixes in this release, including:</p>
<ul>
<li>[642496] High CVE-2016-5177: Use after free in V8. Credit to
Anonymous</li>
<li>[651092] CVE-2016-5178: Various fixes from internal audits,
fuzzing and other initiatives.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5177</cvename>
<cvename>CVE-2016-5178</cvename>
<url>https://googlechromereleases.blogspot.nl/2016/09/stable-channel-update-for-desktop_29.html</url>
</references>
<dates>
<discovery>2016-09-29</discovery>
<entry>2016-10-31</entry>
</dates>
</vuln>
<vuln vid="6a2cfcdc-9dea-11e6-a298-14dae9d210b8">
<topic>FreeBSD -- OpenSSH Remote Denial of Service vulnerability</topic>
<affects>
<package>
<name>openssh-portable</name>
<range><lt>7.3p1_1</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>11.0</ge><lt>11.0_3</lt></range>
<range><ge>10.3</ge><lt>10.3_12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When processing the SSH_MSG_KEXINIT message, the server
could allocate up to a few hundreds of megabytes of memory
per connection, before any authentication takes place.</p>
<h1>Impact:</h1>
<p>A remote attacker may be able to cause a SSH server to
allocate an excessive amount of memory. Note that the default
MaxStartups setting on FreeBSD will limit the effectiveness
of this attack.</p>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2016/q4/191</url>
<cvename>CVE-2016-8858</cvename>
<freebsdsa>SA-16:33.openssh</freebsdsa>
</references>
<dates>
<discovery>2016-10-19</discovery>
<entry>2016-10-29</entry>
<modified>2016-11-02</modified>
</dates>
</vuln>
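The OpenSSH entry above is a pre-authentication resource exhaustion: the server commits memory while handling SSH_MSG_KEXINIT, before the peer has proven anything. The following Python block is an added example, not OpenSSH code. It encodes and decodes the KEXINIT payload laid out in RFC 4253 section 7.1 (message type, 16-byte cookie, ten name-lists, a boolean and a reserved uint32), checking every length field against the bytes actually present and against a size cap before any slice is taken, and it keeps a per-connection state that accepts exactly one peer KEXINIT until the exchange completes. The cap value, the `KexState` class and the helper names are this example's own design; the one-KEXINIT-per-exchange rule reflects my understanding of the upstream fix for CVE-2016-8858 rather than anything stated on this page.

```python
import struct

SSH_MSG_KEXINIT = 20
# Name-list fields in the order RFC 4253 section 7.1 defines them.
NAME_LIST_FIELDS = [
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
]
MAX_NAME_LIST_BYTES = 16 * 1024   # policy cap chosen for this example (assumption)


class KexError(Exception):
    pass


def build_kexinit(name_lists, first_kex_packet_follows=False):
    """Encode a KEXINIT payload; used here to construct sample input."""
    if len(name_lists) != len(NAME_LIST_FIELDS):
        raise ValueError("need exactly ten name-lists")
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16          # type + cookie
    for nl in name_lists:
        out += struct.pack(">I", len(nl)) + nl              # string: len, bytes
    out += b"\x01" if first_kex_packet_follows else b"\x00"
    return out + struct.pack(">I", 0)                        # reserved


def build_oversized_kexinit(claimed_length):
    """Constructed hostile input: the first name-list claims `claimed_length`
    bytes that are not actually present in the payload."""
    return bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16 + struct.pack(">I", claimed_length)


def parse_kexinit(payload):
    """Decode a KEXINIT payload into a dict of name-lists. Each length is
    validated against the cap and the remaining bytes before the slice is
    taken, so a hostile length field never drives an allocation."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise KexError("not a KEXINIT message")
    off = 1 + 16
    if off > len(payload):
        raise KexError("truncated cookie")
    fields = {}
    for name in NAME_LIST_FIELDS:
        if off + 4 > len(payload):
            raise KexError("%s: truncated length" % name)
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if n > MAX_NAME_LIST_BYTES:
            raise KexError("%s: %d bytes exceeds cap" % (name, n))
        if off + n > len(payload):
            raise KexError("%s: truncated" % name)
        raw = payload[off:off + n]
        off += n
        try:
            fields[name] = raw.decode("ascii").split(",") if raw else []
        except UnicodeDecodeError:
            raise KexError("%s: non-ASCII name-list" % name)
    if off + 1 + 4 > len(payload):
        raise KexError("truncated trailer")
    fields["first_kex_packet_follows"] = payload[off] != 0
    return fields


class KexState:
    """Per-connection guard: one peer KEXINIT per key exchange. A second
    KEXINIT before NEWKEYS is rejected instead of parsed and stored again."""

    def __init__(self):
        self.peer_kexinit = None
        self.in_progress = False

    def on_kexinit(self, payload):
        if self.in_progress:
            raise KexError("duplicate KEXINIT during key exchange")
        self.peer_kexinit = parse_kexinit(payload)
        self.in_progress = True
        return self.peer_kexinit

    def newkeys(self):
        """SSH_MSG_NEWKEYS completes the exchange; a later KEXINIT is a rekey."""
        self.in_progress = False
```

The two controls are independent: the cap bounds what a single message can cost, and the state guard bounds how many times that cost can be paid before authentication. MaxStartups, mentioned in the advisory, is the third layer and limits how many such unauthenticated connections exist at once.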
<vuln vid="2e4fbc9a-9d23-11e6-a298-14dae9d210b8">
<topic>sudo -- Potential bypass of sudo_noexec.so via wordexp()</topic>
<affects>
<package>
<name>sudo</name>
<range><ge>1.6.8</ge><lt>1.8.18p1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd C. Miller reports:</p>
<blockquote cite="https://www.sudo.ws/alerts/noexec_wordexp.html">
<p>A flaw exists in sudo's noexec functionality that may allow
a user with sudo privileges to run additional commands even when the
NOEXEC tag has been applied to a command that uses the wordexp()
function.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.sudo.ws/alerts/noexec_wordexp.html</url>
<cvename>CVE-2016-7076</cvename>
</references>
<dates>
<discovery>2016-10-28</discovery>
<entry>2016-10-28</entry>
</dates>
</vuln>
<vuln vid="ac18046c-9b08-11e6-8011-005056925db4">
<topic>Axis2 -- Security vulnerabilities on dependency Apache HttpClient</topic>
<affects>
<package>
<name>axis2</name>
<range><lt>1.7.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache Axis2 reports:</p>
<blockquote cite="http://axis.apache.org/axis2/java/core/release-notes/1.7.4.html">
<p>Apache Axis2 1.7.4 is a maintenance release that includes fixes for
several issues, including the following security issues:
Session fixation (AXIS2-4739) and XSS (AXIS2-5683) vulnerabilities
affecting the admin console.
A dependency on an Apache HttpClient version affected by known security
vulnerabilities (CVE-2012-6153 and CVE-2014-3577); see AXIS2-5757.</p>
</blockquote>
</body>
</description>
<references>
<url>http://axis.apache.org/axis2/java/core/release-notes/1.7.4.html</url>
<url>https://issues.apache.org/jira/browse/AXIS2-4739</url>
<url>https://issues.apache.org/jira/browse/AXIS2-5683</url>
<url>https://issues.apache.org/jira/browse/AXIS2-5757</url>
<cvename>CVE-2012-6153</cvename>
<cvename>CVE-2014-3577</cvename>
</references>
<dates>
<discovery>2012-12-06</discovery>
<entry>2016-10-28</entry>
</dates>
</vuln>
<vuln vid="28bb6ee5-9b5c-11e6-b799-19bef72f4b7c">
<topic>node.js -- ares_create_query single byte out of buffer write</topic>
<affects>
<package>
<name>node010</name>
<range><lt>0.10.48</lt></range>
</package>
<package>
<name>node012</name>
<range><lt>0.12.17</lt></range>
</package>
<package>
<name>node4</name>
<range><lt>4.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Node.js has released new versions containing the following security fix:</p>
<blockquote cite="https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/">
<p>The following releases all contain fixes for CVE-2016-5180 "ares_create_query single
byte out of buffer write": Node.js v0.10.48 (Maintenance), Node.js v0.12.17 (Maintenance),
Node.js v4.6.1 (LTS "Argon")
</p>
<p>While this is not a critical update, all users of these release lines should upgrade at
their earliest convenience.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/</url>
<cvename>CVE-2016-5180</cvename>
<freebsdpr>ports/213800</freebsdpr>
</references>
<dates>
<discovery>2016-10-18</discovery>
<entry>2016-10-26</entry>
</dates>
</vuln>
<vuln vid="27180c99-9b5c-11e6-b799-19bef72f4b7c">
<topic>node.js -- multiple vulnerabilities</topic>
<affects>
<package>
<name>node</name>
<range><ge>6.0.0</ge><lt>6.9.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Node.js v6.9.0 LTS contains the following security fixes, specific to v6.x:</p>
<blockquote cite="https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/">
<p>Disable auto-loading of openssl.cnf: Don't automatically attempt to load an OpenSSL
configuration file, from the OPENSSL_CONF environment variable or from the default
location for the current platform. Always triggering a configuration file load attempt
may allow an attacker to load compromised OpenSSL configuration into a Node.js process
if they are able to place a file in a default location.
</p>
<p>Patched V8 arbitrary memory read (CVE-2016-5172): The V8 parser mishandled scopes,
potentially allowing an attacker to obtain sensitive information from arbitrary memory
locations via crafted JavaScript code. This vulnerability would require an attacker to
be able to execute arbitrary JavaScript code in a Node.js process.
</p>
<p>Create a unique v8_inspector WebSocket address: Generate a UUID for each execution of
the inspector. This provides additional security to prevent unauthorized clients from
connecting to the Node.js process via the v8_inspector port when running with --inspect.
Since the debugging protocol allows extensive access to the internals of a running process,
and the execution of arbitrary code, it is important to limit connections to authorized
tools only. Note that the v8_inspector protocol in Node.js is still considered an
experimental feature. Vulnerability originally reported by Jann Horn.
</p>
<p>All of these vulnerabilities are considered low-severity for Node.js users, however,
users of Node.js v6.x should upgrade at their earliest convenience.</p>
</blockquote>
</body>
</description>
<references>
<url>https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/</url>
<cvename>CVE-2016-5172</cvename>
</references>
<dates>
<discovery>2016-10-18</discovery>
<entry>2016-10-28</entry>
</dates>
</vuln>
<vuln vid="c5c6e293-9cc7-11e6-823f-b8aeed92ecc4">
<topic>urllib3 -- certificate verification failure</topic>
<affects>
<package>
<name>py-urllib3</name>
<range><lt>1.18</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>urllib3 reports:</p>
<blockquote cite="https://github.com/shazow/urllib3/blob/1.18.1/CHANGES.rst">
<p>CVE-2016-9015: Certification verification failure</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9015</cvename>
<url>https://github.com/shazow/urllib3/blob/1.18.1/CHANGES.rst</url>
</references>
<dates>
<discovery>2016-10-27</discovery>
<entry>2016-10-28</entry>
</dates>
</vuln>
<vuln vid="de6d01d5-9c44-11e6-ba67-0011d823eebd">
<topic>flash -- remote code execution</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<name>linux-c6-flashplugin</name>
<name>linux-c7-flashplugin</name>
<range><lt>11.2r202.643</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-36.html">
<p>Adobe has released security updates for Adobe Flash Player for
Windows, Macintosh, Linux and Chrome OS. These updates address a
critical vulnerability that could potentially allow an attacker to
take control of the affected system.</p>
<p>Adobe is aware of a report that an exploit for CVE-2016-7855
exists in the wild, and is being used in limited, targeted attacks
against users running Windows versions 7, 8.1 and 10.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-7855</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb16-36.html</url>
</references>
<dates>
<discovery>2016-10-26</discovery>
<entry>2016-10-27</entry>
</dates>
</vuln>
<vuln vid="a479a725-9adb-11e6-a298-14dae9d210b8">
<topic>FreeBSD -- bhyve - privilege escalation vulnerability</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>11.0</ge><lt>11.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>An unchecked array reference in the VGA device emulation
code could potentially allow guests access to the heap of
the bhyve process. Since the bhyve process is running as
root, this may allow guests to obtain full control of the
hosts they are running on.</p>
<h1>Impact:</h1>
<p>For bhyve virtual machines with the "fbuf" framebuffer
device configured, if exploited, a malicious guest could
obtain full access to not just the host system, but to other
virtual machines running on the system.</p>
</body>
</description>
<references>
<freebsdsa>SA-16:32.bhyve</freebsdsa>
</references>
<dates>
<discovery>2016-10-25</discovery>
<entry>2016-10-25</entry>
<modified>2016-10-25</modified>
</dates>
</vuln>
<vuln vid="2482c798-93c6-11e6-846f-bc5ff4fb5ea1">
<topic>flash -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<name>linux-c7-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.637</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-32.html">
<p>Adobe has released security updates for Adobe Flash Player for
Windows, Macintosh, Linux and ChromeOS. These updates address
critical vulnerabilities that could potentially allow an attacker
to take control of the affected system.</p>
<p>These updates resolve a type confusion vulnerability that could
lead to code execution (CVE-2016-6992).</p>
<p>These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2016-6981, CVE-2016-6987).</p>
<p>These updates resolve a security bypass vulnerability
(CVE-2016-4286).</p>
<p>These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2016-4273, CVE-2016-6982,
CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986,
CVE-2016-6989, CVE-2016-6990).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4273</cvename>
<cvename>CVE-2016-4286</cvename>
<cvename>CVE-2016-6981</cvename>
<cvename>CVE-2016-6982</cvename>
<cvename>CVE-2016-6983</cvename>
<cvename>CVE-2016-6984</cvename>
<cvename>CVE-2016-6985</cvename>
<cvename>CVE-2016-6986</cvename>
<cvename>CVE-2016-6987</cvename>
<cvename>CVE-2016-6989</cvename>
<cvename>CVE-2016-6990</cvename>
<cvename>CVE-2016-6992</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb16-32.html</url>
</references>
<dates>
<discovery>2016-10-11</discovery>
<entry>2016-10-24</entry>
</dates>
</vuln>
<vuln vid="aaa9f3db-13b5-4a0e-9ed7-e5ab287098fa">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>49.0.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/">
<p>CVE-2016-5287: Crash in nsTArray_base&lt;T&gt;::SwapArrayElements</p>
<p>CVE-2016-5288: Web content can read cache entries</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5287</cvename>
<cvename>CVE-2016-5288</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2016-87/</url>
</references>
<dates>
<discovery>2016-10-20</discovery>
<entry>2016-10-21</entry>
</dates>
</vuln>
<vuln vid="0baadc45-92d0-11e6-8011-005056925db4">
<topic>Axis2 -- Cross-site scripting (XSS) vulnerability</topic>
<affects>
<package>
<name>axis2</name>
<range><lt>1.7.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache Axis2 reports:</p>
<blockquote cite="http://axis.apache.org/axis2/java/core/release-notes/1.7.3.html">
<p>Apache Axis2 1.7.3 is a security release that contains a fix
for CVE-2010-3981. That security vulnerability affects the admin console
that is part of the Axis2 Web application and was originally reported
for SAP BusinessObjects (which includes a version of Axis2). That report
didn’t mention Axis2 at all and the Axis2 project only recently became
aware (thanks to Devesh Bhatt and Nishant Agarwala) that the issue
affects Apache Axis2 as well.</p>
</blockquote>
</body>
</description>
<references>
<url>http://axis.apache.org/axis2/java/core/release-notes/1.7.3.html</url>
<cvename>CVE-2010-3981</cvename>
<freebsdpr>ports/213546</freebsdpr>
</references>
<dates>
<discovery>2010-10-18</discovery>
<entry>2016-10-18</entry>
</dates>
</vuln>
<vuln vid="c1dc55dc-9556-11e6-b154-3065ec8fd3ec">
<topic>Tor -- remote denial of service</topic>
<affects>
<package>
<name>tor</name>
<range><lt>0.2.8.9</lt></range>
</package>
<package>
<name>tor-devel</name>
<range><lt>0.2.9.4-alpha</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Tor Blog reports:</p>
<blockquote cite="https://blog.torproject.org/blog/tor-0289-released-important-fixes">
<p>Prevent a class of security bugs caused by treating the contents
of a buffer chunk as if they were a NUL-terminated string. At least
one such bug seems to be present in all currently used versions of
Tor, and would allow an attacker to remotely crash most Tor
instances, especially those compiled with extra compiler hardening.
With this defense in place, such bugs can't crash Tor, though we
should still fix them as they occur. Closes ticket 20384
(TROVE-2016-10-001).</p>
</blockquote>
</body>
</description>
<references>
<url>https://blog.torproject.org/blog/tor-0289-released-important-fixes</url>
</references>
<dates>
<discovery>2016-10-17</discovery>
<entry>2016-10-18</entry>
</dates>
</vuln>
<vuln vid="43f1c867-654a-11e6-8286-00248c0c745d">
<topic>Rails 4 -- Possible XSS Vulnerability in Action View</topic>
<affects>
<package>
<name>rubygem-actionview</name>
<range><gt>3.0.0</gt><lt>4.2.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby Security team reports:</p>
<blockquote cite="https://groups.google.com/forum/#!topic/ruby-security-ann/8B2iV2tPRSE">
<p>There is a possible XSS vulnerability in Action View. Text declared as "HTML
safe" will not have quotes escaped when used as attribute values in tag
helpers. This vulnerability has been assigned the CVE identifier
CVE-2016-6316.</p>
</blockquote>
</body>
</description>
<references>
<url>https://groups.google.com/forum/#!topic/ruby-security-ann/8B2iV2tPRSE</url>
<cvename>CVE-2016-6316</cvename>
</references>
<dates>
<discovery>2016-08-11</discovery>
<entry>2016-08-18</entry>
</dates>
</vuln>
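The Action View issue above is a context-confusion bug: a string marked HTML safe has been escaped for an element body, where a double quote is harmless, but the tag helpers reused that marker to skip escaping inside a quoted attribute value, where a double quote ends the value. The following Python block is an added illustration and not Rails code: it models a safe-string marker, shows the vulnerable attribute builder next to a fixed one that always converts double quotes to their entity, and renders an attribute list with either. The `SafeString` class and the function names are this example's own.

```python
import html


class SafeString(str):
    """Marker for text already escaped for an HTML element context; the
    analogue of a string flagged html_safe in a view framework."""


def escape_for_element(value):
    """Escape untrusted text; pass marked-safe text through untouched."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def tag_option_unpatched(key, value):
    """Vulnerable form: a marked-safe value is interpolated verbatim, so a
    double quote inside it closes the attribute and starts a new one."""
    return '%s="%s"' % (key, escape_for_element(value))


def tag_option(key, value):
    """Fixed form: element-context safety does not imply attribute-context
    safety, so every double quote becomes its entity regardless of the
    safe marker."""
    quote_entity = html.escape('"', quote=True)   # the entity for a double quote
    escaped = escape_for_element(value).replace('"', quote_entity)
    return '%s="%s"' % (key, escaped)


def tag_options(attrs, builder=tag_option):
    """Render a dict of attributes; the builder decides the escaping rule."""
    return "".join(" " + builder(k, attrs[k]) for k in sorted(attrs))


if __name__ == "__main__":
    # Constructed payload: safe for an element body, not for an attribute.
    payload = SafeString('x" onmouseover="alert(1)')
    print("unpatched:", tag_option_unpatched("title", payload))
    print("fixed:    ", tag_option("title", payload))
```

The general rule the fix embodies is that escaping is a property of the output context, not of the string; a single "safe" flag cannot cover element bodies, attribute values, URLs and script blocks at once.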
<vuln vid="7e61cf44-6549-11e6-8286-00248c0c745d">
<topic>Rails 4 -- Unsafe Query Generation Risk in Active Record</topic>
<affects>
<package>
<name>rubygem-activerecord4</name>
<range><gt>4.2.0</gt><lt>4.2.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby Security team reports:</p>
<blockquote cite="https://groups.google.com/forum/#!topic/ruby-security-ann/WccgKSKiPZA">
<p>There is a vulnerability when Active Record is used in conjunction with JSON
parameter parsing. This vulnerability has been assigned the CVE identifier
CVE-2016-6317. This vulnerability is similar to CVE-2012-2660, CVE-2012-2694
and CVE-2013-0155.</p>
</blockquote>
</body>
</description>
<references>
<url>https://groups.google.com/forum/#!topic/ruby-security-ann/WccgKSKiPZA</url>
<cvename>CVE-2016-6317</cvename>
</references>
<dates>
<discovery>2016-08-11</discovery>
<entry>2016-08-18</entry>
</dates>
</vuln>
<vuln vid="f471032a-8700-11e6-8d93-00248c0c745d">
<topic>PHP -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php70</name>
<range><lt>7.0.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP reports:</p>
<blockquote cite="http://php.net/ChangeLog-7.php#7.0.11">
<ul>
<li><p>Fixed bug #73007 (add locale length check)</p></li>
<li><p>Fixed bug #72293 (Heap overflow in mysqlnd related to BIT fields)</p></li>
<li><p>Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile)</p></li>
<li><p>Fixed bug #73029 (Missing type check when unserializing SplArray)</p></li>
<li><p>Fixed bug #73052 (Memory Corruption in During Deserialized-object Destruction)</p></li>
<li><p>Fixed bug #72860 (wddx_deserialize use-after-free)</p></li>
<li><p>Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element)</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://php.net/ChangeLog-7.php#7.0.11</url>
<cvename>CVE-2016-7416</cvename>
<cvename>CVE-2016-7412</cvename>
<cvename>CVE-2016-7414</cvename>
<cvename>CVE-2016-7417</cvename>
<cvename>CVE-2016-7413</cvename>
<cvename>CVE-2016-7418</cvename>
</references>
<dates>
<discovery>2016-09-15</discovery>
<entry>2016-09-30</entry>
</dates>
</vuln>
<vuln vid="8d5180a6-86fe-11e6-8d93-00248c0c745d">
<topic>PHP -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php56</name>
<range><lt>5.6.26</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP reports:</p>
<blockquote cite="http://php.net/ChangeLog-5.php#5.6.26">
<ul>
<li><p>Fixed bug #73007 (add locale length check)</p></li>
<li><p>Fixed bug #72293 (Heap overflow in mysqlnd related to BIT fields)</p></li>
<li><p>Fixed bug #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile)</p></li>
<li><p>Fixed bug #73029 (Missing type check when unserializing SplArray)</p></li>
<li><p>Fixed bug #73052 (Memory Corruption in During Deserialized-object Destruction)</p></li>
<li><p>Fixed bug #72860 (wddx_deserialize use-after-free)</p></li>
<li><p>Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element)</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://php.net/ChangeLog-5.php#5.6.26</url>
<cvename>CVE-2016-7416</cvename>
<cvename>CVE-2016-7412</cvename>
<cvename>CVE-2016-7414</cvename>
<cvename>CVE-2016-7417</cvename>
<cvename>CVE-2016-7411</cvename>
<cvename>CVE-2016-7413</cvename>
<cvename>CVE-2016-7418</cvename>
</references>
<dates>
<discovery>2016-09-16</discovery>
<entry>2016-09-30</entry>
</dates>
</vuln>
<vuln vid="ad479f89-9020-11e6-a590-14dae9d210b8">
<topic>file-roller -- path traversal vulnerability</topic>
<affects>
<package>
<name>file-roller</name>
<range><ge>3.5.4,1</ge><lt>3.20.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p> reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/09/08/4">
<p>File Roller 3.5.4 through 3.20.2 was affected by a path
traversal bug that could result in deleted files if a user
were tricked into opening a malicious archive.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2016/09/08/4</url>
<cvename>CVE-2016-7162</cvename>
<freebsdpr>ports/213199</freebsdpr>
</references>
<dates>
<discovery>2016-09-08</discovery>
<entry>2016-10-12</entry>
<modified>2016-10-18</modified>
</dates>
</vuln>
<vuln vid="7d40edd1-901e-11e6-a590-14dae9d210b8">
<topic>VirtualBox -- undisclosed vulnerabilities</topic>
<affects>
<package>
<name>virtualbox-ose</name>
<range><ge>5.0</ge><lt>5.0.8</lt></range>
<range><ge>4.3</ge><lt>4.3.32</lt></range>
<range><ge>4.2</ge><lt>4.2.34</lt></range>
<range><ge>4.1</ge><lt>4.1.42</lt></range>
<range><ge>4.0</ge><lt>4.0.34</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Oracle reports:</p>
<blockquote cite="http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html">
<p>Unspecified vulnerability in the Oracle VM VirtualBox
component in Oracle Virtualization VirtualBox prior to 4.0.34, 4.1.42,
4.2.34, 4.3.32, and 5.0.8, when using a Windows guest, allows local
users to affect availability via unknown vectors related to Core.</p>
<p>Unspecified vulnerability in the Oracle VM VirtualBox
component in Oracle Virtualization VirtualBox before 4.0.34, 4.1.42,
4.2.34, 4.3.32, and 5.0.8, when a VM has the Remote Display feature
(RDP) enabled, allows remote attackers to affect availability via
unknown vectors related to Core.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html</url>
<cvename>CVE-2015-4813</cvename>
<cvename>CVE-2015-4896</cvename>
<freebsdpr>ports/204406</freebsdpr>
</references>
<dates>
<discovery>2015-10-01</discovery>
<entry>2016-10-12</entry>
<modified>2016-10-18</modified>
</dates>
</vuln>
<vuln vid="10f7f782-901c-11e6-a590-14dae9d210b8">
<topic>ImageMagick -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ImageMagick</name>
<name>ImageMagick-nox11</name>
<range><lt>6.9.5.10,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Debian reports:</p>
<blockquote cite="https://www.debian.org/security/2016/dsa-3675">
<p>Various memory handling problems and cases of missing or
incomplete input sanitizing may result in denial of service or the
execution of arbitrary code if malformed SIXEL, PDB, MAP, SGI, TIFF and
CALS files are processed.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.debian.org/security/2016/dsa-3675</url>
<freebsdpr>ports/213032</freebsdpr>
</references>
<dates>
<discovery>2016-09-23</discovery>
<entry>2016-10-12</entry>
<modified>2016-10-18</modified>
</dates>
</vuln>
<vuln vid="2a526c78-84ab-11e6-a4a1-60a44ce6887b">
<topic>libgd -- integer overflow which could lead to heap buffer overflow</topic>
<affects>
<package>
<name>gd</name>
<range><le>2.2.3</le></range>
</package>
<package>
<name>php70-gd</name>
<range><le>7.0.11</le></range>
</package>
<package>
<name>php56-gd</name>
<range><le>5.6.26</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>LibGD reports:</p>
<blockquote cite="https://github.com/libgd/libgd/issues/308">
<p>An integer overflow issue was found in function gdImageWebpCtx of file gd_webp.c which could lead to heap buffer overflow.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/libgd/libgd/issues/308</url>
<url>https://bugs.php.net/bug.php?id=73003</url>
<freebsdpr>ports/213023</freebsdpr>
</references>
<dates>
<discovery>2016-09-02</discovery>
<entry>2016-10-11</entry>
<modified>2016-10-18</modified>
</dates>
</vuln>
<vuln vid="cb3f036d-8c7f-11e6-924a-60a44ce6887b">
<topic>libvncserver -- multiple security vulnerabilities</topic>
<affects>
<package>
<name>libvncserver</name>
<range><lt>0.9.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Nicolas Ruff reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2014/q3/639">
<p>Integer overflow in MallocFrameBuffer() on client side.</p>
<p>Lack of malloc() return value checking on client side.</p>
<p>Server crash on a very large ClientCutText message.</p>
<p>Server crash when scaling factor is set to zero.</p>
<p>Multiple stack overflows in File Transfer feature.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2014/q3/639</url>
<cvename>CVE-2014-6051</cvename>
<cvename>CVE-2014-6052</cvename>
<cvename>CVE-2014-6053</cvename>
<cvename>CVE-2014-6054</cvename>
<cvename>CVE-2014-6055</cvename>
<freebsdpr>ports/212380</freebsdpr>
</references>
<dates>
<discovery>2014-09-23</discovery>
<entry>2016-10-11</entry>
<modified>2016-10-18</modified>
</dates>
</vuln>
<vuln vid="ab947396-9018-11e6-a590-14dae9d210b8">
<topic>openoffice -- information disclosure vulnerability</topic>
<affects>
<package>
<name>apache-openoffice</name>
<name>apache-openoffice-devel</name>
<range><lt>4.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache reports:</p>
<blockquote cite="http://www.openoffice.org/security/cves/CVE-2014-3575.html">
<p>The exposure exploits the way OLE previews are generated to
embed arbitrary file data into a specially crafted document when it is
opened. Data exposure is possible if the updated document is distributed
to other parties.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openoffice.org/security/cves/CVE-2014-3575.html</url>
<cvename>CVE-2014-3575</cvename>
<freebsdpr>ports/212379</freebsdpr>
</references>
<dates>
<discovery>2014-08-21</discovery>
<entry>2016-10-12</entry>
<modified>2016-10-18</modified>
</dates>
</vuln>
<vuln vid="47157c14-9013-11e6-a590-14dae9d210b8">
<topic>mupdf -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mupdf</name>
<range><lt>1.9a_1,1</lt></range>
</package>
<package>
<name>llpp</name>
<range><lt>22_2</lt></range>
</package>
<package>
<name>zathura-pdf-mupdf</name>
<range><lt>0.3.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tobias Kortkamp reports:</p>
<blockquote cite="http://openbsd-archive.7691.n7.nabble.com/mupdf-CVE-2016-6525-amp-CVE-2016-6265-td302904.html">
<p>Heap-based buffer overflow in the pdf_load_mesh_params
function in pdf/pdf-shade.c in MuPDF allows remote attackers to cause a
denial of service (crash) or execute arbitrary code via a large decode
array.</p>
<p>Use-after-free vulnerability in the pdf_load_xref function in
pdf/pdf-xref.c in MuPDF allows remote attackers to cause a denial of
service (crash) via a crafted PDF file.</p>
</blockquote>
</body>
</description>
<references>
<url>http://openbsd-archive.7691.n7.nabble.com/mupdf-CVE-2016-6525-amp-CVE-2016-6265-td302904.html</url>
<url>http://bugs.ghostscript.com/show_bug.cgi?id=696941</url>
<url>http://bugs.ghostscript.com/show_bug.cgi?id=696954</url>
<cvename>CVE-2016-6525</cvename>
<cvename>CVE-2016-6265</cvename>
<freebsdpr>ports/212207</freebsdpr>
</references>
<dates>
<discovery>2016-08-27</discovery>
<entry>2016-10-12</entry>
<modified>2016-10-18</modified>
</dates>
</vuln>
<vuln vid="b7d56d0b-7a11-11e6-af78-589cfc0654e1">
<topic>openjpeg -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openjpeg</name>
<range><lt>2.1.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tencent's Xuanwu LAB reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/09/08/2">
<p>A Heap Buffer Overflow (Out-of-Bounds Write) issue was found in
function opj_dwt_interleave_v of dwt.c. This vulnerability allows
remote attackers to execute arbitrary code on vulnerable installations
of OpenJPEG.</p>
<p>An integer overflow issue exists in function opj_pi_create_decode of
pi.c. It can lead to Out-Of-Bounds Read and Out-Of-Bounds Write in
function opj_pi_next_cprl of pi.c (function opj_pi_next_lrcp,
opj_pi_next_rlcp, opj_pi_next_rpcl, opj_pi_next_pcrl may also be
vulnerable). This vulnerability allows remote attackers to execute
arbitrary code on vulnerable installations of OpenJPEG.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2016/09/08/2</url>
<url>http://www.openwall.com/lists/oss-security/2016/09/08/3</url>
<cvename>CVE-2016-5157</cvename>
<cvename>CVE-2016-7163</cvename>
</references>
<dates>
<discovery>2016-09-08</discovery>
<entry>2016-10-11</entry>
</dates>
</vuln>
<vuln vid="fa175f30-8c75-11e6-924a-60a44ce6887b">
<topic>redis -- sensitive information leak through command history file</topic>
<affects>
<package>
<name>redis</name>
<name>redis-devel</name>
<range><lt>3.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Redis team reports:</p>
<blockquote cite="https://github.com/antirez/redis/pull/1418">
<p>The redis-cli history file (in linenoise) is created with the
default OS umask value which makes it world readable in most systems
and could potentially expose authentication credentials to other
users.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/antirez/redis/pull/1418</url>
<url>https://github.com/antirez/redis/issues/3284</url>
<cvename>CVE-2013-7458</cvename>
</references>
<dates>
<discovery>2013-11-30</discovery>
<entry>2016-10-11</entry>
</dates>
</vuln>
<vuln vid="1a71a972-8ee7-11e6-a590-14dae9d210b8">
<topic>FreeBSD -- Multiple libarchive vulnerabilities</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>11.0</ge><lt>11.0_1</lt></range>
<range><ge>10.3</ge><lt>10.3_10</lt></range>
<range><ge>10.2</ge><lt>10.2_23</lt></range>
<range><ge>10.1</ge><lt>10.1_40</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Flaws in libarchive's handling of symlinks and hard links
allow overwriting files outside the extraction directory,
or permission changes to a directory outside the extraction
directory.</p>
<h1>Impact:</h1>
<p>An attacker who can control freebsd-update's or portsnap's
input to tar(1) can change file content or permissions on
files outside of the update tool's working sandbox.</p>
</body>
</description>
<references>
<freebsdsa>SA-16:31.libarchive</freebsdsa>
</references>
<dates>
<discovery>2016-10-05</discovery>
<entry>2016-10-10</entry>
</dates>
</vuln>
<vuln vid="e7dcd69d-8ee6-11e6-a590-14dae9d210b8">
<topic>FreeBSD -- Multiple portsnap vulnerabilities</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>11.0</ge><lt>11.0_1</lt></range>
<range><ge>10.3</ge><lt>10.3_10</lt></range>
<range><ge>10.2</ge><lt>10.2_23</lt></range>
<range><ge>10.1</ge><lt>10.1_40</lt></range>
<range><ge>9.3</ge><lt>9.3_48</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Flaws in portsnap's verification of downloaded tar files
allow additional files to be included without causing the
verification to fail. Portsnap may then use or execute these
files.</p>
<h1>Impact:</h1>
<p>An attacker who can conduct a man-in-the-middle attack on
the network at the time when portsnap is run can cause
portsnap to execute arbitrary commands under the credentials
of the user who runs portsnap, typically root.</p>
</body>
</description>
<references>
<freebsdsa>SA-16:30.portsnap</freebsdsa>
</references>
<dates>
<discovery>2016-10-10</discovery>
<entry>2016-10-10</entry>
</dates>
</vuln>
<vuln vid="ce808022-8ee6-11e6-a590-14dae9d210b8">
<topic>FreeBSD -- Heap overflow vulnerability in bspatch</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>11.0</ge><lt>11.0_1</lt></range>
<range><ge>10.3</ge><lt>10.3_10</lt></range>
<range><ge>10.2</ge><lt>10.2_23</lt></range>
<range><ge>10.1</ge><lt>10.1_40</lt></range>
<range><ge>9.3</ge><lt>9.3_48</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The implementation of bspatch is susceptible to integer
overflows with carefully crafted input, potentially allowing
an attacker who can control the patch file to write at
arbitrary locations in the heap. This issue was partially
addressed in FreeBSD-SA-16:25.bspatch, but some possible
integer overflows remained.</p>
<h1>Impact:</h1>
<p>An attacker who can control the patch file can cause a
crash or run arbitrary code under the credentials of the
user who runs bspatch, in many cases, root.</p>
</body>
</description>
<references>
<freebsdsa>SA-16:29.bspatch</freebsdsa>
</references>
<dates>
<discovery>2016-10-10</discovery>
<entry>2016-10-10</entry>
</dates>
</vuln>
<vuln vid="aeb7874e-8df1-11e6-a082-5404a68ad561">
<topic>mkvtoolnix -- code execution via specially crafted files</topic>
<affects>
<package>
<name>mkvtoolnix</name>
<range><lt>9.4.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Moritz Bunkus reports:</p>
<blockquote cite="https://mkvtoolnix.download/doc/ChangeLog">
<p>most of the bugs fixed on 2016-09-06 and 2016-09-07 for
issue #1780 are potentially exploitable. The scenario is arbitrary
code execution with specially-crafted files.</p>
</blockquote>
</body>
</description>
<references>
<url>https://mkvtoolnix.download/doc/ChangeLog</url>
</references>
<dates>
<discovery>2016-09-07</discovery>
<entry>2016-10-09</entry>
</dates>
</vuln>
<vuln vid="1cf65085-a760-41d2-9251-943e1af62eb8">
<topic>X.org libraries -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libX11</name>
<range><lt>1.6.4,1</lt></range>
</package>
<package>
<name>libXfixes</name>
<range><lt>5.0.3</lt></range>
</package>
<package>
<name>libXi</name>
<range><lt>1.7.7,1</lt></range>
</package>
<package>
<name>libXrandr</name>
<range><lt>1.5.1</lt></range>
</package>
<package>
<name>libXrender</name>
<range><lt>0.9.10</lt></range>
</package>
<package>
<name>libXtst</name>
<range><lt>1.2.3</lt></range>
</package>
<package>
<name>libXv</name>
<range><lt>1.0.11,1</lt></range>
</package>
<package>
<name>libXvMC</name>
<range><lt>1.0.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthieu Herrb reports:</p>
<blockquote cite="https://lists.x.org/archives/xorg-announce/2016-October/002720.html">
<p>Tobias Stoeckmann from the OpenBSD project has discovered a
number of issues in the way various X client libraries handle
the responses they receive from servers, and has worked with
X.Org's security team to analyze, confirm, and fix these issues.
These issues come in addition to the ones discovered by Ilja van
Sprundel in 2013.</p>
<p>Most of these issues stem from the client libraries trusting
the server to send correct protocol data, and not verifying
that the values will not overflow or cause other damage. Most
of the time X clients and servers are run by the same user, with
the server more privileged than the clients, so this is not a
problem, but there are scenarios in which a privileged client
can be connected to an unprivileged server, for instance,
connecting a setuid X client (such as a screen lock program)
to a virtual X server (such as Xvfb or Xephyr) which the user
has modified to return invalid data, potentially allowing the
user to escalate their privileges.</p>
</blockquote>
</body>
</description>
<references>
<url>https://lists.x.org/archives/xorg-announce/2016-October/002720.html</url>
<cvename>CVE-2016-5407</cvename>
</references>
<dates>
<discovery>2016-10-04</discovery>
<entry>2016-10-07</entry>
<modified>2016-10-10</modified>
</dates>
</vuln>
<vuln vid="c8d902b1-8550-11e6-81e7-d050996490d0">
<topic>BIND -- Remote Denial of Service vulnerability</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.9P3</lt></range>
</package>
<package>
<name>bind910</name>
<range><lt>9.10.4P3</lt></range>
</package>
<package>
<name>bind911</name>
<range><lt>9.11.0.rc3</lt></range>
</package>
<package>
<name>bind9-devel</name>
<range><lt>9.12.0.a.2016.09.10</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>9.3</ge><lt>9.3_48</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01419">
<p>Testing by ISC has uncovered a critical error condition
which can occur when a nameserver is constructing a
response. A defect in the rendering of messages into
packets can cause named to exit with an assertion
failure in buffer.c while constructing a response
to a query that meets certain criteria.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2776</cvename>
<freebsdsa>SA-16:28.bind</freebsdsa>
<url>https://kb.isc.org/article/AA-01419</url>
</references>
<dates>
<discovery>2016-09-27</discovery>
<entry>2016-09-28</entry>
<modified>2016-10-10</modified>
</dates>
</vuln>
<vuln vid="bb022643-84fb-11e6-a4a1-60a44ce6887b">
<topic>django -- CSRF protection bypass on a site with Google Analytics</topic>
<affects>
<package>
<name>py-django19</name>
<range><lt>1.9.10</lt></range>
</package>
<package>
<name>py-django18</name>
<range><lt>1.8.15</lt></range>
</package>
<package>
<name>py-django</name>
<range><lt>1.8.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Django Software Foundation reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2016/sep/26/security-releases/">
<p>An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.djangoproject.com/weblog/2016/sep/26/security-releases/</url>
<cvename>CVE-2016-7401</cvename>
</references>
<dates>
<discovery>2016-09-26</discovery>
<entry>2016-09-27</entry>
</dates>
</vuln>
<vuln vid="91a337d8-83ed-11e6-bf52-b499baebfeaf">
<topic>OpenSSL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.2j,1</lt></range>
</package>
<package>
<name>openssl-devel</name>
<range><lt>1.1.0b</lt></range>
</package>
<package>
<name>libressl</name>
<range><lt>2.4.3</lt></range>
</package>
<package>
<name>libressl-devel</name>
<range><lt>2.4.3</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>11.0</ge><lt>11.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL reports:</p>
<blockquote cite="https://www.openssl.org/news/secadv/20160926.txt">
<p>Critical vulnerability in OpenSSL 1.1.0a<br/>
Fix Use After Free for large message sizes (CVE-2016-6309)</p>
<p>Moderate vulnerability in OpenSSL 1.0.2i<br/>
Missing CRL sanity check (CVE-2016-7052)</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.openssl.org/news/secadv/20160926.txt</url>
<cvename>CVE-2016-6309</cvename>
<cvename>CVE-2016-7052</cvename>
<freebsdsa>SA-16:27.openssl</freebsdsa>
</references>
<dates>
<discovery>2016-09-26</discovery>
<entry>2016-09-26</entry>
<modified>2016-10-10</modified>
</dates>
</vuln>
<vuln vid="43eaa656-80bc-11e6-bf52-b499baebfeaf">
<topic>OpenSSL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl-devel</name>
<range><ge>1.1.0</ge><lt>1.1.0_1</lt></range>
</package>
<package>
<name>openssl</name>
<range><lt>1.0.2i,1</lt></range>
</package>
<package>
<name>linux-c6-openssl</name>
<range><lt>1.0.1e_11</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.3</ge><lt>10.3_8</lt></range>
<range><ge>10.2</ge><lt>10.2_21</lt></range>
<range><ge>10.1</ge><lt>10.1_38</lt></range>
<range><ge>9.3</ge><lt>9.3_46</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL reports:</p>
<blockquote cite="https://www.openssl.org/news/secadv/20160922.txt">
<p>High: OCSP Status Request extension unbounded memory growth</p>
<p>SSL_peek() hang on empty record</p>
<p>SWEET32 Mitigation</p>
<p>OOB write in MDC2_Update()</p>
<p>Malformed SHA512 ticket DoS</p>
<p>OOB write in BN_bn2dec()</p>
<p>OOB read in TS_OBJ_print_bio()</p>
<p>Pointer arithmetic undefined behaviour</p>
<p>Constant time flag not preserved in DSA signing</p>
<p>DTLS buffered message DoS</p>
<p>DTLS replay protection DoS</p>
<p>Certificate message OOB reads</p>
<p>Excessive allocation of memory in tls_get_message_header()</p>
<p>Excessive allocation of memory in dtls1_preprocess_fragment()</p>
<p>NB: LibreSSL is only affected by CVE-2016-6304</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.openssl.org/news/secadv/20160922.txt</url>
<cvename>CVE-2016-6304</cvename>
<cvename>CVE-2016-6305</cvename>
<cvename>CVE-2016-2183</cvename>
<cvename>CVE-2016-6303</cvename>
<cvename>CVE-2016-6302</cvename>
<cvename>CVE-2016-2182</cvename>
<cvename>CVE-2016-2180</cvename>
<cvename>CVE-2016-2177</cvename>
<cvename>CVE-2016-2178</cvename>
<cvename>CVE-2016-2179</cvename>
<cvename>CVE-2016-2181</cvename>
<cvename>CVE-2016-6306</cvename>
<cvename>CVE-2016-6307</cvename>
<cvename>CVE-2016-6308</cvename>
<freebsdsa>SA-16:26.openssl</freebsdsa>
</references>
<dates>
<discovery>2016-09-22</discovery>
<entry>2016-09-22</entry>
<modified>2016-10-11</modified>
</dates>
</vuln>
<vuln vid="e78261e4-803d-11e6-a590-14dae9d210b8">
<topic>irssi -- heap corruption and missing boundary checks</topic>
<affects>
<package>
<name>irssi</name>
<name>zh-irssi</name>
<range><ge>0.8.17</ge><lt>0.8.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Irssi reports:</p>
<blockquote cite="https://irssi.org/security/irssi_sa_2016.txt">
<p>Remote crash and heap corruption. Remote code execution seems
difficult since only Nuls are written.</p>
</blockquote>
</body>
</description>
<references>
<url>https://irssi.org/security/irssi_sa_2016.txt</url>
<cvename>CVE-2016-7044</cvename>
<cvename>CVE-2016-7045</cvename>
</references>
<dates>
<discovery>2016-09-21</discovery>
<entry>2016-09-21</entry>
<modified>2016-09-22</modified>
</dates>
</vuln>
<vuln vid="2c57c47e-8bb3-4694-83c8-9fc3abad3964">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>49.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.46</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>45.4.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>45.4.0,2</lt></range>
</package>
<package>
<name>libxul</name>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>45.4.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-85/">
<p>CVE-2016-2827 - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy [low]</p>
<p>CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 [critical]</p>
<p>CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]</p>
<p>CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]</p>
<p>CVE-2016-5271 - Out-of-bounds read in PropertyProvider::GetSpacingInternal [low]</p>
<p>CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]</p>
<p>CVE-2016-5273 - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset [high]</p>
<p>CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]</p>
<p>CVE-2016-5275 - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions [critical]</p>
<p>CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]</p>
<p>CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]</p>
<p>CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]</p>
<p>CVE-2016-5279 - Full local path of files is available to web pages after drag and drop [moderate]</p>
<p>CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]</p>
<p>CVE-2016-5281 - use-after-free in DOMSVGLength [high]</p>
<p>CVE-2016-5282 - Don't allow content to request favicons from non-whitelisted schemes [moderate]</p>
<p>CVE-2016-5283 - &lt;iframe src&gt; fragment timing attack can reveal cross-origin data [high]</p>
<p>CVE-2016-5284 - Add-on update site certificate pin expiration [high]</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2827</cvename>
<cvename>CVE-2016-5256</cvename>
<cvename>CVE-2016-5257</cvename>
<cvename>CVE-2016-5270</cvename>
<cvename>CVE-2016-5271</cvename>
<cvename>CVE-2016-5272</cvename>
<cvename>CVE-2016-5273</cvename>
<cvename>CVE-2016-5274</cvename>
<cvename>CVE-2016-5275</cvename>
<cvename>CVE-2016-5276</cvename>
<cvename>CVE-2016-5277</cvename>
<cvename>CVE-2016-5278</cvename>
<cvename>CVE-2016-5279</cvename>
<cvename>CVE-2016-5280</cvename>
<cvename>CVE-2016-5281</cvename>
<cvename>CVE-2016-5282</cvename>
<cvename>CVE-2016-5283</cvename>
<cvename>CVE-2016-5284</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2016-85/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-86/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-88/</url>
</references>
<dates>
<discovery>2016-09-13</discovery>
<entry>2016-09-20</entry>
<modified>2016-10-21</modified>
</dates>
</vuln>
<vuln vid="653a8059-7c49-11e6-9242-3065ec8fd3ec">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>53.0.2785.113</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://googlechromereleases.blogspot.nl/2016/09/stable-channel-update-for-desktop_13.html">
<p>Several security fixes in this release, including:</p>
<ul>
<li>[641101] High CVE-2016-5170: Use after free in Blink. Credit to
Anonymous</li>
<li>[643357] High CVE-2016-5171: Use after free in Blink. Credit to
Anonymous</li>
<li>[616386] Medium CVE-2016-5172: Arbitrary Memory Read in v8.
Credit to Choongwoo Han</li>
<li>[468931] Medium CVE-2016-5173: Extension resource access.
Credit to Anonymous</li>
<li>[579934] Medium CVE-2016-5174: Popup not correctly suppressed.
Credit to Andrey Kovalev (@L1kvID) Yandex Security Team</li>
<li>[646394] CVE-2016-5175: Various fixes from internal audits,
fuzzing and other initiatives.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5170</cvename>
<cvename>CVE-2016-5171</cvename>
<cvename>CVE-2016-5172</cvename>
<cvename>CVE-2016-5173</cvename>
<cvename>CVE-2016-5174</cvename>
<cvename>CVE-2016-5175</cvename>
<url>https://googlechromereleases.blogspot.nl/2016/09/stable-channel-update-for-desktop_13.html</url>
</references>
<dates>
<discovery>2016-09-13</discovery>
<entry>2016-09-16</entry>
</dates>
</vuln>
<vuln vid="b64a7389-7c27-11e6-8aaa-5404a68ad561">
<topic>mysql -- remote code execution vulnerability in MySQL and its variants (CVE-2016-6662)</topic>
<affects>
<package>
<name>mysql57-client</name>
<name>mysql57-server</name>
<range><lt>5.7.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>LegalHackers reports:</p>
<blockquote cite="http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html">
<p>RCE Bugs discovered in MySQL and its variants like MariaDB.
It works by manipulating my.cnf files and using --malloc-lib.
The bug seems fixed in MySQL 5.7.15 by Oracle.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6662</cvename>
<url>http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html</url>
<url>https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html</url>
</references>
<dates>
<discovery>2016-09-12</discovery>
<entry>2016-09-14</entry>
</dates>
</vuln>
<vuln vid="bc19dcca-7b13-11e6-b99e-589cfc0654e1">
<topic>dropbear -- multiple vulnerabilities</topic>
<affects>
<package>
<name>dropbear</name>
<range><lt>2016.74</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matt Johnston reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/09/15/2">
<p>If specific usernames including "%" symbols can be created on a system
(validated by getpwnam()) then an attacker could run arbitrary code as root
when connecting to Dropbear server.
A dbclient user who can control username or host arguments could potentially
run arbitrary code as the dbclient user. This could be a problem if scripts
or webpages pass untrusted input to the dbclient program.</p>
<p>dropbearconvert import of OpenSSH keys could run arbitrary code as
the local dropbearconvert user when parsing malicious key files.</p>
<p>dbclient could run arbitrary code as the local dbclient user if
particular -m or -c arguments are provided. This could be an issue where
dbclient is used in scripts.</p>
<p>dbclient or dropbear server could expose process memory to the
running user if compiled with DEBUG_TRACE and running with -v.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2016/09/15/2</url>
<cvename>CVE-2016-7406</cvename>
<cvename>CVE-2016-7407</cvename>
<cvename>CVE-2016-7408</cvename>
<cvename>CVE-2016-7409</cvename>
</references>
<dates>
<discovery>2016-07-12</discovery>
<entry>2016-09-15</entry>
</dates>
</vuln>
<vuln vid="08664d42-7989-11e6-b7a8-74d02b9a84d5">
<topic>h2o -- fix DoS attack vector</topic>
<affects>
<package>
<name>h2o</name>
<range>
<lt>2.0.4</lt>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Frederik Deweerdt reported a denial-of-service attack vector
due to an unhandled error condition during socket connection.</p>
</body>
</description>
<references>
<url>https://github.com/h2o/h2o/issues/1077</url>
<cvename>CVE-2016-4864</cvename>
</references>
<dates>
<discovery>2016-06-09</discovery>
<entry>2016-09-14</entry>
</dates>
</vuln>
<vuln vid="b018121b-7a4b-11e6-bf52-b499baebfeaf">
<topic>cURL -- Escape and unescape integer overflows</topic>
<affects>
<package>
<name>curl</name>
<range><ge>7.11.1</ge><lt>7.50.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The cURL project reports:</p>
<blockquote cite="https://curl.haxx.se/docs/adv_20160914.html">
<p>The four libcurl functions curl_escape(), curl_easy_escape(),
curl_unescape() and curl_easy_unescape() perform string URL percent
escaping and unescaping. They accept custom string length inputs
in signed integer arguments.</p>
<p>The provided string length arguments were not properly checked
and due to arithmetic in the functions, passing in the length
0xffffffff (2^32-1 or UINT_MAX or even just -1) would end up
causing an allocation of zero bytes of heap memory that curl
would attempt to write gigabytes of data into.</p>
</blockquote>
</body>
</description>
<references>
<url>https://curl.haxx.se/docs/adv_20160914.html</url>
<cvename>CVE-2016-7167</cvename>
</references>
<dates>
<discovery>2016-09-14</discovery>
<entry>2016-09-14</entry>
</dates>
</vuln>
<vuln vid="769ba449-79e1-11e6-bf75-3065ec8fd3ec">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>53.0.2785.92</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://googlechromereleases.blogspot.nl/2016/08/stable-channel-update-for-desktop_31.html">
<p>33 security fixes in this release</p>
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5147</cvename>
<cvename>CVE-2016-5148</cvename>
<cvename>CVE-2016-5149</cvename>
<cvename>CVE-2016-5150</cvename>
<cvename>CVE-2016-5151</cvename>
<cvename>CVE-2016-5152</cvename>
<cvename>CVE-2016-5153</cvename>
<cvename>CVE-2016-5154</cvename>
<cvename>CVE-2016-5155</cvename>
<cvename>CVE-2016-5156</cvename>
<cvename>CVE-2016-5157</cvename>
<cvename>CVE-2016-5158</cvename>
<cvename>CVE-2016-5159</cvename>
<cvename>CVE-2016-5160</cvename>
<cvename>CVE-2016-5161</cvename>
<cvename>CVE-2016-5162</cvename>
<cvename>CVE-2016-5163</cvename>
<cvename>CVE-2016-5164</cvename>
<cvename>CVE-2016-5165</cvename>
<cvename>CVE-2016-5166</cvename>
<cvename>CVE-2016-5167</cvename>
<url>https://googlechromereleases.blogspot.nl/2016/08/stable-channel-update-for-desktop_31.html</url>
</references>
<dates>
<discovery>2016-08-31</discovery>
<entry>2016-09-13</entry>
</dates>
</vuln>
<vuln vid="958b9cee-79da-11e6-bf75-3065ec8fd3ec">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>52.0.2743.116</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://googlechromereleases.blogspot.nl/2016/08/stable-channel-update-for-desktop.html">
<p>10 security fixes in this release, including:</p>
<ul>
<li>[629542] High CVE-2016-5141 Address bar spoofing. Credit to
anonymous</li>
<li>[626948] High CVE-2016-5142 Use-after-free in Blink. Credit to
anonymous</li>
<li>[625541] High CVE-2016-5139 Heap overflow in pdfium. Credit to
GiWan Go of Stealien</li>
<li>[619405] High CVE-2016-5140 Heap overflow in pdfium. Credit to
Ke Liu of Tencent's Xuanwu LAB</li>
<li>[623406] Medium CVE-2016-5145 Same origin bypass for images in
Blink. Credit to anonymous</li>
<li>[619414] Medium CVE-2016-5143 Parameter sanitization failure in
DevTools. Credit to Gregory Panakkal</li>
<li>[618333] Medium CVE-2016-5144 Parameter sanitization failure in
DevTools. Credit to Gregory Panakkal</li>
<li>[633486] CVE-2016-5146: Various fixes from internal audits,
fuzzing and other initiatives.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5139</cvename>
<cvename>CVE-2016-5140</cvename>
<cvename>CVE-2016-5141</cvename>
<cvename>CVE-2016-5142</cvename>
<cvename>CVE-2016-5143</cvename>
<cvename>CVE-2016-5144</cvename>
<cvename>CVE-2016-5145</cvename>
<cvename>CVE-2016-5146</cvename>
<url>https://googlechromereleases.blogspot.nl/2016/08/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2016-08-03</discovery>
<entry>2016-09-13</entry>
</dates>
</vuln>
<vuln vid="856b88bf-7984-11e6-81e7-d050996490d0">
<topic>mysql -- Remote Root Code Execution</topic>
<affects>
<package>
<name>mariadb55-server</name>
<range><lt>5.5.51</lt></range>
</package>
<package>
<name>mariadb100-server</name>
<range><lt>10.0.27</lt></range>
</package>
<package>
<name>mariadb101-server</name>
<range><lt>10.1.17</lt></range>
</package>
<package>
<name>mysql55-server</name>
<range><lt>5.5.52</lt></range>
</package>
<package>
<name>mysql56-server</name>
<range><lt>5.6.33</lt></range>
</package>
<package>
<name>mysql57-server</name>
<range><lt>5.7.15</lt></range>
</package>
<package>
<name>percona55-server</name>
<range><lt>5.5.51.38.1</lt></range>
</package>
<package>
<name>percona56-server</name>
<range><lt>5.6.32.78.0</lt></range>
</package>
<package>
<name>percona57-server</name>
<range><lt>5.7.14.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dawid Golunski reports:</p>
<blockquote cite="http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt">
<p>Independent research has revealed multiple severe MySQL
vulnerabilities. This advisory focuses on a critical
vulnerability with a CVEID of CVE-2016-6662 which can allow
attackers to (remotely) inject malicious settings into MySQL
configuration files (my.cnf) leading to critical
consequences.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6662</cvename>
<url>http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt</url>
<url>https://jira.mariadb.org/browse/MDEV-10465</url>
<url>https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662/</url>
<url>https://www.percona.com/blog/2016/09/12/database-affected-cve-2016-6662/</url>
<url>https://www.psce.com/blog/2016/09/12/how-to-quickly-patch-mysql-server-against-cve-2016-6662/</url>
</references>
<dates>
<discovery>2016-09-12</discovery>
<entry>2016-09-13</entry>
</dates>
</vuln>
<vuln vid="331eabb3-85b1-466a-a2af-66ac864d395a">
<topic>wolfssl -- leakage of private key information</topic>
<affects>
<package>
<name>wolfssl</name>
<range><lt>3.6.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Florian Weimer of Red Hat discovered that an optimization in
RSA signature validation can result in disclosure of the
server's private key under certain fault conditions.</p>
</body>
</description>
<references>
<url>https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found%2C_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html</url>
<url>https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/</url>
<cvename>CVE-2015-7744</cvename>
</references>
<dates>
<discovery>2015-09-17</discovery>
<entry>2016-01-05</entry>
</dates>
</vuln>
<vuln vid="3d1372e1-7822-4fd8-b56e-5ee832afbd96">
<topic>wolfssl -- DDoS amplification in DTLS</topic>
<affects>
<package>
<name>wolfssl</name>
<range><lt>3.6.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sebastian Ramacher identified an error in wolfSSL's implementation
of the server side of the DTLS handshake, which could be abused
for DDoS amplification or a DoS on the DTLS server itself.</p>
</body>
</description>
<references>
<url>https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found%2C_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html</url>
<url>https://github.com/IAIK/wolfSSL-DoS</url>
<cvename>CVE-2015-6925</cvename>
</references>
<dates>
<discovery>2015-09-18</discovery>
<entry>2016-01-05</entry>
</dates>
</vuln>
<vuln vid="a0128291-7690-11e6-95a8-0011d823eebd">
<topic>gnutls -- OCSP validation issue</topic>
<affects>
<package>
<name>gnutls</name>
<range><lt>3.4.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>gnutls.org reports:</p>
<blockquote cite="https://gnutls.org/security.html#GNUTLS-SA-2016-3">
<p>Stefan Bühler discovered an issue that affects validation
of certificates using OCSP responses, which can falsely report a
certificate as valid under certain circumstances.</p>
</blockquote>
</body>
</description>
<references>
<url>https://gnutls.org/security.html#GNUTLS-SA-2016-3</url>
</references>
<dates>
<discovery>2016-09-08</discovery>
<entry>2016-09-09</entry>
</dates>
</vuln>
<vuln vid="aa1aefe3-6e37-47db-bfda-343ef4acb1b5">
<topic>Mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>48.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.45</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>45.3.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>45.3.0,2</lt></range>
</package>
<package>
<name>libxul</name>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>45.3.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox48">
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-0718</cvename>
<cvename>CVE-2016-2830</cvename>
<cvename>CVE-2016-2835</cvename>
<cvename>CVE-2016-2836</cvename>
<cvename>CVE-2016-2837</cvename>
<cvename>CVE-2016-2838</cvename>
<cvename>CVE-2016-2839</cvename>
<cvename>CVE-2016-5250</cvename>
<cvename>CVE-2016-5251</cvename>
<cvename>CVE-2016-5252</cvename>
<cvename>CVE-2016-5253</cvename>
<cvename>CVE-2016-5254</cvename>
<cvename>CVE-2016-5255</cvename>
<cvename>CVE-2016-5258</cvename>
<cvename>CVE-2016-5259</cvename>
<cvename>CVE-2016-5260</cvename>
<cvename>CVE-2016-5261</cvename>
<cvename>CVE-2016-5262</cvename>
<cvename>CVE-2016-5263</cvename>
<cvename>CVE-2016-5264</cvename>
<cvename>CVE-2016-5265</cvename>
<cvename>CVE-2016-5266</cvename>
<cvename>CVE-2016-5267</cvename>
<cvename>CVE-2016-5268</cvename>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-62/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-63/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-64/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-65/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-66/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-67/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-68/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-69/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-70/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-71/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-72/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-73/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-74/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-75/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-76/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-77/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-78/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-79/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-80/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-81/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-82/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-83/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-84/</url>
</references>
<dates>
<discovery>2016-08-02</discovery>
<entry>2016-09-07</entry>
<modified>2016-09-20</modified>
</dates>
</vuln>
<vuln vid="5cb18881-7604-11e6-b362-001999f8d30b">
<topic>asterisk -- RTP Resource Exhaustion</topic>
<affects>
<package>
<name>asterisk11</name>
<range><lt>11.23.1</lt></range>
</package>
<package>
<name>asterisk13</name>
<range><lt>13.11.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>The overlap dialing feature in chan_sip allows chan_sip
to report to a device that the number that has been dialed
is incomplete and more digits are required. If this
functionality is used with a device that has performed
username/password authentication, RTP resources are leaked.
This occurs because the code fails to release the old RTP
resources before allocating new ones in this scenario.
If all resources are used then RTP port exhaustion will
occur and no RTP sessions are able to be set up.</p>
<p>If overlap dialing support is not needed the "allowoverlap"
option can be set to no. This will stop any usage of the
scenario which causes the resource exhaustion.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2016-007.html</url>
</references>
<dates>
<discovery>2016-08-05</discovery>
<entry>2016-09-08</entry>
</dates>
</vuln>
<vuln vid="7fda7920-7603-11e6-b362-001999f8d30b">
<topic>asterisk -- Crash on ACK from unknown endpoint</topic>
<affects>
<package>
<name>asterisk13</name>
<range><ge>13.10.0</ge><lt>13.11.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>Asterisk can be crashed remotely by sending an ACK to
it from an endpoint username that Asterisk does not
recognize. Most SIP request types result in an "artificial"
endpoint being looked up, but ACKs bypass this lookup.
The resulting NULL pointer results in a crash when
attempting to determine if ACLs should be applied.</p>
<p>This issue was introduced in the Asterisk 13.10 release
and only affects that release.</p>
<p>This issue only affects users using the PJSIP stack
with Asterisk. Those users that use chan_sip are
unaffected.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2016-006.html</url>
</references>
<dates>
<discovery>2016-08-03</discovery>
<entry>2016-09-08</entry>
</dates>
</vuln>
<vuln vid="70c85c93-743c-11e6-a590-14dae9d210b8">
<topic>inspircd -- authentication bypass vulnerability</topic>
<affects>
<package>
<name>inspircd</name>
<range><lt>2.0.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adam reports:</p>
<blockquote cite="http://www.inspircd.org/2016/09/03/v2023-released.html">
<p>A serious vulnerability exists when using m_sasl in
combination with any services that support SASL EXTERNAL.
To be vulnerable you must have m_sasl loaded, and have services which
support SASL EXTERNAL authentication.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.inspircd.org/2016/09/03/v2023-released.html</url>
</references>
<dates>
<discovery>2016-09-03</discovery>
<entry>2016-09-06</entry>
</dates>
</vuln>
<vuln vid="9e50dcc3-740b-11e6-94a2-080027ef73ec">
<topic>mailman -- CSRF hardening in parts of the web interface</topic>
<affects>
<package>
<name>mailman</name>
<range><lt>2.1.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The late Tokio Kikuchi reported:</p>
<blockquote cite="https://bugs.launchpad.net/mailman/+bug/775294">
<p>We may have to set lifetime for input forms because of recent
activities on cross-site request forgery (CSRF). The form lifetime
is successfully deployed in frameworks like web.py or plone etc.
Proposed branch lp:~tkikuchi/mailman/form-lifetime implements
lifetime in admin, admindb, options and edithtml interfaces.
[...]</p>
</blockquote>
<blockquote cite="https://launchpad.net/mailman/2.1/2.1.15">
<p>The web admin interface has been hardened against CSRF attacks by
adding a hidden, encrypted token with a time stamp to form submissions
and not accepting authentication by cookie if the token is missing,
invalid or older than the new mm_cfg.py setting FORM_LIFETIME which
defaults to one hour. Posthumous thanks go to Tokio Kikuchi for this implementation [...].</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.launchpad.net/mailman/+bug/775294</url>
<url>https://launchpad.net/mailman/2.1/2.1.15</url>
<cvename>CVE-2016-7123</cvename>
</references>
<dates>
<discovery>2011-05-02</discovery>
<entry>2016-09-06</entry>
</dates>
</vuln>
<vuln vid="adccefd1-7080-11e6-a2cb-c80aa9043978">
<topic>openssh -- sshd -- remote valid user discovery and PAM /bin/login attack</topic>
<affects>
<package>
<name>openssh-portable</name>
<range><lt>7.3.p1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSH project reports:</p>
<blockquote cite="http://www.openssh.com/txt/release-7.3">
<ul>
<li>sshd(8): Mitigate timing differences in password authentication
that could be used to discern valid from invalid account names
when long passwords were sent and particular password hashing
algorithms are in use on the server. CVE-2016-6210, reported by
EddieEzra.Harari at verint.com</li>
<li>sshd(8): (portable only) Ignore PAM environment vars when
UseLogin=yes. If PAM is configured to read user-specified
environment variables and UseLogin=yes in sshd_config, then a
hostile local user may attack /bin/login via LD_PRELOAD or
similar environment variables set via PAM. CVE-2015-8325,
found by Shayan Sadigh.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.openssh.com/txt/release-7.3</url>
<cvename>CVE-2016-6210</cvename>
<cvename>CVE-2015-8325</cvename>
</references>
<dates>
<discovery>2016-08-01</discovery>
<entry>2016-09-01</entry>
</dates>
</vuln>
<vuln vid="b11ab01b-6e19-11e6-ab24-080027ef73ec">
<topic>mailman -- CSRF protection enhancements</topic>
<affects>
<package>
<name>mailman</name>
<range><lt>2.1.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mark Sapiro reports:</p>
<blockquote cite="http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1668">
<p>CSRF protection has been extended to the user options page. This
was actually fixed by Tokio Kikuchi as part of the fix for LP:
#775294 and intended for Mailman 2.1.15, but that fix wasn't
completely merged at the time. The full fix also addresses the
admindb and edithtml pages as well as the user options page and the
previously fixed admin pages. Thanks to Nishant Agarwala for reporting the issue.</p>
</blockquote>
</body>
</description>
<references>
<url>http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1668</url>
<url>https://mail.python.org/pipermail/mailman-announce/2016-August/000226.html</url>
<cvename>CVE-2016-6893</cvename>
</references>
<dates>
<discovery>2016-08-19</discovery>
<entry>2016-08-29</entry>
</dates>
</vuln>
<vuln vid="e195679d-045b-4953-bb33-be0073ba2ac6">
<topic>libxml2 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libxml2</name>
<range><lt>2.9.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Daniel Veillard reports:</p>
<blockquote cite="https://mail.gnome.org/archives/xml/2016-May/msg00023.html">
<p>More format string warnings with possible format string
vulnerability (David Kilzer)</p>
<p>Avoid building recursive entities (Daniel Veillard)</p>
<p>Heap-based buffer overread in htmlCurrentChar (Pranjal Jumde)</p>
<p>Heap-based buffer-underreads due to xmlParseName (David Kilzer)</p>
<p>Heap use-after-free in xmlSAX2AttributeNs (Pranjal Jumde)</p>
<p>Heap use-after-free in htmlParsePubidLiteral and
htmlParseSystemLiteral (Pranjal Jumde)</p>
<p>Fix some format string warnings with possible format string
vulnerability (David Kilzer)</p>
<p>Detect change of encoding when parsing HTML names (Hugh Davenport)</p>
<p>Fix inappropriate fetch of entities content (Daniel Veillard)</p>
<p>Bug 759398: Heap use-after-free in xmlDictComputeFastKey
(Pranjal Jumde)</p>
<p>Bug 758605: Heap-based buffer overread in xmlDictAddString
(Pranjal Jumde)</p>
<p>Bug 758588: Heap-based buffer overread in
xmlParserPrintFileContextInternal (David Kilzer)</p>
<p>Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
(Pranjal Jumde)</p>
<p>Add missing increments of recursion depth counter to XML parser.
(Peter Simons)</p>
<p>Fix NULL pointer deref in XPointer range-to</p>
</blockquote>
</body>
</description>
<references>
<url>https://mail.gnome.org/archives/xml/2016-May/msg00023.html</url>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=759398</url>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=758605</url>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=758588</url>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=757711</url>
<url>https://git.gnome.org/browse/libxml2/patch/?id=d8083bf77955b7879c1290f0c0a24ab8cc70f7fb</url>
<cvename>CVE-2016-1762</cvename>
<cvename>CVE-2016-1833</cvename>
<cvename>CVE-2016-1834</cvename>
<cvename>CVE-2016-1835</cvename>
<cvename>CVE-2016-1836</cvename>
<cvename>CVE-2016-1837</cvename>
<cvename>CVE-2016-1838</cvename>
<cvename>CVE-2016-1839</cvename>
<cvename>CVE-2016-1840</cvename>
<cvename>CVE-2016-3627</cvename>
<cvename>CVE-2016-3705</cvename>
<cvename>CVE-2016-4449</cvename>
<cvename>CVE-2016-4483</cvename>
</references>
<dates>
<discovery>2016-05-23</discovery>
<entry>2016-08-28</entry>
</dates>
</vuln>
<vuln vid="4472ab39-6c66-11e6-9ca5-50e549ebab6c">
<topic>kdelibs -- directory traversal vulnerability</topic>
<affects>
<package>
<name>kdelibs</name>
<range><lt>4.14.10_7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>David Faure reports:</p>
<blockquote cite="https://www.kde.org/info/security/advisory-20160724-1.txt">
<p>A maliciously crafted archive (.zip or .tar.bz2) with "../" in the
file paths could be offered for download via the KNewStuff
framework (e.g. on www.kde-look.org), and upon extraction would
install files anywhere in the user's home directory.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6232</cvename>
<url>https://www.kde.org/info/security/advisory-20160724-1.txt</url>
</references>
<dates>
<discovery>2016-07-24</discovery>
<entry>2016-08-27</entry>
</dates>
</vuln>
<vuln vid="f5035ead-688b-11e6-8b1d-c86000169601">
<topic>eog -- out-of-bounds write</topic>
<affects>
<package>
<name>eog</name>
<range><lt>3.18.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Felix Riemann reports:</p>
<blockquote cite="https://mail.gnome.org/archives/ftp-release-list/2016-August/msg00123.html">
<p>CVE-2016-6855 out-of-bounds write in eog 3.10.2.</p>
</blockquote>
</body>
</description>
<references>
<url>https://mail.gnome.org/archives/ftp-release-list/2016-August/msg00123.html</url>
<cvename>CVE-2016-6855</cvename>
</references>
<dates>
<discovery>2016-08-21</discovery>
<entry>2016-08-22</entry>
</dates>
</vuln>
<vuln vid="44989c29-67d1-11e6-8b1d-c86000169601">
<topic>fontconfig -- insufficient cache file validation</topic>
<affects>
<package>
<name>fontconfig</name>
<range><lt>1.12.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Debian security team reports:</p>
<blockquote cite="https://packetstormsecurity.com/files/138236/Debian-Security-Advisory-3644-1.html">
<p>Tobias Stoeckmann discovered that cache files are insufficiently
validated in fontconfig, a generic font configuration library. An
attacker can trigger arbitrary free() calls, which in turn allows
double free attacks and therefore arbitrary code execution. In
combination with setuid binaries using crafted cache files, this
could allow privilege escalation.</p>
</blockquote>
</body>
</description>
<references>
<url>https://packetstormsecurity.com/files/138236/Debian-Security-Advisory-3644-1.html</url>
<cvename>CVE-2016-5384</cvename>
</references>
<dates>
<discovery>2016-08-05</discovery>
<entry>2016-08-21</entry>
</dates>
</vuln>
<vuln vid="7fe7df75-6568-11e6-a590-14dae9d210b8">
<topic>End of Life Ports</topic>
<affects>
<package>
<name>python32</name>
<name>python31</name>
<name>python30</name>
<name>python26</name>
<name>python25</name>
<name>python24</name>
<name>python23</name>
<name>python22</name>
<name>python21</name>
<name>python20</name>
<name>python15</name>
<range><ge>0</ge></range>
</package>
<package>
<name>php54</name>
<name>php53</name>
<name>php52</name>
<name>php5</name>
<name>php4</name>
<range><ge>0</ge></range>
</package>
<package>
<name>perl5</name>
<range><lt>5.18</lt></range>
</package>
<package>
<name>perl5.16</name>
<name>perl5.14</name>
<name>perl5.12</name>
<name>perl</name> <!-- Perl 5.10 and earlier were called "perl" -->
<range><ge>0</ge></range>
</package>
<package>
<name>ruby</name>
<name>ruby_static</name>
<range><lt>2.1,1</lt></range>
</package>
<package>
<name>unifi2</name>
<name>unifi3</name>
<range><ge>0</ge></range>
</package>
<package>
<name>apache21</name>
<name>apache20</name>
<name>apache13</name>
<range><ge>0</ge></range>
</package>
<package>
<name>tomcat55</name>
<name>tomcat41</name>
<range><ge>0</ge></range>
</package>
<package>
<name>mysql51-client</name>
<name>mysql51-server</name>
<name>mysql50-client</name>
<name>mysql50-server</name>
<name>mysql41-client</name>
<name>mysql41-server</name>
<name>mysql40-client</name>
<name>mysql40-server</name>
<range><ge>0</ge></range>
</package>
<package>
<name>postgresql90-client</name>
<name>postgresql90-server</name>
<name>postgresql84-client</name>
<name>postgresql84-server</name>
<name>postgresql83-client</name>
<name>postgresql83-server</name>
<name>postgresql82-client</name>
<name>postgresql82-server</name>
<name>postgresql81-client</name>
<name>postgresql81-server</name>
<name>postgresql80-client</name>
<name>postgresql80-server</name>
<name>postgresql74-client</name>
<name>postgresql74-server</name>
<name>postgresql73-client</name>
<name>postgresql73-server</name>
<name>postgresql72-client</name>
<name>postgresql72-server</name>
<name>postgresql71-client</name>
<name>postgresql71-server</name>
<name>postgresql7-client</name>
<name>postgresql7-server</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>These packages have reached End of Life status and/or have
been removed from the Ports Tree. They may contain undocumented
security issues. Please take caution and find alternative
software as soon as possible.</p>
</body>
</description>
<references>
<freebsdpr>ports/211975</freebsdpr>
</references>
<dates>
<discovery>2016-08-18</discovery>
<entry>2016-08-18</entry>
<modified>2016-10-18</modified>
</dates>
</vuln>
<vuln vid="e1c71d8d-64d9-11e6-b38a-25a46b33f2ed">
<topic>gnupg -- attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output</topic>
<affects>
<package>
<name>gnupg1</name>
<range><lt>1.4.21</lt></range>
</package>
<package>
<name>libgcrypt</name>
<range><lt>1.7.3</lt></range>
</package>
<package>
<name>linux-c6-libgcrypt</name>
<range><lt>1.4.5_4</lt></range>
</package>
<package>
<name>linux-c7-libgcrypt</name>
<range><lt>1.5.3_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Werner Koch reports:</p>
<blockquote cite="https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html">
<p>There was a bug in the mixing functions of Libgcrypt's random
number generator: An attacker who obtains 4640 bits from the RNG can
trivially predict the next 160 bits of output. This bug exists since
1998 in all GnuPG and Libgcrypt versions.</p>
</blockquote>
</body>
</description>
<references>
<url>https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html</url>
<cvename>CVE-2016-6313</cvename>
</references>
<dates>
<discovery>2016-08-17</discovery>
<entry>2016-08-18</entry>
<modified>2016-11-30</modified>
</dates>
</vuln>
<vuln vid="ef70b201-645d-11e6-9cdc-6805ca0b3d42">
<topic>phpmyadmin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>phpmyadmin</name>
<range><ge>4.6.0</ge><lt>4.6.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpmyadmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-29/">
<p>Weakness with cookie encryption</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-30/">
<p>Multiple XSS vulnerabilities</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-31/">
<p>Multiple XSS vulnerabilities</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-32/">
<p>PHP code injection</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-33/">
<p>Full path disclosure</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-34/">
<p>SQL injection attack</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-35/">
<p>Local file exposure</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-36/">
<p>Local file exposure through symlinks with
UploadDir</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-37/">
<p>Path traversal with SaveDir and UploadDir</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-38/">
<p>Multiple XSS vulnerabilities</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-39/">
<p>SQL injection attack</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-40/">
<p>SQL injection attack</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-41/">
<p>Denial of service (DOS) attack in transformation
feature</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-42/">
<p>SQL injection attack as control user</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-43/">
<p>Unvalidated data passed to unserialize()</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-45/">
<p>DOS attack with forced persistent connections</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-46/">
<p>Denial of service (DOS) attack by for loops</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-47/">
<p>IPv6 and proxy server IP-based authentication rule
circumvention</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-48/">
<p>Detect if user is logged in</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-49/">
<p>Bypass URL redirect protection</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-50/">
<p>Referrer leak in url.php</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-51/">
<p>Reflected File Download attack</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-52/">
<p>ArbitraryServerRegexp bypass</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-53/">
<p>Denial of service (DOS) attack by changing password to a
very long string</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-54/">
<p>Remote code execution vulnerability when run as CGI</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-55/">
<p>Denial of service (DOS) attack with dbase extension</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-56/">
<p>Remote code execution vulnerability when PHP is running
with dbase extension</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2016-29/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-30/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-31/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-32/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-33/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-34/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-35/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-36/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-37/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-38/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-39/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-40/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-41/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-42/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-43/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-45/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-46/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-47/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-48/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-49/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-50/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-51/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-52/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-53/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-54/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-55/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-56/</url>
<cvename>CVE-2016-6606</cvename>
<cvename>CVE-2016-6607</cvename>
<cvename>CVE-2016-6608</cvename>
<cvename>CVE-2016-6609</cvename>
<cvename>CVE-2016-6610</cvename>
<cvename>CVE-2016-6611</cvename>
<cvename>CVE-2016-6612</cvename>
<cvename>CVE-2016-6613</cvename>
<cvename>CVE-2016-6614</cvename>
<cvename>CVE-2016-6615</cvename>
<cvename>CVE-2016-6616</cvename>
<cvename>CVE-2016-6617</cvename>
<cvename>CVE-2016-6618</cvename>
<cvename>CVE-2016-6619</cvename>
<cvename>CVE-2016-6620</cvename>
<cvename>CVE-2016-6622</cvename>
<cvename>CVE-2016-6623</cvename>
<cvename>CVE-2016-6624</cvename>
<cvename>CVE-2016-6625</cvename>
<cvename>CVE-2016-6626</cvename>
<cvename>CVE-2016-6627</cvename>
<cvename>CVE-2016-6628</cvename>
<cvename>CVE-2016-6629</cvename>
<cvename>CVE-2016-6630</cvename>
<cvename>CVE-2016-6631</cvename>
<cvename>CVE-2016-6632</cvename>
<cvename>CVE-2016-6633</cvename>
</references>
<dates>
<discovery>2016-08-17</discovery>
<entry>2016-08-17</entry>
</dates>
</vuln>
<vuln vid="f7dd2d09-625e-11e6-828b-fcaa14edc6a6">
<topic>TeamSpeak Server 3 -- Multiple vulnerabilities including Remote Code Execution</topic>
<affects>
<package>
<name>teamspeak3-server</name>
<range><le>3.0.13_1,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Hanz Jenson's audit report:</p>
<blockquote cite="http://seclists.org/fulldisclosure/2016/Aug/61">
<p>I found 10 vulnerabilities. Some of these are critical and allow remote code
execution. For the average user, that means that these vulnerabilities can be
exploited by a malicious attacker in order to take over any Teamspeak server,
not only becoming serveradmin, but getting a shell on the affected machine.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/fulldisclosure/2016/Aug/61</url>
</references>
<dates>
<discovery>2016-08-12</discovery>
<entry>2016-08-14</entry>
</dates>
</vuln>
<vuln vid="df502a2f-61f6-11e6-a461-643150d3111d">
<topic>puppet-agent MCollective plugin -- Remote Code Execution vulnerability</topic>
<affects>
<package>
<name>mcollective-puppet-agent</name>
<range><lt>1.11.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Puppet reports:</p>
<blockquote cite="https://puppet.com/security/cve/cve-2015-7331">
<p>Puppet Enterprise previously included a puppet-agent MCollective plugin that allowed you to pass the `--server` argument to MCollective. This insecure argument enabled remote code execution via connection to an untrusted host. In the puppet-agent MCollective version included in PE 2016.2.1, this option is disabled by default.</p>
</blockquote>
</body>
</description>
<references>
<url>https://puppet.com/security/cve/cve-2015-7331</url>
<cvename>CVE-2015-7331</cvename>
</references>
<dates>
<discovery>2016-08-09</discovery>
<entry>2016-08-15</entry>
</dates>
</vuln>
<vuln vid="7d4f4955-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Heap vulnerability in bspatch</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.3</ge><lt>10.3_6</lt></range>
<range><ge>10.2</ge><lt>10.2_20</lt></range>
<range><ge>10.1</ge><lt>10.1_37</lt></range>
<range><ge>9.3</ge><lt>9.3_45</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The implementation of bspatch does not check for a
negative value on numbers of bytes read from the diff and
extra streams, allowing an attacker who can control the
patch file to write at arbitrary locations in the heap.</p>
<p>This issue was first discovered by The Chromium Project
and reported independently by Lu Tung-Pin to the FreeBSD
project.</p>
<h1>Impact:</h1>
<p>An attacker who can control the patch file can cause a
crash or run arbitrary code under the credentials of the
user who runs bspatch, in many cases, root.</p>
</body>
</description>
<references>
<cvename>CVE-2014-9862</cvename>
<freebsdsa>SA-16:25.bspatch</freebsdsa>
</references>
<dates>
<discovery>2016-07-25</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="7cfcea05-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Multiple ntp vulnerabilities</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.3</ge><lt>10.3_5</lt></range>
<range><ge>10.2</ge><lt>10.2_19</lt></range>
<range><ge>10.1</ge><lt>10.1_36</lt></range>
<range><ge>9.3</ge><lt>9.3_44</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Multiple vulnerabilities have been discovered in the NTP
suite:</p>
<p>The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
could cause ntpd to crash. [CVE-2016-4957, Reported by
Nicolas Edet of Cisco]</p>
<p>An attacker who knows the origin timestamp and can send
a spoofed packet containing a CRYPTO-NAK to an ephemeral
peer target before any other response is sent can demobilize
that association. [CVE-2016-4953, Reported by Miroslav
Lichvar of Red Hat]</p>
<p>An attacker who is able to spoof packets with correct
origin timestamps from enough servers before the expected
response packets arrive at the target machine can affect
some peer variables and, for example, cause a false leap
indication to be set. [CVE-2016-4954, Reported by Jakub
Prokes of Red Hat]</p>
<p>An attacker who is able to spoof a packet with a correct
origin timestamp before the expected response packet arrives
at the target machine can send a CRYPTO_NAK or a bad MAC
and cause the association's peer variables to be cleared.
If this can be done often enough, it will prevent that
association from working. [CVE-2016-4955, Reported by
Miroslav Lichvar of Red Hat]</p>
<p>The fix for NtpBug2978 does not cover broadcast associations,
so broadcast clients can be triggered to flip into interleave
mode. [CVE-2016-4956, Reported by Miroslav Lichvar of Red
Hat.]</p>
<h1>Impact:</h1>
<p>Malicious remote attackers may be able to break time
synchronization, or cause the ntpd(8) daemon to crash.</p>
</body>
</description>
<references>
<cvename>CVE-2016-4953</cvename>
<cvename>CVE-2016-4954</cvename>
<cvename>CVE-2016-4955</cvename>
<cvename>CVE-2016-4956</cvename>
<cvename>CVE-2016-4957</cvename>
<freebsdsa>SA-16:24.ntp</freebsdsa>
</references>
<dates>
<discovery>2016-06-04</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="7cad4795-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Kernel stack disclosure in 4.3BSD compatibility layer</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.3</ge><lt>10.3_4</lt></range>
<range><ge>10.2</ge><lt>10.2_18</lt></range>
<range><ge>10.1</ge><lt>10.1_35</lt></range>
<range><ge>9.3</ge><lt>9.3_43</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The implementation of the historic stat(2) system call does
not clear the output struct before copying it out to
userland.</p>
<h1>Impact:</h1>
<p>An unprivileged user can read a portion of uninitialised
kernel stack data, which may contain sensitive information,
such as the stack guard, portions of the file cache or
terminal buffers, which an attacker might leverage to obtain
elevated privileges.</p>
</body>
</description>
<references>
<freebsdsa>SA-16:21.43bsd</freebsdsa>
</references>
<dates>
<discovery>2016-05-31</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="7c5d64dd-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Kernel stack disclosure in Linux compatibility layer</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.3</ge><lt>10.3_4</lt></range>
<range><ge>10.2</ge><lt>10.2_18</lt></range>
<range><ge>10.1</ge><lt>10.1_35</lt></range>
<range><ge>9.3</ge><lt>9.3_43</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The implementation of the TIOCGSERIAL ioctl(2) does not
clear the output struct before copying it out to userland.</p>
<p>The implementation of the Linux sysinfo() system call
does not clear the output struct before copying it out to
userland.</p>
<h1>Impact:</h1>
<p>An unprivileged user can read a portion of uninitialised
kernel stack data, which may contain sensitive information,
such as the stack guard, portions of the file cache or
terminal buffers, which an attacker might leverage to obtain
elevated privileges.</p>
</body>
</description>
<references>
<freebsdsa>SA-16:20.linux</freebsdsa>
</references>
<dates>
<discovery>2016-05-31</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="7c0bac69-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Incorrect argument handling in sendmsg(2)</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.3</ge><lt>10.3_3</lt></range>
<range><ge>10.2</ge><lt>10.2_17</lt></range>
<range><ge>10.1</ge><lt>10.1_34</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Incorrect argument handling in the socket code allows a
malicious local user to overwrite a large portion of the
kernel memory.</p>
<h1>Impact:</h1>
<p>A malicious local user may crash the kernel or execute arbitrary
code in the kernel, potentially gaining superuser privileges.</p>
</body>
</description>
<references>
<cvename>CVE-2016-1887</cvename>
<freebsdsa>SA-16:19.sendmsg</freebsdsa>
</references>
<dates>
<discovery>2016-05-17</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="7bbc0e8c-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Buffer overflow in keyboard driver</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.3</ge><lt>10.3_3</lt></range>
<range><ge>10.2</ge><lt>10.2_17</lt></range>
<range><ge>10.1</ge><lt>10.1_34</lt></range>
<range><ge>9.3</ge><lt>9.3_42</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Incorrect signedness comparison in the ioctl(2) handler
allows a malicious local user to overwrite a portion of the
kernel memory.</p>
<h1>Impact:</h1>
<p>A local user may crash the kernel, read a portion of
kernel memory and execute arbitrary code in kernel context.
The result of executing arbitrary kernel code is privilege
escalation.</p>
</body>
</description>
<references>
<cvename>CVE-2016-1886</cvename>
<freebsdsa>SA-16:18.atkbd</freebsdsa>
</references>
<dates>
<discovery>2016-05-17</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="7b6a11b5-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Incorrect argument validation in sysarch(2)</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>11.0</ge><lt>11.0_2</lt></range>
<range><ge>10.3</ge><lt>10.3_11</lt></range>
<range><ge>10.2</ge><lt>10.2_24</lt></range>
<range><ge>10.1</ge><lt>10.1_41</lt></range>
<range><ge>9.3</ge><lt>9.3_49</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A special combination of sysarch(2) arguments specifies
a request to uninstall a set of descriptors from the LDT.
The start descriptor is cleared and the number of descriptors
is provided. Due to a lack of sufficient bounds checking
during argument validity verification, unbounded zeroing of
the process LDT and adjacent memory can be initiated from
user mode.</p>
<h1>Impact:</h1>
<p>This vulnerability could cause the kernel to panic. In
addition, it is possible for unprivileged processes to perform
a local Denial of Service against the system.</p>
</body>
</description>
<references>
<cvename>CVE-2016-1885</cvename>
<freebsdsa>SA-16:15.sysarch</freebsdsa>
</references>
<dates>
<discovery>2016-03-16</discovery>
<entry>2016-08-11</entry>
<modified>2016-10-25</modified>
</dates>
</vuln>
<vuln vid="7b1a4a27-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Multiple OpenSSL vulnerabilities</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.2</ge><lt>10.2_13</lt></range>
<range><ge>10.1</ge><lt>10.1_30</lt></range>
<range><ge>9.3</ge><lt>9.3_38</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A cross-protocol attack was discovered that could lead
to decryption of TLS sessions by using a server supporting
SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA
padding oracle. Note that traffic between clients and
non-vulnerable servers can be decrypted provided another
server supporting SSLv2 and EXPORT ciphers (even with a
different protocol such as SMTP, IMAP or POP3) shares the
RSA keys of the non-vulnerable server. This vulnerability
is known as DROWN. [CVE-2016-0800]</p>
<p>A double free bug was discovered when OpenSSL parses
malformed DSA private keys and could lead to a DoS attack
or memory corruption for applications that receive DSA
private keys from untrusted sources. This scenario is
considered rare. [CVE-2016-0705]</p>
<p>The SRP user database lookup method SRP_VBASE_get_by_user
had confusing memory management semantics; the returned
pointer was sometimes newly allocated, and sometimes owned
by the callee. The calling code has no way of distinguishing
these two cases. [CVE-2016-0798]</p>
<p>In the BN_hex2bn function, the number of hex digits is
calculated using an int value |i|. Later |bn_expand| is
called with a value of |i * 4|. For large values of |i|
this can result in |bn_expand| not allocating any memory
because |i * 4| is negative. This can leave the internal
BIGNUM data field as NULL leading to a subsequent NULL
pointer dereference. For very large values of |i|, the
calculation |i * 4| could be a positive value smaller than
|i|. In this case memory is allocated to the internal BIGNUM
data field, but it is insufficiently sized leading to heap
corruption. A similar issue exists in BN_dec2bn. This could
have security consequences if BN_hex2bn/BN_dec2bn is ever
called by user applications with very large untrusted hex/dec
data. This is anticipated to be a rare occurrence.
[CVE-2016-0797]</p>
<p>The internal |fmtstr| function used in processing a "%s"
formatted string in the BIO_*printf functions could overflow
while calculating the length of a string and cause an
out-of-bounds read when printing very long strings.
[CVE-2016-0799]</p>
<p>A side-channel attack was found which makes use of
cache-bank conflicts on the Intel Sandy-Bridge microarchitecture
which could lead to the recovery of RSA keys. [CVE-2016-0702]</p>
<p>s2_srvr.c did not enforce that clear-key-length is 0 for
non-export ciphers. If clear-key bytes are present for these
ciphers, they displace encrypted-key bytes. [CVE-2016-0703]</p>
<p>s2_srvr.c overwrites the wrong bytes in the master key
when applying Bleichenbacher protection for export cipher
suites. [CVE-2016-0704]</p>
<h1>Impact:</h1>
<p>Servers that have the SSLv2 protocol enabled are vulnerable
to the "DROWN" attack, which allows a remote attacker to
rapidly attack many recorded TLS connections made to the server,
even when the client did not make any SSLv2 connections
itself.</p>
<p>An attacker who can supply malformed DSA private keys
to OpenSSL applications may be able to cause memory corruption
which would lead to a Denial of Service condition.
[CVE-2016-0705]</p>
<p>An attacker connecting with an invalid username can cause
a memory leak, which could eventually lead to a Denial of
Service condition. [CVE-2016-0798]</p>
<p>An attacker who can inject malformed data into an
application may be able to cause memory corruption which
would lead to a Denial of Service condition. [CVE-2016-0797,
CVE-2016-0799]</p>
<p>A local attacker who has control of code in a thread
running on the same hyper-threaded core as the victim thread
which is performing decryptions could recover RSA keys.
[CVE-2016-0702]</p>
<p>An eavesdropper who can intercept an SSLv2 handshake can
conduct an efficient divide-and-conquer key recovery attack
and use the server as an oracle to determine the SSLv2
master-key, using only 16 connections to the server and
negligible computation. [CVE-2016-0703]</p>
<p>An attacker can use the Bleichenbacher oracle, which
enables a more efficient variant of the DROWN attack.
[CVE-2016-0704]</p>
</body>
</description>
<references>
<cvename>CVE-2016-0702</cvename>
<cvename>CVE-2016-0703</cvename>
<cvename>CVE-2016-0704</cvename>
<cvename>CVE-2016-0705</cvename>
<cvename>CVE-2016-0797</cvename>
<cvename>CVE-2016-0798</cvename>
<cvename>CVE-2016-0799</cvename>
<cvename>CVE-2016-0800</cvename>
<freebsdsa>SA-16:12.openssl</freebsdsa>
</references>
<dates>
<discovery>2016-03-10</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="7ac28df1-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Linux compatibility layer issetugid(2) system call</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.2</ge><lt>10.2_11</lt></range>
<range><ge>10.1</ge><lt>10.1_28</lt></range>
<range><ge>9.3</ge><lt>9.3_35</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A programming error in the Linux compatibility layer
could cause the issetugid(2) system call to return incorrect
information.</p>
<h1>Impact:</h1>
<p>If an application relies on the output of the issetugid(2)
system call and that information is incorrect, this could
lead to a privilege escalation.</p>
</body>
</description>
<references>
<cvename>CVE-2016-1883</cvename>
<freebsdsa>SA-16:10.linux</freebsdsa>
</references>
<dates>
<discovery>2016-01-27</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="7a31dfba-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Insecure default snmpd.config permissions</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.2</ge><lt>10.2_9</lt></range>
<range><ge>10.1</ge><lt>10.1_26</lt></range>
<range><ge>9.3</ge><lt>9.3_33</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The SNMP protocol supports an authentication model called
USM, which relies on a shared secret. The default permission
of the snmpd configuration file, /etc/snmpd.config, is
weak and does not provide adequate protection against local
unprivileged users.</p>
<h1>Impact:</h1>
<p>A local user may be able to read the shared secret, if
configured and used by the system administrator.</p>
</body>
</description>
<references>
<cvename>CVE-2015-5677</cvename>
<freebsdsa>SA-16:06.bsnmpd</freebsdsa>
</references>
<dates>
<discovery>2016-01-14</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="79dfc135-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- TCP MD5 signature denial of service</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.2</ge><lt>10.2_9</lt></range>
<range><ge>10.1</ge><lt>10.1_26</lt></range>
<range><ge>9.3</ge><lt>9.3_33</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A programming error in processing a TCP connection with
both the TCP_MD5SIG and TCP_NOOPT socket options set may lead to
a kernel crash.</p>
<h1>Impact:</h1>
<p>A local attacker can crash the kernel, resulting in a
denial of service.</p>
<p>A remote attack is theoretically possible if the server has
a listening socket with TCP_NOOPT set, and the server is either
out of SYN cache entries or the SYN cache is disabled by
configuration.</p>
</body>
</description>
<references>
<cvename>CVE-2016-1882</cvename>
<freebsdsa>SA-16:05.tcp</freebsdsa>
</references>
<dates>
<discovery>2016-01-14</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="798f63e0-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Linux compatibility layer setgroups(2) system call</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.2</ge><lt>10.2_9</lt></range>
<range><ge>10.1</ge><lt>10.1_26</lt></range>
<range><ge>9.3</ge><lt>9.3_33</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A programming error in the Linux compatibility layer
setgroups(2) system call can lead to unexpected results,
such as overwriting random kernel memory contents.</p>
<h1>Impact:</h1>
<p>It is possible for a local attacker to overwrite portions
of kernel memory, which may result in a privilege escalation
or cause a system panic.</p>
</body>
</description>
<references>
<cvename>CVE-2016-1881</cvename>
<freebsdsa>SA-16:04.linux</freebsdsa>
</references>
<dates>
<discovery>2016-01-14</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="793fb19c-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Linux compatibility layer incorrect futex handling</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.2</ge><lt>10.2_9</lt></range>
<range><ge>10.1</ge><lt>10.1_26</lt></range>
<range><ge>9.3</ge><lt>9.3_33</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A programming error in the handling of Linux futex robust
lists may result in incorrect memory locations being
accessed.</p>
<h1>Impact:</h1>
<p>It is possible for a local attacker to read portions of
kernel memory, which may result in a privilege escalation.</p>
</body>
</description>
<references>
<cvename>CVE-2016-1880</cvename>
<freebsdsa>SA-16:03.linux</freebsdsa>
</references>
<dates>
<discovery>2016-01-14</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="78f06a6c-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- SCTP ICMPv6 error message vulnerability</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.2</ge><lt>10.2_9</lt></range>
<range><ge>10.1</ge><lt>10.1_26</lt></range>
<range><ge>9.3</ge><lt>9.3_33</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A lack of proper input checks in the ICMPv6 processing
in the SCTP stack can lead to either a failed kernel assertion
or to a NULL pointer dereference. In either case, a kernel
panic will follow.</p>
<h1>Impact:</h1>
<p>A remote, unauthenticated attacker can reliably trigger
a kernel panic in a vulnerable system running IPv6. Any
kernel compiled with both IPv6 and SCTP support is vulnerable.
There is no requirement to have an SCTP socket open.</p>
<p>IPv4 ICMP processing is not impacted by this vulnerability.</p>
</body>
</description>
<references>
<cvename>CVE-2016-1879</cvename>
<freebsdsa>SA-16:01.sctp</freebsdsa>
</references>
<dates>
<discovery>2016-01-14</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0e5d6969-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- rpcbind(8) remote denial of service [REVISED]</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.2</ge><lt>10.2_5</lt></range>
<range><ge>10.1</ge><lt>10.1_22</lt></range>
<range><ge>9.3</ge><lt>9.3_28</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>In rpcbind(8), netbuf structures are copied directly,
which results in two netbuf structures that reference
one shared address buffer. When one of the two netbuf
structures is freed, access to the other netbuf structure
results in undefined behaviour that may crash the
rpcbind(8) daemon.</p>
<h1>Impact:</h1>
<p>A remote attacker who can send specifically crafted
packets to the rpcbind(8) daemon can cause it to crash,
resulting in a denial of service condition.</p>
</body>
</description>
<references>
<cvename>CVE-2015-7236</cvename>
<freebsdsa>SA-15:24.rpcbind</freebsdsa>
</references>
<dates>
<discovery>2015-09-29</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0dfa5dde-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Local privilege escalation in IRET handler</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.1</ge><lt>10.1_19</lt></range>
<range><ge>9.3</ge><lt>9.3_24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>If the kernel-mode IRET instruction generates an #SS or
#NP exception, but the exception handler does not properly
ensure that the right GS register base for kernel is reloaded,
the userland GS segment may be used in the context of the
kernel exception handler.</p>
<h1>Impact:</h1>
<p>By causing an IRET with #SS or #NP exceptions, a local
attacker can cause the kernel to use an arbitrary GS base,
which may allow escalated privileges or panic the system.</p>
</body>
</description>
<references>
<cvename>CVE-2015-5675</cvename>
<freebsdsa>SA-15:21.amd64</freebsdsa>
</references>
<dates>
<discovery>2015-08-25</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0da8a68e-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Multiple integer overflows in expat (libbsdxml) XML parser</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.1</ge><lt>10.1_18</lt></range>
<range><ge>10.2</ge><lt>10.2_1</lt></range>
<range><ge>9.3</ge><lt>9.3_23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Multiple integer overflows have been discovered in the
XML_GetBuffer() function in the expat library.</p>
<h1>Impact:</h1>
<p>The integer overflows may be exploited by using specifically
crafted XML data and lead to an infinite loop or a heap buffer
overflow, which results in a Denial of Service condition
or enables remote attackers to execute arbitrary code.</p>
</body>
</description>
<references>
<cvename>CVE-2015-1283</cvename>
<freebsdsa>SA-15:20.expat</freebsdsa>
</references>
<dates>
<discovery>2015-08-18</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0d584493-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- routed(8) remote denial of service vulnerability</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.1</ge><lt>10.1_17</lt></range>
<range><ge>9.3</ge><lt>9.3_22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The input path in routed(8) will accept queries from any
source and attempt to answer them. However, the output path
assumes that the destination address for the response is
on a directly connected network.</p>
<h1>Impact:</h1>
<p>Upon receipt of a query from a source which is not on a
directly connected network, routed(8) will trigger an
assertion and terminate. The affected system's routing table
will no longer be updated. If the affected system is a
router, its routes will eventually expire from other routers'
routing tables, and its networks will no longer be reachable
unless they are also connected to another router.</p>
</body>
</description>
<references>
<cvename>CVE-2015-5674</cvename>
<freebsdsa>SA-15:19.routed</freebsdsa>
</references>
<dates>
<discovery>2015-08-05</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0d090952-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- shell injection vulnerability in patch(1)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.1</ge><lt>10.1_17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Due to insufficient sanitization of the input patch
stream, it is possible for a patch file to cause patch(1)
to pass certain ed(1) scripts to the ed(1) editor, which
would run commands.</p>
<h1>Impact:</h1>
<p>This issue could be exploited to execute arbitrary
commands as the user invoking patch(1) against a specially
crafted patch file, which could be leveraged to obtain
elevated privileges.</p>
</body>
</description>
<references>
<cvename>CVE-2015-1418</cvename>
<freebsdsa>SA-15:18.bsdpatch</freebsdsa>
</references>
<dates>
<discovery>2015-08-05</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0cb9d5bb-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Resource exhaustion in TCP reassembly</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.1</ge><lt>10.1_16</lt></range>
<range><ge>9.3</ge><lt>9.3_21</lt></range>
<range><ge>8.4</ge><lt>8.4_35</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A mistake made with the introduction of VNET
converted the global limit on the number of segments that
could belong to reassembly queues into a per-VNET limit.
Because mbufs are allocated from a global pool, in the
presence of a sufficient number of VNETs, the total number
of mbufs attached to reassembly queues can grow to the total
number of mbufs in the system, at which point all network
traffic would cease.</p>
<h1>Impact:</h1>
<p>An attacker who can establish concurrent TCP connections
across a sufficient number of VNETs and manipulate the
inbound packet streams such that the maximum number of mbufs
are enqueued on each reassembly queue can cause mbuf cluster
exhaustion on the target system, resulting in a Denial of
Service condition.</p>
<p>As the default per-VNET limit on the number of segments
that can belong to reassembly queues is 1/16 of the total
number of mbuf clusters in the system, only systems that
have 16 or more VNET instances are vulnerable.</p>
</body>
</description>
<references>
<cvename>CVE-2015-1417</cvename>
<freebsdsa>SA-15:15.tcp</freebsdsa>
</references>
<dates>
<discovery>2015-07-28</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0c6759dd-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- shell injection vulnerability in patch(1)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.1</ge><lt>10.1_16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Due to insufficient sanitization of the input patch
stream, it is possible for a patch file to cause patch(1)
to run commands in addition to the desired SCCS or RCS
commands.</p>
<h1>Impact:</h1>
<p>This issue could be exploited to execute arbitrary
commands as the user invoking patch(1) against a specially
crafted patch file, which could be leveraged to obtain
elevated privileges.</p>
</body>
</description>
<references>
<cvename>CVE-2015-1416</cvename>
<freebsdsa>SA-15:14.bsdpatch</freebsdsa>
</references>
<dates>
<discovery>2015-07-28</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0c064c43-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Resource exhaustion due to sessions stuck in LAST_ACK state</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.1</ge><lt>10.1_15</lt></range>
<range><ge>9.3</ge><lt>9.3_20</lt></range>
<range><ge>8.4</ge><lt>8.4_34</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>TCP connections transitioning to the LAST_ACK state can
become permanently stuck due to mishandling of protocol
state in certain situations, which in turn can lead to
accumulated consumption and eventual exhaustion of system
resources, such as mbufs and sockets.</p>
<h1>Impact:</h1>
<p>An attacker who can repeatedly establish TCP connections
to a victim system (for instance, a Web server) could create
many TCP connections that are stuck in LAST_ACK state and
cause resource exhaustion, resulting in a denial of service
condition. This may also happen in normal operation where
no intentional attack is conducted, but an attacker who can
send specifically crafted packets can trigger this more
reliably.</p>
</body>
</description>
<references>
<cvename>CVE-2015-5358</cvename>
<freebsdsa>SA-15:13.tcp</freebsdsa>
</references>
<dates>
<discovery>2015-07-21</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0bb55a18-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Denial of Service with IPv6 Router Advertisements</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.1</ge><lt>10.1_9</lt></range>
<range><ge>9.3</ge><lt>9.3_13</lt></range>
<range><ge>8.4</ge><lt>8.4_27</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The Neighbor Discovery Protocol allows a local router to
advertise a suggested Current Hop Limit value for a link,
which will replace the Current Hop Limit on an interface connected
to that link on the FreeBSD system.</p>
<h1>Impact:</h1>
<p>When the Current Hop Limit (similar to IPv4's TTL) is
small, IPv6 packets may get dropped before they reach
their destinations.</p>
<p>By sending specifically crafted Router Advertisement
packets, an attacker on the local network can cause the
FreeBSD system to lose the ability to communicate with
another IPv6 node on a different network.</p>
</body>
</description>
<references>
<cvename>CVE-2015-2923</cvename>
<freebsdsa>SA-15:09.ipv6</freebsdsa>
</references>
<dates>
<discovery>2015-04-07</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0b65f297-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Insecure default GELI keyfile permissions</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.1</ge><lt>10.1_9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The default permission set by bsdinstall(8) installer
when configuring full disk encrypted ZFS is too open.</p>
<h1>Impact:</h1>
<p>A local attacker may be able to get a copy of the geli(8)
provider's keyfile, which is stored at a fixed location.</p>
</body>
</description>
<references>
<cvename>CVE-2015-1415</cvename>
<freebsdsa>SA-15:08.bsdinstall</freebsdsa>
</references>
<dates>
<discovery>2015-04-07</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0afe8b29-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Integer overflow in IGMP protocol</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.1</ge><lt>10.1_9</lt></range>
<range><ge>9.3</ge><lt>9.3_13</lt></range>
<range><ge>8.4</ge><lt>8.4_27</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>An integer overflow in computing the size of IGMPv3 data
buffer can result in a buffer which is too small for the
requested operation.</p>
<h1>Impact:</h1>
<p>An attacker who can send specifically crafted IGMP packets
could cause a denial of service situation by causing the
kernel to crash.</p>
</body>
</description>
<references>
<cvename>CVE-2015-1414</cvename>
<freebsdsa>SA-15:04.igmp</freebsdsa>
</references>
<dates>
<discovery>2015-02-25</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0aad3ce5-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- SCTP stream reset vulnerability</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.1</ge><lt>10.1_5</lt></range>
<range><ge>10.0</ge><lt>10.0_17</lt></range>
<range><ge>9.3</ge><lt>9.3_9</lt></range>
<range><ge>8.4</ge><lt>8.4_23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The input validation of received SCTP RE_CONFIG chunks
is insufficient, and can result in a NULL pointer dereference
later.</p>
<h1>Impact:</h1>
<p>A remote attacker who can send a malformed SCTP packet
to a FreeBSD system that serves SCTP can cause a kernel
panic, resulting in a Denial of Service.</p>
</body>
</description>
<references>
<cvename>CVE-2014-8613</cvename>
<freebsdsa>SA-15:03.sctp</freebsdsa>
</references>
<dates>
<discovery>2015-01-27</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="0a5cf6d8-600a-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- SCTP SCTP_SS_VALUE kernel memory corruption and disclosure</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.1</ge><lt>10.1_5</lt></range>
<range><ge>10.0</ge><lt>10.0_17</lt></range>
<range><ge>9.3</ge><lt>9.3_9</lt></range>
<range><ge>8.4</ge><lt>8.4_23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Due to insufficient validation of the SCTP stream ID,
which serves as an array index, a local unprivileged attacker
can read or write 16 bits of kernel memory.</p>
<h1>Impact:</h1>
<p>An unprivileged process can read or modify 16 bits of
memory which belongs to the kernel. This may lead to
exposure of sensitive information or allow privilege
escalation.</p>
</body>
</description>
<references>
<cvename>CVE-2014-8612</cvename>
<freebsdsa>SA-15:02.kmem</freebsdsa>
</references>
<dates>
<discovery>2015-01-27</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="74ded00e-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Buffer overflow in stdio</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.1</ge><lt>10.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A programming error in the standard I/O library's
__sflush() function could erroneously adjust the buffered
stream's internal state even when no write actually occurred,
in the case where the write(2) system call returns an error.</p>
<h1>Impact:</h1>
<p>The accounting mismatch would accumulate if the caller
does not check the stream status, and will eventually lead
to a heap buffer overflow.</p>
<p>Such overflows may lead to data corruption or the execution
of arbitrary code at the privilege level of the calling
program.</p>
</body>
</description>
<references>
<cvename>CVE-2014-8611</cvename>
<freebsdsa>SA-14:27.stdio</freebsdsa>
</references>
<dates>
<discovery>2014-12-10</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="7488378d-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Remote command execution in ftp(1)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.0</ge><lt>10.0_12</lt></range>
<range><ge>9.3</ge><lt>9.3_5</lt></range>
<range><ge>9.2</ge><lt>9.2_15</lt></range>
<range><ge>9.1</ge><lt>9.1_22</lt></range>
<range><ge>8.4</ge><lt>8.4_19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A malicious HTTP server could cause ftp(1) to execute
arbitrary commands.</p>
<h1>Impact:</h1>
<p>When operating on HTTP URIs, the ftp(1) client follows
HTTP redirects, and uses the part of the path after the
last '/' from the last resource it accesses as the output
filename if '-o' is not specified.</p>
<p>If the output file name provided by the server begins
with a pipe ('|'), the output is passed to popen(3), which
might be used to execute arbitrary commands on the ftp(1)
client machine.</p>
</body>
</description>
<references>
<cvename>CVE-2014-8517</cvename>
<freebsdsa>SA-14:26.ftp</freebsdsa>
</references>
<dates>
<discovery>2014-11-04</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="74389f22-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Kernel stack disclosure in setlogin(2) / getlogin(2)</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.0</ge><lt>10.0_12</lt></range>
<range><ge>9.3</ge><lt>9.3_5</lt></range>
<range><ge>9.2</ge><lt>9.2_15</lt></range>
<range><ge>9.1</ge><lt>9.1_22</lt></range>
<range><ge>8.4</ge><lt>8.4_19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When setlogin(2) is called while setting up a new login
session, the login name is copied into an uninitialized
stack buffer, which is then copied into a buffer of the
same size in the session structure. The getlogin(2) system
call returns the entire buffer rather than just the portion
occupied by the login name associated with the session.</p>
<h1>Impact:</h1>
<p>An unprivileged user can access this memory by calling
getlogin(2) and reading beyond the terminating NUL character
of the resulting string. Up to 16 (FreeBSD 8) or 32 (FreeBSD
9 and 10) bytes of kernel memory may be leaked in this
manner for each invocation of setlogin(2).</p>
<p>This memory may contain sensitive information, such as
portions of the file cache or terminal buffers, which an
attacker might leverage to obtain elevated privileges.</p>
</body>
</description>
<references>
<cvename>CVE-2014-8476</cvename>
<freebsdsa>SA-14:25.setlogin</freebsdsa>
</references>
<dates>
<discovery>2014-11-04</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="73e9a137-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Denial of service attack against sshd(8)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.0</ge><lt>10.0_12</lt></range>
<range><ge>9.2</ge><lt>9.2_15</lt></range>
<range><ge>9.1</ge><lt>9.1_22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Although OpenSSH is not multithreaded, when OpenSSH is
compiled with Kerberos support, the Heimdal libraries bring
in the POSIX thread library as a dependency. Due to incorrect
library ordering while linking sshd(8), symbols in the C
library which are shadowed by the POSIX thread library may
not be resolved correctly at run time.</p>
<p>Note that this problem is specific to the FreeBSD build
system and does not affect other operating systems or the
version of OpenSSH available from the FreeBSD ports tree.</p>
<h1>Impact:</h1>
<p>An incorrectly linked sshd(8) child process may deadlock
while handling an incoming connection. The connection may
then time out or be interrupted by the client, leaving the
deadlocked sshd(8) child process behind. Eventually, the
sshd(8) parent process stops accepting new connections.</p>
<p>An attacker may take advantage of this by repeatedly
connecting and then dropping the connection after having
begun, but not completed, the authentication process.</p>
</body>
</description>
<references>
<cvename>CVE-2014-8475</cvename>
<freebsdsa>SA-14:24.sshd</freebsdsa>
</references>
<dates>
<discovery>2014-11-04</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="73964eac-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- memory leak in sandboxed namei lookup</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.0</ge><lt>10.0_10</lt></range>
<range><ge>9.3</ge><lt>9.3_3</lt></range>
<range><ge>9.2</ge><lt>9.2_13</lt></range>
<range><ge>9.1</ge><lt>9.1_20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The namei facility will leak a small amount of kernel
memory every time a sandboxed process looks up a nonexistent
path name.</p>
<h1>Impact:</h1>
<p>A remote attacker that can cause a sandboxed process
(for instance, a web server) to look up a large number of
nonexistent path names can cause memory exhaustion.</p>
</body>
</description>
<references>
<cvename>CVE-2014-3711</cvename>
<freebsdsa>SA-14:22.namei</freebsdsa>
</references>
<dates>
<discovery>2014-10-21</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="734233f4-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- routed(8) remote denial of service vulnerability</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.0</ge><lt>10.0_10</lt></range>
<range><ge>9.3</ge><lt>9.3_3</lt></range>
<range><ge>9.2</ge><lt>9.2_13</lt></range>
<range><ge>9.1</ge><lt>9.1_20</lt></range>
<range><ge>8.4</ge><lt>8.4_17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The input path in routed(8) will accept queries from any
source and attempt to answer them. However, the output path
assumes that the destination address for the response is
on a directly connected network.</p>
<h1>Impact:</h1>
<p>Upon receipt of a query from a source which is not on a
directly connected network, routed(8) will trigger an
assertion and terminate. The affected system's routing table
will no longer be updated. If the affected system is a
router, its routes will eventually expire from other routers'
routing tables, and its networks will no longer be reachable
unless they are also connected to another router.</p>
</body>
</description>
<references>
<cvename>CVE-2014-3955</cvename>
<freebsdsa>SA-14:21.routed</freebsdsa>
</references>
<dates>
<discovery>2014-10-21</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="72ee7111-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- rtsold(8) remote buffer overflow vulnerability</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.0</ge><lt>10.0_10</lt></range>
<range><ge>9.3</ge><lt>9.3_3</lt></range>
<range><ge>9.2</ge><lt>9.2_13</lt></range>
<range><ge>9.1</ge><lt>9.1_20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Due to a missing length check in the code that handles
DNS parameters, a malformed router advertisement message
can result in a stack buffer overflow in rtsold(8).</p>
<h1>Impact:</h1>
<p>Receipt of a router advertisement message with a malformed
DNSSL option, for instance from a compromised host on the
same network, can cause rtsold(8) to crash.</p>
<p>While it is theoretically possible to inject code into
rtsold(8) through malformed router advertisement messages,
it is normally compiled with stack protection enabled,
rendering such an attack extremely difficult.</p>
<p>When rtsold(8) crashes, the existing DNS configuration
will remain in force, and the kernel will continue to receive
and process periodic router advertisements.</p>
</body>
</description>
<references>
<cvename>CVE-2014-3954</cvename>
<freebsdsa>SA-14:20.rtsold</freebsdsa>
</references>
<dates>
<discovery>2014-10-21</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="729c4a9f-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Denial of Service in TCP packet processing</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.0</ge><lt>10.0_9</lt></range>
<range><ge>9.3</ge><lt>9.3_2</lt></range>
<range><ge>9.2</ge><lt>9.2_12</lt></range>
<range><ge>9.1</ge><lt>9.1_19</lt></range>
<range><ge>8.4</ge><lt>8.4_16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When a segment with the SYN flag for an already existing
connection arrives, the TCP stack tears down the connection,
bypassing a check that the sequence number in the segment
is in the expected window.</p>
<h1>Impact:</h1>
<p>An attacker who has the ability to spoof IP traffic can
tear down a TCP connection by sending only 2 packets, if
they know both TCP port numbers. In case one of the two
port numbers is unknown, a successful attack requires less
than 2**17 packets spoofed, which can be generated within
less than a second on a decent connection to the Internet.</p>
</body>
</description>
<references>
<cvename>CVE-2004-0230</cvename>
<freebsdsa>SA-14:19.tcp</freebsdsa>
</references>
<dates>
<discovery>2014-09-16</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="7240de58-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Kernel memory disclosure in control messages and SCTP</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.0</ge><lt>10.0_7</lt></range>
<range><ge>9.2</ge><lt>9.2_10</lt></range>
<range><ge>9.1</ge><lt>9.1_17</lt></range>
<range><ge>8.4</ge><lt>8.4_14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The buffer between the control message header and data may not
be completely initialized before being copied to userland.
[CVE-2014-3952]</p>
<p>Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO,
have implicit padding that may not be completely initialized
before being copied to userland. In addition, three SCTP
notifications, SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR and
SCTP_AUTHENTICATION_EVENT, have padding in the returning
data structure that may not be completely initialized before
being copied to userland. [CVE-2014-3953]</p>
<h1>Impact:</h1>
<p>An unprivileged local process may be able to retrieve
a portion of kernel memory.</p>
<p>For the generic control message, the process may be able
to retrieve a maximum of 4 bytes of kernel memory.</p>
<p>For SCTP, the process may be able to retrieve 2 bytes
of kernel memory for all three control messages, plus 92
bytes for SCTP_SNDRCV and 76 bytes for SCTP_EXTRCV. If the
local process is permitted to receive SCTP notifications, a
maximum of 112 bytes of kernel memory may be returned to
userland.</p>
<p>This information might be directly useful, or it might
be leveraged to obtain elevated privileges in some way. For
example, a terminal buffer might include a user-entered
password.</p>
</body>
</description>
<references>
<cvename>CVE-2014-3952</cvename>
<cvename>CVE-2014-3953</cvename>
<freebsdsa>SA-14:17.kmem</freebsdsa>
</references>
<dates>
<discovery>2014-07-08</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="70140f20-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Multiple vulnerabilities in file(1) and libmagic(3)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.0</ge><lt>10.0_6</lt></range>
<range><ge>9.2</ge><lt>9.2_9</lt></range>
<range><ge>9.1</ge><lt>9.1_16</lt></range>
<range><ge>8.4</ge><lt>8.4_13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A specifically crafted Composite Document File (CDF)
file can trigger an out-of-bounds read or an invalid pointer
dereference. [CVE-2012-1571]</p>
<p>A flawed regular expression in the awk script detector
makes use of multiple wildcards with unlimited repetitions.
[CVE-2013-7345]</p>
<p>A malicious input file could trigger infinite recursion
in libmagic(3). [CVE-2014-1943]</p>
<p>A specifically crafted Portable Executable (PE) can
trigger an out-of-bounds read. [CVE-2014-2270]</p>
<h1>Impact:</h1>
<p>An attacker who can cause file(1), or any other application
using the libmagic(3) library, to be run on a maliciously
constructed input can cause the application to crash or consume
excessive CPU resources, resulting in a denial-of-service.</p>
</body>
</description>
<references>
<cvename>CVE-2012-1571</cvename>
<cvename>CVE-2013-7345</cvename>
<cvename>CVE-2014-1943</cvename>
<cvename>CVE-2014-2270</cvename>
<freebsdsa>SA-14:16.file</freebsdsa>
</references>
<dates>
<discovery>2014-06-24</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="6f91a709-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- iconv(3) NULL pointer dereference and out-of-bounds array access</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.0</ge><lt>10.0_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A NULL pointer dereference in the initialization code
of the HZ module and an out of bounds array access in the
initialization code of the VIQR module make iconv_open(3)
calls involving HZ or VIQR result in an application crash.</p>
<h1>Impact:</h1>
<p>Services where an attacker can control the arguments of
an iconv_open(3) call can be caused to crash resulting in
a denial-of-service. For example, an email encoded in HZ
may cause an email delivery service to crash if it converts
emails to a more generic encoding like UTF-8 before applying
filtering rules.</p>
</body>
</description>
<references>
<cvename>CVE-2014-3951</cvename>
<freebsdsa>SA-14:15.iconv</freebsdsa>
</references>
<dates>
<discovery>2014-06-24</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="6e8f9003-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Incorrect error handling in PAM policy parser</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>9.2</ge><lt>9.2_7</lt></range>
<range><ge>10.0</ge><lt>10.0_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The OpenPAM library searches for policy definitions in
several locations. While doing so, the absence of a policy
file is a soft failure (handled by searching in the next
location) while the presence of an invalid file is a hard
failure (handled by returning an error to the caller).</p>
<p>The policy parser returns the same error code (ENOENT)
when a syntactically valid policy references a non-existent
module as when the requested policy file does not exist.
The search loop regards this as a soft failure and looks
for the next similarly-named policy, without discarding the
partially-loaded configuration.</p>
<p>A similar issue can arise if a policy contains an include
directive that refers to a non-existent policy.</p>
<h1>Impact:</h1>
<p>If a module is removed, or the name of a module is
misspelled in the policy file, the PAM library will proceed
with a partially loaded configuration. Depending on the
exact circumstances, this may result in a fail-open scenario
where users are allowed to log in without a password, or
with an incorrect password.</p>
<p>In particular, if a policy references a module installed
by a package or port, and that package or port is being
reinstalled or upgraded, there is a brief window of time
during which the module is absent and policies that use it
may fail open. This can be especially damaging to Internet-facing
SSH servers, which are regularly subjected to brute-force
scans.</p>
</body>
</description>
<references>
<cvename>CVE-2014-3879</cvename>
<freebsdsa>SA-14:13.pam</freebsdsa>
</references>
<dates>
<discovery>2014-06-03</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="6e04048b-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- ktrace kernel memory disclosure</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>9.2</ge><lt>9.2_7</lt></range>
<range><ge>9.1</ge><lt>9.1_14</lt></range>
<range><ge>8.4</ge><lt>8.4_11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Due to an overlooked merge to -STABLE branches, the size
for page fault kernel trace entries was set incorrectly.</p>
<h1>Impact:</h1>
<p>A user who can enable kernel process tracing could end
up reading the contents of kernel memory.</p>
<p>Such memory might contain sensitive information, such
as portions of the file cache or terminal buffers. This
information might be directly useful, or it might be leveraged
to obtain elevated privileges in some way; for example, a
terminal buffer might include a user-entered password.</p>
</body>
</description>
<references>
<cvename>CVE-2014-3873</cvename>
<freebsdsa>SA-14:12.ktrace</freebsdsa>
</references>
<dates>
<discovery>2014-06-03</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="6d9eadaf-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- sendmail improper close-on-exec flag handling</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.0</ge><lt>10.0_4</lt></range>
<range><ge>9.2</ge><lt>9.2_7</lt></range>
<range><ge>9.1</ge><lt>9.1_14</lt></range>
<range><ge>8.4</ge><lt>8.4_11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>There is a programming error in sendmail(8) that prevented
open file descriptors from having close-on-exec properly set.
Consequently a subprocess will be able to access all open
files that the parent process has open.</p>
<h1>Impact:</h1>
<p>A local user who can execute their own program for mail
delivery will be able to interfere with an open SMTP
connection.</p>
</body>
</description>
<references>
<freebsdsa>SA-14:11.sendmail</freebsdsa>
</references>
<dates>
<discovery>2014-06-03</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="6d472244-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- TCP reassembly vulnerability</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>8.4</ge><lt>8.4_9</lt></range>
<range><ge>8.3</ge><lt>8.3_16</lt></range>
<range><ge>9.2</ge><lt>9.2_5</lt></range>
<range><ge>9.1</ge><lt>9.1_12</lt></range>
<range><ge>10.0</ge><lt>10.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>FreeBSD may add a reassembly queue entry located on the stack
into the segment list when the reassembly queue reaches its
limit. The memory from the stack is undefined after the
function returns. Subsequent iterations of the reassembly
function will attempt to access this entry.</p>
<h1>Impact:</h1>
<p>An attacker who can send a series of specifically crafted
packets on a connection could cause a denial of service
situation by causing the kernel to crash.</p>
<p>Additionally, because the undefined on-stack memory may
be overwritten by other kernel threads, while extremely
difficult, it may be possible for an attacker to construct
a carefully crafted attack to obtain a portion of kernel
memory via a connected socket. This may result in the
disclosure of sensitive information such as login credentials,
etc. before or even without crashing the system.</p>
</body>
</description>
<references>
<cvename>CVE-2014-3000</cvename>
<freebsdsa>SA-14:08.tcp</freebsdsa>
</references>
<dates>
<discovery>2014-04-30</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="6b6ca5b6-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- devfs rules not applied by default for jails</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>10.0</ge><lt>10.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The default devfs rulesets are not loaded on boot, even
when jails are used. Device nodes will be created in the
jail with their normal default access permissions, while
most of them should be hidden and inaccessible.</p>
<h1>Impact:</h1>
<p>Jailed processes can get access to restricted resources
on the host system. For jailed processes running with
superuser privileges this implies access to all devices on
the system. This level of access could lead to information
leakage and privilege escalation.</p>
</body>
</description>
<references>
<cvename>CVE-2014-3001</cvename>
<freebsdsa>SA-14:07.devfs</freebsdsa>
</references>
<dates>
<discovery>2014-04-30</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="6a384960-6007-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Deadlock in the NFS server</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.0</ge><lt>10.0_1</lt></range>
<range><ge>9.2</ge><lt>9.2_4</lt></range>
<range><ge>9.1</ge><lt>9.1_11</lt></range>
<range><ge>8.4</ge><lt>8.4_8</lt></range>
<range><ge>8.3</ge><lt>8.3_15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The kernel holds a lock over the source directory vnode
while trying to convert the target directory file handle
to a vnode, which needs to be returned with the lock held,
too. This order may be in violation of normal lock order,
which in conjunction with other threads that grab locks in
the right order, constitutes a deadlock condition because
no thread can proceed.</p>
<h1>Impact:</h1>
<p>An attacker on a trusted client could cause the NFS
server to become deadlocked, resulting in a denial of service.</p>
</body>
</description>
<references>
<cvename>CVE-2014-1453</cvename>
<freebsdsa>SA-14:05.nfsserver</freebsdsa>
</references>
<dates>
<discovery>2014-04-08</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="4c96ecf2-5fd9-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- bsnmpd remote denial of service vulnerability</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>9.2</ge><lt>9.2_3</lt></range>
<range><ge>9.1</ge><lt>9.1_10</lt></range>
<range><ge>8.4</ge><lt>8.4_7</lt></range>
<range><ge>8.3</ge><lt>8.3_14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The bsnmpd(8) daemon is prone to a stack-based
buffer-overflow when it has received a specifically crafted
GETBULK PDU request.</p>
<h1>Impact:</h1>
<p>This issue could be exploited to execute arbitrary code in
the context of the service daemon, or crash the service daemon,
causing a denial-of-service.</p>
</body>
</description>
<references>
<cvename>CVE-2014-1452</cvename>
<freebsdsa>SA-14:01.bsnmpd</freebsdsa>
</references>
<dates>
<discovery>2014-01-14</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="ca16fd0b-5fd1-11e6-a6f2-6cc21735f730">
<topic>PostgreSQL -- Denial-of-Service and Code Injection Vulnerabilities</topic>
<affects>
<package>
<name>postgresql91-server</name>
<range><ge>9.1.0</ge><lt>9.1.23</lt></range>
</package>
<package>
<name>postgresql92-server</name>
<range><ge>9.2.0</ge><lt>9.2.18</lt></range>
</package>
<package>
<name>postgresql93-server</name>
<range><ge>9.3.0</ge><lt>9.3.11</lt></range>
</package>
<package>
<name>postgresql94-server</name>
<range><ge>9.4.0</ge><lt>9.4.9</lt></range>
</package>
<package>
<name>postgresql95-server</name>
<range><ge>9.5.0</ge><lt>9.5.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PostgreSQL project reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1688/">
<p>
Security Fixes: nested CASE expressions +
database and role names with embedded special characters
</p>
<ul>
<li>CVE-2016-5423: certain nested CASE expressions can cause the
server to crash.
</li>
<li>CVE-2016-5424: database and role names with embedded special
characters can allow code injection during administrative operations
like pg_dumpall.
</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5423</cvename>
<cvename>CVE-2016-5424</cvename>
</references>
<dates>
<discovery>2016-08-11</discovery>
<entry>2016-08-11</entry>
</dates>
</vuln>
<vuln vid="28bf62ef-5e2c-11e6-a15f-00248c0c745d">
<topic>piwik -- XSS vulnerability</topic>
<affects>
<package>
<name>piwik</name>
<range><lt>2.16.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Piwik reports:</p>
<blockquote cite="https://piwik.org/changelog/piwik-2-16-2/">
<p>We have identified and fixed several XSS security issues in this release.</p>
</blockquote>
</body>
</description>
<references>
<url>https://piwik.org/changelog/piwik-2-16-2/</url>
</references>
<dates>
<discovery>2016-08-03</discovery>
<entry>2016-08-09</entry>
</dates>
</vuln>
<vuln vid="7d08e608-5e95-11e6-b334-002590263bf5">
<topic>BIND,Knot,NSD,PowerDNS -- denial of service via oversized zone transfers</topic>
<affects>
<package>
<name>bind99</name>
<range><le>9.9.9P2</le></range>
</package>
<package>
<name>bind910</name>
<range><le>9.10.4P2</le></range>
</package>
<package>
<name>bind911</name>
<range><le>9.11.0.b2</le></range>
</package>
<package>
<name>bind9-devel</name>
<range><le>9.12.0.a.2016.11.02</le></range>
</package>
<package>
<name>knot</name>
<name>knot1</name>
<range><lt>1.6.8</lt></range>
</package>
<package>
<name>knot2</name>
<range><lt>2.3.0</lt></range>
</package>
<package>
<name>nsd</name>
<range><lt>4.1.11</lt></range>
</package>
<package>
<name>powerdns</name>
<range><lt>4.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01390">
<p>DNS protocols were designed with the assumption that a certain
amount of trust could be presumed between the operators of primary
and secondary servers for a given zone. However, in current
practice some organizations have scenarios which require them to
accept zone data from sources that are not fully trusted (for
example: providers of secondary name service). A party who is
allowed to feed data into a zone (e.g. by AXFR, IXFR, or Dynamic DNS
updates) can overwhelm the server which is accepting data by
intentionally or accidentally exhausting that server's memory.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6170</cvename>
<cvename>CVE-2016-6171</cvename>
<cvename>CVE-2016-6172</cvename>
<cvename>CVE-2016-6173</cvename>
<url>https://kb.isc.org/article/AA-01390</url>
<mlist>http://www.openwall.com/lists/oss-security/2016/07/06/4</mlist>
</references>
<dates>
<discovery>2016-07-06</discovery>
<entry>2016-08-10</entry>
<modified>2017-04-24</modified>
</dates>
</vuln>
<vuln vid="dd48d9b9-5e7e-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Kernel memory disclosure in sctp(4)</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>9.1</ge><lt>9.1_6</lt></range>
<range><ge>8.4</ge><lt>8.4_3</lt></range>
<range><ge>8.3</ge><lt>8.3_10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem Description:</p>
<p>When initializing the SCTP state cookie being sent in INIT-ACK chunks,
a buffer allocated from the kernel stack is not completely initialized.</p>
<p>Impact:</p>
<p>Fragments of kernel memory may be included in SCTP packets and
transmitted over the network. For each SCTP session, there are two
separate instances in which a 4-byte fragment may be transmitted.</p>
<p>This memory might contain sensitive information, such as portions of the
file cache or terminal buffers. This information might be directly
useful, or it might be leveraged to obtain elevated privileges in
some way. For example, a terminal buffer might include a user-entered
password.</p>
</body>
</description>
<references>
<freebsdsa>SA-13:10.sctp</freebsdsa>
<cvename>CVE-2013-5209</cvename>
</references>
<dates>
<discovery>2013-08-22</discovery>
<entry>2016-08-09</entry>
</dates>
</vuln>
<vuln vid="0844632f-5e78-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- integer overflow in IP_MSFILTER</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>9.1</ge><lt>9.1_6</lt></range>
<range><ge>8.4</ge><lt>8.4_3</lt></range>
<range><ge>8.3</ge><lt>8.3_10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem Description:</p>
<p>An integer overflow in computing the size of a temporary
buffer can result in a buffer which is too small for the requested
operation.</p>
<p>Impact:</p>
<p>An unprivileged process can read or write pages of memory
which belong to the kernel. These may lead to exposure of sensitive
information or allow privilege escalation.</p>
</body>
</description>
<references>
<cvename>CVE-2013-3077</cvename>
<freebsdsa>SA-13:09.ip_multicast</freebsdsa>
</references>
<dates>
<discovery>2013-08-22</discovery>
<entry>2016-08-09</entry>
</dates>
</vuln>
<vuln vid="e5d2442d-5e76-11e6-a6c3-14dae9d210b8">
<topic>FreeBSD -- Incorrect privilege validation in the NFS server</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>9.1</ge><lt>9.1_5</lt></range>
<range><ge>8.3</ge><lt>8.3_9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem Description:</p>
<p>The kernel incorrectly uses client-supplied credentials
instead of the ones configured in exports(5) when filling out the
anonymous credential for an NFS export, when -network or -host
restrictions are used at the same time.</p>
<p>Impact:</p>
<p>The remote client may supply privileged credentials (e.g. the
root user) when accessing a file under the NFS share, which will bypass
the normal access checks.</p>
</body>
</description>
<references>
<cvename>CVE-2013-4851</cvename>
<freebsdsa>SA-13:08.nfsserver</freebsdsa>
</references>
<dates>
<discovery>2013-07-06</discovery>
<entry>2016-08-09</entry>
</dates>
</vuln>
<vuln vid="6da45e38-5b55-11e6-8859-000c292ee6b8">
<topic>collectd -- Network plugin heap overflow</topic>
<affects>
<package>
<name>collectd5</name>
<range><lt>5.5.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The collectd Project reports:</p>
<blockquote cite="http://collectd.org/news.shtml#news98">
<p>Emilien Gaspar has identified a heap overflow in collectd's
network plugin which can be triggered remotely and is potentially
exploitable.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6254</cvename>
<url>http://collectd.org/news.shtml#news98</url>
</references>
<dates>
<discovery>2016-07-26</discovery>
<entry>2016-08-05</entry>
</dates>
</vuln>
<vuln vid="3ddcb42b-5b78-11e6-b334-002590263bf5">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle28</name>
<range><le>2.8.12</le></range>
</package>
<package>
<name>moodle29</name>
<range><lt>2.9.7</lt></range>
</package>
<package>
<name>moodle30</name>
<range><lt>3.0.5</lt></range>
</package>
<package>
<name>moodle31</name>
<range><lt>3.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Marina Glancy reports:</p>
<blockquote cite="https://moodle.org/security/">
<ul>
<li><p>MSA-16-0019: Glossary search displays entries without
checking user permissions to view them</p></li>
<li><p>MSA-16-0020: Text injection in email headers</p></li>
<li><p>MSA-16-0021: Unenrolled user still receives event monitor
notifications even though they can no longer access course</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5012</cvename>
<cvename>CVE-2016-5013</cvename>
<cvename>CVE-2016-5014</cvename>
<url>https://moodle.org/security/</url>
</references>
<dates>
<discovery>2016-07-19</discovery>
<entry>2016-08-06</entry>
</dates>
</vuln>
<vuln vid="7a31e0de-5b6d-11e6-b334-002590263bf5">
<topic>bind -- denial of service vulnerability</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.9P2</lt></range>
</package>
<package>
<name>bind910</name>
<range><lt>9.10.4P2</lt></range>
</package>
<package>
<name>bind911</name>
<range><lt>9.11.0.b2</lt></range>
</package>
<package>
<name>bind9-devel</name>
<range><lt>9.12.0.a.2016.07.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01393">
<p>A query name which is too long can cause a segmentation fault in
lwresd.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2775</cvename>
<url>https://kb.isc.org/article/AA-01393</url>
</references>
<dates>
<discovery>2016-07-18</discovery>
<entry>2016-08-06</entry>
</dates>
</vuln>
<vuln vid="610101ea-5b6a-11e6-b334-002590263bf5">
<topic>wireshark -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wireshark</name>
<name>wireshark-lite</name>
<name>wireshark-qt5</name>
<name>tshark</name>
<name>tshark-lite</name>
<range><lt>2.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark development team reports:</p>
<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.5.html">
<p>The following vulnerabilities have been fixed:</p>
<ul>
<li><p>wnpa-sec-2016-41</p>
<p>PacketBB crash. (Bug 12577)</p></li>
<li><p>wnpa-sec-2016-42</p>
<p>WSP infinite loop. (Bug 12594)</p></li>
<li><p>wnpa-sec-2016-44</p>
<p>RLC long loop. (Bug 12660)</p></li>
<li><p>wnpa-sec-2016-45</p>
<p>LDSS dissector crash. (Bug 12662)</p></li>
<li><p>wnpa-sec-2016-46</p>
<p>RLC dissector crash. (Bug 12664)</p></li>
<li><p>wnpa-sec-2016-47</p>
<p>OpenFlow long loop. (Bug 12659)</p></li>
<li><p>wnpa-sec-2016-48</p>
<p>MMSE, WAP, WBXML, and WSP infinite loop. (Bug 12661)</p></li>
<li><p>wnpa-sec-2016-49</p>
<p>WBXML crash. (Bug 12663)</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6505</cvename>
<cvename>CVE-2016-6506</cvename>
<cvename>CVE-2016-6508</cvename>
<cvename>CVE-2016-6509</cvename>
<cvename>CVE-2016-6510</cvename>
<cvename>CVE-2016-6511</cvename>
<cvename>CVE-2016-6512</cvename>
<cvename>CVE-2016-6513</cvename>
<url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.5.html</url>
<url>http://www.openwall.com/lists/oss-security/2016/08/01/4</url>
</references>
<dates>
<discovery>2016-07-27</discovery>
<entry>2016-08-06</entry>
</dates>
</vuln>
<vuln vid="3e08047f-5a6c-11e6-a6c3-14dae9d210b8">
<topic>p5-XSLoader -- local arbitrary code execution</topic>
<affects>
<package>
<name>p5-XSLoader</name>
<range><lt>0.22</lt></range>
</package>
<package>
<name>perl5</name>
<name>perl5.18</name>
<name>perl5.20</name>
<name>perl5.22</name>
<name>perl5.24</name>
<name>perl5-devel</name>
<range><lt>5.18.4_24</lt></range>
<range><ge>5.20</ge><lt>5.20.3_15</lt></range>
<range><ge>5.21</ge><lt>5.22.3.r2</lt></range>
<range><ge>5.23</ge><lt>5.24.1.r2</lt></range>
<range><ge>5.25</ge><lt>5.25.2.87</lt></range>
</package>
<package>
<name>perl</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jakub Wilk reports:</p>
<blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829578">
<p>XSLoader tries to load code from a subdirectory in the cwd when
called inside a string eval.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829578</url>
<cvename>CVE-2016-6185</cvename>
</references>
<dates>
<discovery>2016-06-30</discovery>
<entry>2016-08-04</entry>
<modified>2016-08-22</modified>
</dates>
</vuln>
<vuln vid="72bfbb09-5a6a-11e6-a6c3-14dae9d210b8">
<topic>perl -- local arbitrary code execution</topic>
<affects>
<package>
<name>perl5</name>
<name>perl5.18</name>
<name>perl5.20</name>
<name>perl5.22</name>
<name>perl5.24</name>
<name>perl5-devel</name>
<range><lt>5.18.4_23</lt></range>
<range><ge>5.20</ge><lt>5.20.3_14</lt></range>
<range><ge>5.21</ge><lt>5.22.3.r2</lt></range>
<range><ge>5.23</ge><lt>5.24.1.r2</lt></range>
<range><ge>5.25</ge><lt>5.25.3.18</lt></range>
</package>
<package>
<name>perl</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sawyer X reports:</p>
<blockquote cite="http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html">
<p>Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do
not properly remove . (period) characters from the end of the includes
directory array, which might allow local users to gain privileges via a
Trojan horse module under the current working directory.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html</url>
<cvename>CVE-2016-1238</cvename>
</references>
<dates>
<discovery>2016-07-21</discovery>
<entry>2016-08-04</entry>
<modified>2016-08-22</modified>
</dates>
</vuln>
<vuln vid="556d2286-5a51-11e6-a6c3-14dae9d210b8">
<topic>gd -- multiple vulnerabilities</topic>
<affects>
<package>
<name>gd</name>
<range><lt>2.2.3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Pierre Joye reports:</p>
<blockquote cite="https://github.com/libgd/libgd/releases/tag/gd-2.2.3">
<ul>
<li><p>fix php bug 72339, Integer Overflow in _gd2GetHeader
(CVE-2016-5766)</p></li>
<li><p>gd: Buffer over-read issue when parsing crafted TGA
file (CVE-2016-6132)</p></li>
<li><p>Integer overflow error within _gdContributionsAlloc()
(CVE-2016-6207)</p></li>
<li><p>fix php bug 72494, invalid color index not handled, can
lead to crash (CVE-2016-6128)</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/libgd/libgd/releases/tag/gd-2.2.3</url>
<cvename>CVE-2016-5766</cvename>
<cvename>CVE-2016-6132</cvename>
<cvename>CVE-2016-6207</cvename>
<cvename>CVE-2016-6128</cvename>
</references>
<dates>
<discovery>2016-07-21</discovery>
<entry>2016-08-04</entry>
</dates>
</vuln>
<vuln vid="e4bc70fc-5a2f-11e6-a1bc-589cfc0654e1">
<topic>Vulnerabilities in Curl</topic>
<affects>
<package>
<name>curl</name>
<range><ge>7.32.0</ge><lt>7.50.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Curl security team reports:</p>
<blockquote cite="https://curl.haxx.se/docs/security.html">
<p>CVE-2016-5419 - TLS session resumption client cert bypass</p>
<p>CVE-2016-5420 - Re-using connections with wrong client cert</p>
<p>CVE-2016-5421 - use of connection struct after free</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5419</cvename>
<cvename>CVE-2016-5420</cvename>
<cvename>CVE-2016-5421</cvename>
<url>https://curl.haxx.se/docs/adv_20160803A.html</url>
<url>https://curl.haxx.se/docs/adv_20160803B.html</url>
<url>https://curl.haxx.se/docs/adv_20160803C.html</url>
</references>
<dates>
<discovery>2016-08-03</discovery>
<entry>2016-08-04</entry>
</dates>
</vuln>
<vuln vid="ef0033ad-5823-11e6-80cc-001517f335e2">
<topic>lighttpd -- multiple vulnerabilities</topic>
<affects>
<package>
<name>lighttpd</name>
<range><lt>1.4.41</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Lighttpd Project reports:</p>
<blockquote cite="http://www.lighttpd.net/2016/7/31/1.4.41/">
<p>Security fixes for Lighttpd:</p>
<ul>
<li><p>security: encode quoting chars in HTML and XML</p></li>
<li><p>security: ensure gid != 0 if server.username is set, but not server.groupname</p></li>
<li><p>security: disable stat_cache if server.follow-symlink = “disable”</p></li>
<li><p>security: httpoxy defense: do not emit HTTP_PROXY to CGI env</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.lighttpd.net/2016/7/31/1.4.41/</url>
<freebsdpr>ports/211495</freebsdpr>
</references>
<dates>
<discovery>2016-07-31</discovery>
<entry>2016-08-03</entry>
</dates>
</vuln>
<vuln vid="06574c62-5854-11e6-b334-002590263bf5">
<topic>xen-tools -- virtio: unbounded memory allocation issue</topic>
<affects>
<package>
<name>xen-tools</name>
<range><lt>4.7.0_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-184.html">
<p>A guest can submit virtio requests without bothering to wait for
completion and is therefore not bound by virtqueue size...</p>
<p>A malicious guest administrator can cause unbounded memory
allocation in QEMU, which can cause an Out-of-Memory condition
in the domain running qemu. Thus, a malicious guest administrator
can cause a denial of service affecting the whole host.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5403</cvename>
<freebsdpr>ports/211482</freebsdpr>
<url>http://xenbits.xen.org/xsa/advisory-184.html</url>
</references>
<dates>
<discovery>2016-07-27</discovery>
<entry>2016-08-02</entry>
</dates>
</vuln>
<vuln vid="04cf89e3-5854-11e6-b334-002590263bf5">
<topic>xen-kernel -- x86: Missing SMAP whitelisting in 32-bit exception / event delivery</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><gt>4.5</gt><lt>4.7.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-183.html">
<p>Supervisor Mode Access Prevention is a hardware feature designed
to make an Operating System more robust, by raising a pagefault
rather than accidentally following a pointer into userspace.
However, legitimate accesses into userspace require whitelisting,
and the exception delivery mechanism for 32bit PV guests wasn't
whitelisted.</p>
<p>A malicious 32-bit PV guest kernel can trigger a safety check,
crashing the hypervisor and causing a denial of service to other
VMs on the host.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6259</cvename>
<freebsdpr>ports/211482</freebsdpr>
<url>http://xenbits.xen.org/xsa/advisory-183.html</url>
</references>
<dates>
<discovery>2016-07-26</discovery>
<entry>2016-08-02</entry>
</dates>
</vuln>
<vuln vid="032aa524-5854-11e6-b334-002590263bf5">
<topic>xen-kernel -- x86: Privilege escalation in PV guests</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.7.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-182.html">
<p>The PV pagetable code has fast-paths for making updates to
pre-existing pagetable entries, to skip expensive re-validation
in safe cases (e.g. clearing only Access/Dirty bits). The bits
considered safe were too broad, and not actually safe.</p>
<p>A malicious PV guest administrator can escalate their privilege to
that of the host.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6258</cvename>
<freebsdpr>ports/211482</freebsdpr>
<url>http://xenbits.xen.org/xsa/advisory-182.html</url>
</references>
<dates>
<discovery>2016-07-26</discovery>
<entry>2016-08-02</entry>
</dates>
</vuln>
<vuln vid="cb5189eb-572f-11e6-b334-002590263bf5">
<topic>libidn -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libidn</name>
<range><lt>1.33</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Simon Josefsson reports:</p>
<blockquote cite="https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html">
<p>libidn: Fix out-of-bounds stack read in idna_to_ascii_4i.</p>
<p>idn: Solve out-of-bounds-read when reading one zero byte as input.
Also replaced fgets with getline.</p>
<p>libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8. It was
always documented to only accept UTF-8 data, but now it doesn't
crash when presented with such data.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6261</cvename>
<cvename>CVE-2015-8948</cvename>
<cvename>CVE-2016-6262</cvename>
<cvename>CVE-2016-6263</cvename>
<url>https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html</url>
<url>http://www.openwall.com/lists/oss-security/2016/07/21/4</url>
</references>
<dates>
<discovery>2016-07-20</discovery>
<entry>2016-07-31</entry>
</dates>
</vuln>
<vuln vid="6fb8a90f-c9d5-4d14-b940-aed3d63c2edc">
<topic>The GIMP -- Use after Free vulnerability</topic>
<affects>
<package>
<name>gimp-app</name>
<range><lt>2.8.18,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The GIMP team reports:</p>
<blockquote cite="https://mail.gnome.org/archives/gimp-developer-list/2016-July/msg00020.html">
<p>A Use-after-free vulnerability was found in the xcf_load_image function.</p>
</blockquote>
</body>
</description>
<references>
<url>https://mail.gnome.org/archives/gimp-developer-list/2016-July/msg00020.html</url>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=767873</url>
<cvename>CVE-2016-4994</cvename>
</references>
<dates>
<discovery>2016-06-20</discovery>
<entry>2016-07-19</entry>
</dates>
</vuln>
<vuln vid="cb09a7aa-5344-11e6-a7bd-14dae9d210b8">
<topic>xerces-c3 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>xerces-c3</name>
<range><lt>3.1.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache reports:</p>
<blockquote cite="https://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt">
<p>The Xerces-C XML parser fails to successfully parse a
DTD that is deeply nested, and this causes a stack overflow, which
makes a denial of service attack against many applications possible
by an unauthenticated attacker.</p>
<p>Also, CVE-2016-2099: Use-after-free vulnerability in
validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier
allows context-dependent attackers to have unspecified impact via an
invalid character in an XML document.</p>
</blockquote>
</body>
</description>
<references>
<url>https://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt</url>
<url>http://www.openwall.com/lists/oss-security/2016/05/09/7</url>
<cvename>CVE-2016-2099</cvename>
<cvename>CVE-2016-4463</cvename>
</references>
<dates>
<discovery>2016-05-09</discovery>
<entry>2016-07-26</entry>
</dates>
</vuln>
<vuln vid="b6402385-533b-11e6-a7bd-14dae9d210b8">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php55</name>
<range><lt>5.5.38</lt></range>
</package>
<package>
<name>php56</name>
<range><lt>5.6.24</lt></range>
</package>
<package>
<name>php70</name>
<range><lt>7.0.9</lt></range>
</package>
<package>
<name>php70-curl</name>
<range><lt>7.0.9</lt></range>
</package>
<package>
<name>php55-bz2</name>
<range><lt>5.5.38</lt></range>
</package>
<package>
<name>php56-bz2</name>
<range><lt>5.6.24</lt></range>
</package>
<package>
<name>php70-bz2</name>
<range><lt>7.0.9</lt></range>
</package>
<package>
<name>php55-exif</name>
<range><lt>5.5.38</lt></range>
</package>
<package>
<name>php56-exif</name>
<range><lt>5.6.24</lt></range>
</package>
<package>
<name>php70-exif</name>
<range><lt>7.0.9</lt></range>
</package>
<package>
<name>php55-gd</name>
<range><lt>5.5.38</lt></range>
</package>
<package>
<name>php56-gd</name>
<range><lt>5.6.24</lt></range>
</package>
<package>
<name>php70-gd</name>
<range><lt>7.0.9</lt></range>
</package>
<package>
<name>php70-mcrypt</name>
<range><lt>7.0.9</lt></range>
</package>
<package>
<name>php55-odbc</name>
<range><lt>5.5.38</lt></range>
</package>
<package>
<name>php56-odbc</name>
<range><lt>5.6.24</lt></range>
</package>
<package>
<name>php70-odbc</name>
<range><lt>7.0.9</lt></range>
</package>
<package>
<name>php55-snmp</name>
<range><lt>5.5.38</lt></range>
</package>
<package>
<name>php56-snmp</name>
<range><lt>5.6.24</lt></range>
</package>
<package>
<name>php70-snmp</name>
<range><lt>7.0.9</lt></range>
</package>
<package>
<name>php55-xmlrpc</name>
<range><lt>5.5.38</lt></range>
</package>
<package>
<name>php56-xmlrpc</name>
<range><lt>5.6.24</lt></range>
</package>
<package>
<name>php70-xmlrpc</name>
<range><lt>7.0.9</lt></range>
</package>
<package>
<name>php55-zip</name>
<range><lt>5.5.38</lt></range>
</package>
<package>
<name>php56-zip</name>
<range><lt>5.6.24</lt></range>
</package>
<package>
<name>php70-zip</name>
<range><lt>7.0.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP reports:</p>
<blockquote cite="http://www.php.net/ChangeLog-5.php#5.5.38">
<ul>
<li><p>Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns).</p></li>
<li><p>Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()).</p></li>
<li><p>Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access).</p></li>
<li><p>Fixed bug #72519 (imagegif/output out-of-bounds access).</p></li>
<li><p>Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener).</p></li>
<li><p>Fixed bug #72533 (locale_accept_from_http out-of-bounds access).</p></li>
<li><p>Fixed bug #72541 (size_t overflow lead to heap corruption).</p></li>
<li><p>Fixed bug #72551, bug #72552 (Incorrect casting from size_t to int lead to heap overflow in mdecrypt_generic).</p></li>
<li><p>Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).</p></li>
<li><p>Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications).</p></li>
<li><p>Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).</p></li>
<li><p>Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).</p></li>
<li><p>Fixed bug #72613 (Inadequate error handling in bzread()).</p></li>
<li><p>Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment).</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.php.net/ChangeLog-5.php#5.5.38</url>
<url>http://www.php.net/ChangeLog-5.php#5.6.24</url>
<url>http://www.php.net/ChangeLog-7.php#7.0.9</url>
<url>http://seclists.org/oss-sec/2016/q3/121</url>
<cvename>CVE-2015-8879</cvename>
<cvename>CVE-2016-5385</cvename>
<cvename>CVE-2016-5399</cvename>
<cvename>CVE-2016-6288</cvename>
<cvename>CVE-2016-6289</cvename>
<cvename>CVE-2016-6290</cvename>
<cvename>CVE-2016-6291</cvename>
<cvename>CVE-2016-6292</cvename>
<cvename>CVE-2016-6294</cvename>
<cvename>CVE-2016-6295</cvename>
<cvename>CVE-2016-6296</cvename>
<cvename>CVE-2016-6297</cvename>
</references>
<dates>
<discovery>2016-07-21</discovery>
<entry>2016-07-26</entry>
</dates>
</vuln>
<vuln vid="6fae9fe1-5048-11e6-8aa7-3065ec8fd3ec">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>52.0.2743.82</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://googlechromereleases.blogspot.nl/2016/07/stable-channel-update.html">
<p>48 security fixes in this release, including:</p>
<ul>
<li>[610600] High CVE-2016-1706: Sandbox escape in PPAPI. Credit to
Pinkie Pie xisigr of Tencent's Xuanwu Lab</li>
<li>[613949] High CVE-2016-1708: Use-after-free in Extensions.
Credit to Adam Varsan</li>
<li>[614934] High CVE-2016-1709: Heap-buffer-overflow in sfntly.
Credit to ChenQin of Topsec Security Team</li>
<li>[616907] High CVE-2016-1710: Same-origin bypass in Blink.
Credit to Mariusz Mlynski</li>
<li>[617495] High CVE-2016-1711: Same-origin bypass in Blink.
Credit to Mariusz Mlynski</li>
<li>[618237] High CVE-2016-5127: Use-after-free in Blink. Credit
to cloudfuzzer</li>
<li>[619166] High CVE-2016-5128: Same-origin bypass in V8. Credit
to Anonymous</li>
<li>[620553] High CVE-2016-5129: Memory corruption in V8. Credit to
Jeonghoon Shin</li>
<li>[623319] High CVE-2016-5130: URL spoofing. Credit to Wadih
Matar</li>
<li>[623378] High CVE-2016-5131: Use-after-free in libxml. Credit
to Nick Wellnhofer</li>
<li>[607543] Medium CVE-2016-5132: Limited same-origin bypass in
Service Workers. Credit to Ben Kelly</li>
<li>[613626] Medium CVE-2016-5133: Origin confusion in proxy
authentication. Credit to Patch Eudor</li>
<li>[593759] Medium CVE-2016-5134: URL leakage via PAC script.
Credit to Paul Stone</li>
<li>[605451] Medium CVE-2016-5135: Content-Security-Policy bypass.
Credit to kingxwy</li>
<li>[625393] Medium CVE-2016-5136: Use after free in extensions.
Credit to Rob Wu</li>
<li>[625945] Medium CVE-2016-5137: History sniffing with HSTS and
CSP. Credit to Xiaoyin Liu</li>
<li>[629852] CVE-2016-1705: Various fixes from internal audits,
fuzzing and other initiatives.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1705</cvename>
<cvename>CVE-2016-1706</cvename>
<cvename>CVE-2016-1708</cvename>
<cvename>CVE-2016-1709</cvename>
<cvename>CVE-2016-1710</cvename>
<cvename>CVE-2016-1711</cvename>
<cvename>CVE-2016-5127</cvename>
<cvename>CVE-2016-5128</cvename>
<cvename>CVE-2016-5129</cvename>
<cvename>CVE-2016-5130</cvename>
<cvename>CVE-2016-5131</cvename>
<cvename>CVE-2016-5132</cvename>
<cvename>CVE-2016-5133</cvename>
<cvename>CVE-2016-5134</cvename>
<cvename>CVE-2016-5135</cvename>
<cvename>CVE-2016-5136</cvename>
<cvename>CVE-2016-5137</cvename>
<url>https://googlechromereleases.blogspot.nl/2016/07/stable-channel-update.html</url>
</references>
<dates>
<discovery>2016-07-20</discovery>
<entry>2016-07-22</entry>
</dates>
</vuln>
<vuln vid="62d45229-4fa0-11e6-9d13-206a8a720317">
<topic>krb5 -- KDC denial of service vulnerability</topic>
<affects>
<package>
<name>krb5-113</name>
<range><lt>1.13.6</lt></range>
</package>
<package>
<name>krb5-114</name>
<range><lt>1.14.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Major changes in krb5 1.14.3 and krb5 1.13.6:</p>
<blockquote cite="http://web.mit.edu/kerberos/krb5-1.14/">
<p>Fix a rare KDC denial of service vulnerability when anonymous
client principals are restricted to obtaining TGTs only
[CVE-2016-3120].</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3120</cvename>
<url>http://web.mit.edu/kerberos/krb5-1.14/</url>
</references>
<dates>
<discovery>2016-07-20</discovery>
<entry>2016-07-21</entry>
<modified>2016-07-26</modified>
</dates>
</vuln>
<vuln vid="72f71e26-4f69-11e6-ac37-ac9e174be3af">
<topic>Apache OpenOffice 4.1.2 -- Memory Corruption Vulnerability (Impress Presentations)</topic>
<affects>
<package>
<name>apache-openoffice</name>
<range><lt>4.1.2_8</lt></range>
</package>
<package>
<name>apache-openoffice-devel</name>
<range><lt>4.2.1753426,4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache OpenOffice Project reports:</p>
<blockquote cite="http://www.openoffice.org/security/cves/CVE-2016-1513.html">
<p>An OpenDocument Presentation .ODP or Presentation Template
.OTP file can contain invalid presentation elements that lead
to memory corruption when the document is loaded in Apache
OpenOffice Impress. The defect may cause the document to appear
as corrupted and OpenOffice may crash in a recovery-stuck mode
requiring manual intervention. A crafted exploitation of the
defect can allow an attacker to cause denial of service
(memory corruption and application crash) and possible
execution of arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1513</cvename>
<url>http://www.openoffice.org/security/cves/CVE-2015-4551.html</url>
</references>
<dates>
<discovery>2016-07-17</discovery>
<entry>2016-07-21</entry>
</dates>
</vuln>
<vuln vid="ca5cb202-4f51-11e6-b2ec-b499baebfeaf">
<topic>MySQL -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>mariadb55-server</name>
<range><le>5.5.49</le></range>
</package>
<package>
<name>mariadb100-server</name>
<range><le>10.0.25</le></range>
</package>
<package>
<name>mariadb101-server</name>
<range><le>10.1.14</le></range>
</package>
<package>
<name>mysql55-server</name>
<range><le>5.5.49</le></range>
</package>
<package>
<name>mysql56-server</name>
<range><lt>5.6.30</lt></range>
</package>
<package>
<name>mysql57-server</name>
<range><lt>5.7.12_1</lt></range>
</package>
<package>
<name>percona55-server</name>
<range><le>5.5.49</le></range>
</package>
<package>
<name>percona56-server</name>
<range><le>5.6.30</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Oracle reports:</p>
<blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL">
<p>The quarterly Critical Patch Update contains 22 new security fixes for
Oracle MySQL 5.5.49, 5.6.30, 5.7.13 and earlier.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixMSQL</url>
<cvename>CVE-2016-3477</cvename>
<cvename>CVE-2016-3440</cvename>
<cvename>CVE-2016-2105</cvename>
<cvename>CVE-2016-3471</cvename>
<cvename>CVE-2016-3486</cvename>
<cvename>CVE-2016-3501</cvename>
<cvename>CVE-2016-3518</cvename>
<cvename>CVE-2016-3521</cvename>
<cvename>CVE-2016-3588</cvename>
<cvename>CVE-2016-3615</cvename>
<cvename>CVE-2016-3614</cvename>
<cvename>CVE-2016-5436</cvename>
<cvename>CVE-2016-3459</cvename>
<cvename>CVE-2016-5437</cvename>
<cvename>CVE-2016-3424</cvename>
<cvename>CVE-2016-5439</cvename>
<cvename>CVE-2016-5440</cvename>
<cvename>CVE-2016-5441</cvename>
<cvename>CVE-2016-5442</cvename>
<cvename>CVE-2016-5443</cvename>
<cvename>CVE-2016-5444</cvename>
<cvename>CVE-2016-3452</cvename>
</references>
<dates>
<discovery>2016-07-20</discovery>
<entry>2016-07-21</entry>
<modified>2016-08-08</modified>
</dates>
</vuln>
<vuln vid="3caf4e6c-4cef-11e6-a15f-00248c0c745d">
<topic>typo3 -- Missing access check in Extbase</topic>
<affects>
<package>
<name>typo3</name>
<range><lt>7.6.8</lt></range>
</package>
<package>
<name>typo3-lts</name>
<range><lt>6.2.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>TYPO3 reports:</p>
<blockquote cite="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/">
<p>Extbase request handling fails to implement a proper access check for
requested controller/action combinations, which makes it possible for an
attacker to execute arbitrary Extbase actions by crafting a special request. To
successfully exploit this vulnerability, an attacker must have access to at
least one Extbase plugin or module action in a TYPO3 installation. The missing
access check inevitably leads to information disclosure or remote code
execution, depending on the action that an attacker is able to execute.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5091</cvename>
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-013/</url>
<url>https://wiki.typo3.org/TYPO3_CMS_7.6.8</url>
<url>https://wiki.typo3.org/TYPO3_CMS_6.2.24</url>
</references>
<dates>
<discovery>2016-05-24</discovery>
<entry>2016-07-18</entry>
</dates>
</vuln>
<vuln vid="cf0b5668-4d1b-11e6-b2ec-b499baebfeaf">
<cancelled/>
</vuln>
<vuln vid="00cb1469-4afc-11e6-97ea-002590263bf5">
<topic>atutor -- multiple vulnerabilities</topic>
<affects>
<package>
<name>atutor</name>
<range><lt>2.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ATutor reports:</p>
<blockquote cite="https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2">
<p>Security Fixes: Added a new layer of security over all php
superglobals, fixed several XSS, CSRF, and SQL injection
vulnerabilities.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2</url>
</references>
<dates>
<discovery>2016-07-01</discovery>
<entry>2016-07-16</entry>
</dates>
</vuln>
<vuln vid="ffa8ca79-4afb-11e6-97ea-002590263bf5">
<topic>atutor -- multiple vulnerabilities</topic>
<affects>
<package>
<name>atutor</name>
<range><lt>2.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ATutor reports:</p>
<blockquote cite="https://github.com/atutor/ATutor/releases/tag/atutor_2_2_1">
<p>Security Fixes: A number of minor XSS vulnerabilities discovered in
the previous version of ATutor have been corrected.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/atutor/ATutor/releases/tag/atutor_2_2_1</url>
</references>
<dates>
<discovery>2016-01-30</discovery>
<entry>2016-07-16</entry>
</dates>
</vuln>
<vuln vid="a522d6ac-4aed-11e6-97ea-002590263bf5">
<topic>flash -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.632</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-25.html">
<p>These updates resolve a race condition vulnerability that could
lead to information disclosure (CVE-2016-4247).</p>
<p>These updates resolve type confusion vulnerabilities that could
lead to code execution (CVE-2016-4223, CVE-2016-4224,
CVE-2016-4225).</p>
<p>These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2016-4173, CVE-2016-4174, CVE-2016-4222,
CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229,
CVE-2016-4230, CVE-2016-4231, CVE-2016-4248).</p>
<p>These updates resolve a heap buffer overflow vulnerability that
could lead to code execution (CVE-2016-4249).</p>
<p>These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2016-4172, CVE-2016-4175, CVE-2016-4179,
CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183,
CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187,
CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217,
CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221,
CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236,
CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240,
CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244,
CVE-2016-4245, CVE-2016-4246).</p>
<p>These updates resolve a memory leak vulnerability (CVE-2016-4232).
</p>
<p>These updates resolve stack corruption vulnerabilities that could
lead to code execution (CVE-2016-4176, CVE-2016-4177).</p>
<p>These updates resolve a security bypass vulnerability that could
lead to information disclosure (CVE-2016-4178).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4172</cvename>
<cvename>CVE-2016-4173</cvename>
<cvename>CVE-2016-4174</cvename>
<cvename>CVE-2016-4175</cvename>
<cvename>CVE-2016-4176</cvename>
<cvename>CVE-2016-4177</cvename>
<cvename>CVE-2016-4178</cvename>
<cvename>CVE-2016-4179</cvename>
<cvename>CVE-2016-4180</cvename>
<cvename>CVE-2016-4181</cvename>
<cvename>CVE-2016-4182</cvename>
<cvename>CVE-2016-4183</cvename>
<cvename>CVE-2016-4184</cvename>
<cvename>CVE-2016-4185</cvename>
<cvename>CVE-2016-4186</cvename>
<cvename>CVE-2016-4187</cvename>
<cvename>CVE-2016-4188</cvename>
<cvename>CVE-2016-4189</cvename>
<cvename>CVE-2016-4190</cvename>
<cvename>CVE-2016-4217</cvename>
<cvename>CVE-2016-4218</cvename>
<cvename>CVE-2016-4219</cvename>
<cvename>CVE-2016-4220</cvename>
<cvename>CVE-2016-4221</cvename>
<cvename>CVE-2016-4222</cvename>
<cvename>CVE-2016-4223</cvename>
<cvename>CVE-2016-4224</cvename>
<cvename>CVE-2016-4225</cvename>
<cvename>CVE-2016-4226</cvename>
<cvename>CVE-2016-4227</cvename>
<cvename>CVE-2016-4228</cvename>
<cvename>CVE-2016-4229</cvename>
<cvename>CVE-2016-4230</cvename>
<cvename>CVE-2016-4231</cvename>
<cvename>CVE-2016-4232</cvename>
<cvename>CVE-2016-4233</cvename>
<cvename>CVE-2016-4234</cvename>
<cvename>CVE-2016-4235</cvename>
<cvename>CVE-2016-4236</cvename>
<cvename>CVE-2016-4237</cvename>
<cvename>CVE-2016-4238</cvename>
<cvename>CVE-2016-4239</cvename>
<cvename>CVE-2016-4240</cvename>
<cvename>CVE-2016-4241</cvename>
<cvename>CVE-2016-4242</cvename>
<cvename>CVE-2016-4243</cvename>
<cvename>CVE-2016-4244</cvename>
<cvename>CVE-2016-4245</cvename>
<cvename>CVE-2016-4246</cvename>
<cvename>CVE-2016-4247</cvename>
<cvename>CVE-2016-4248</cvename>
<cvename>CVE-2016-4249</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb16-25.html</url>
</references>
<dates>
<discovery>2016-07-12</discovery>
<entry>2016-07-16</entry>
</dates>
</vuln>
<vuln vid="61b8c359-4aab-11e6-a7bd-14dae9d210b8">
<cancelled superseded="cbceeb49-3bc7-11e6-8e82-002590263bf5"/>
</vuln>
<vuln vid="3159cd70-4aaa-11e6-a7bd-14dae9d210b8">
<topic>libreoffice -- use-after-free vulnerability</topic>
<affects>
<package>
<name>libreoffice</name>
<range><lt>5.1.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Talos reports:</p>
<blockquote cite="http://www.talosintelligence.com/reports/TALOS-2016-0126/">
<p>An exploitable Use After Free vulnerability exists in the
RTF parser of LibreOffice. A specially crafted file can cause a use after
free resulting in a possible arbitrary code execution. To exploit the
vulnerability a malicious file needs to be opened by the user via the
vulnerable application.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.talosintelligence.com/reports/TALOS-2016-0126/</url>
<url>http://www.libreoffice.org/about-us/security/advisories/cve-2016-4324/</url>
<cvename>CVE-2016-4324</cvename>
</references>
<dates>
<discovery>2016-06-27</discovery>
<entry>2016-07-15</entry>
</dates>
</vuln>
<vuln vid="c17fe91d-4aa6-11e6-a7bd-14dae9d210b8">
<cancelled/>
</vuln>
<vuln vid="0ab66088-4aa5-11e6-a7bd-14dae9d210b8">
<topic>tiff -- buffer overflow</topic>
<affects>
<package>
<name>tiff</name>
<range><lt>4.0.6_2</lt></range>
</package>
<package>
<name>linux-c6-tiff</name>
<range><lt>3.9.4_2</lt></range>
</package>
<package>
<name>linux-f10-tiff</name>
<range><ge>*</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mathias Svensson reports:</p>
<blockquote cite="https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2">
<p>potential buffer write overrun in PixarLogDecode() on
corrupted/unexpected images</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2</url>
<cvename>CVE-2016-5314</cvename>
<cvename>CVE-2016-5320</cvename>
<cvename>CVE-2016-5875</cvename>
</references>
<dates>
<discovery>2016-06-28</discovery>
<entry>2016-07-15</entry>
<modified>2016-09-06</modified>
</dates>
</vuln>
<vuln vid="42ecf370-4aa4-11e6-a7bd-14dae9d210b8">
<cancelled/>
</vuln>
<vuln vid="d706a3a3-4a7c-11e6-97f7-5453ed2e2b49">
<topic>p7zip -- out-of-bounds read vulnerability</topic>
<affects>
<package>
<name>p7zip</name>
<range><lt>15.14_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Cisco Talos reports:</p>
<blockquote cite="http://www.talosintelligence.com/reports/TALOS-2016-0094/">
<p>An out-of-bounds read vulnerability exists in the way 7-Zip
handles Universal Disk Format (UDF) files.</p>
<p>Central to 7-Zip’s processing of UDF files is the
CInArchive::ReadFileItem method. Because volumes can have more than
one partition map, their objects are kept in an object vector. To
start looking for an item, this method tries to reference the proper
object using the partition map’s object vector and the "PartitionRef"
field from the Long Allocation Descriptor. Lack of checking whether
the "PartitionRef" field is bigger than the available amount of
partition map objects causes a read out-of-bounds and can lead, in
some circumstances, to arbitrary code execution.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2335</cvename>
<url>http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html</url>
</references>
<dates>
<discovery>2016-05-11</discovery>
<entry>2016-07-15</entry>
</dates>
</vuln>
<vuln vid="a9bcaf57-4a7b-11e6-97f7-5453ed2e2b49">
<topic>p7zip -- heap overflow vulnerability</topic>
<affects>
<package>
<name>p7zip</name>
<range><lt>15.14_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Cisco Talos reports:</p>
<blockquote cite="http://www.talosintelligence.com/reports/TALOS-2016-0093/">
<p>An exploitable heap overflow vulnerability exists in the
NArchive::NHfs::CHandler::ExtractZlibFile method functionality of
7zip that can lead to arbitrary code execution.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2334</cvename>
<url>http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html</url>
</references>
<dates>
<discovery>2016-05-11</discovery>
<entry>2016-07-15</entry>
</dates>
</vuln>
<vuln vid="4729c849-4897-11e6-b704-000c292e4fd8">
<topic>samba -- client side SMB2/3 required signing can be downgraded</topic>
<affects>
<package>
<name>samba4</name>
<range><ge>4.0.0</ge><le>4.0.26</le></range>
</package>
<package>
<name>samba41</name>
<range><ge>4.1.0</ge><le>4.1.23</le></range>
</package>
<package>
<name>samba42</name>
<range><ge>4.2.0</ge><lt>4.2.14</lt></range>
</package>
<package>
<name>samba43</name>
<range><ge>4.3.0</ge><lt>4.3.11</lt></range>
</package>
<package>
<name>samba44</name>
<range><ge>4.4.0</ge><lt>4.4.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samba team reports:</p>
<blockquote cite="https://www.samba.org/samba/security/CVE-2016-2119.html">
<p>A man-in-the-middle attack can disable client signing over
SMB2/3, even if enforced by configuration parameters.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2119</cvename>
<url>https://www.samba.org/samba/security/CVE-2016-2119.html</url>
</references>
<dates>
<discovery>2016-07-07</discovery>
<entry>2016-07-13</entry>
</dates>
</vuln>
<vuln vid="3fcd52b2-4510-11e6-a15f-00248c0c745d">
<topic>ruby-saml -- XML signature wrapping attack</topic>
<affects>
<package>
<name>rubygem-ruby-saml</name>
<range><lt>1.3.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>RubySec reports:</p>
<blockquote cite="http://rubysec.com/advisories/CVE-2016-5697/">
<p>ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack
in the specific scenario where there was a signature that referenced at the same
time 2 elements (but passed the schema validator process since 1 of the elements was
inside the encrypted assertion).</p>
<p>ruby-saml users must update to 1.3.0, which implements 3 extra validations to
mitigate this kind of attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5697</cvename>
<url>http://rubysec.com/advisories/CVE-2016-5697/</url>
<url>https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995</url>
</references>
<dates>
<discovery>2016-06-24</discovery>
<entry>2016-07-08</entry>
</dates>
</vuln>
<vuln vid="7d64d00c-43e3-11e6-ab34-002590263bf5">
<topic>quassel -- remote denial of service</topic>
<affects>
<package>
<name>quassel</name>
<range><lt>0.12.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mitre reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4414">
<p>The onReadyRead function in core/coreauthhandler.cpp in Quassel
before 0.12.4 allows remote attackers to cause a denial of service
(NULL pointer dereference and crash) via invalid handshake data.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4414</cvename>
<url>http://quassel-irc.org/node/129</url>
<url>https://github.com/quassel/quassel/commit/e678873</url>
<url>http://www.openwall.com/lists/oss-security/2016/04/30/2</url>
<url>http://www.openwall.com/lists/oss-security/2016/04/30/4</url>
</references>
<dates>
<discovery>2016-04-24</discovery>
<entry>2016-07-07</entry>
</dates>
</vuln>
<vuln vid="e9d1e040-42c9-11e6-9608-20cf30e32f6d">
<topic>apache24 -- X509 Client certificate based authentication can be bypassed when HTTP/2 is used</topic>
<affects>
<package>
<name>apache24</name>
<range><ge>2.4.18</ge><lt>2.4.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache Software Foundation reports:</p>
<blockquote cite="INSERT URL HERE">
<p>The Apache HTTPD web server (from 2.4.18-2.4.20) did not validate an X509
client certificate correctly when the experimental module for the HTTP/2
protocol is used to access a resource.</p>
<p>The net result is that a resource that should require a valid client
certificate in order to get access can be accessed without that credential.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4979</cvename>
<url>http://mail-archives.apache.org/mod_mbox/httpd-announce/201607.mbox/CVE-2016-4979-68283</url>
</references>
<dates>
<discovery>2016-07-01</discovery>
<entry>2016-07-05</entry>
</dates>
</vuln>
<vuln vid="e800cd4b-4212-11e6-942d-bc5ff45d0f28">
<topic>xen-tools -- Unrestricted qemu logging</topic>
<affects>
<package>
<name>xen-tools</name>
<range><lt>4.7.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-180.html">
<p>When the libxl toolstack launches qemu for HVM guests, it pipes the
output of stderr to a file in /var/log/xen. This output is not
rate-limited in any way. The guest can easily cause qemu to print
messages to stderr, causing this file to become arbitrarily large.
</p>
<p>The disk containing the logfile can be exhausted, possibly causing a
denial-of-service (DoS).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-3672</cvename>
<url>http://xenbits.xen.org/xsa/advisory-180.html</url>
</references>
<dates>
<discovery>2016-05-23</discovery>
<entry>2016-07-04</entry>
</dates>
</vuln>
<vuln vid="e6ce6f50-4212-11e6-942d-bc5ff45d0f28">
<topic>xen-tools -- QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks</topic>
<affects>
<package>
<name>xen-tools</name>
<range><lt>4.7.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-179.html">
<p>Qemu VGA module allows banked access to video memory using the
window at 0xa00000 and it supports different access modes with
different address calculations.</p>
<p>Qemu VGA module allows guest to edit certain registers in 'vbe'
and 'vga' modes.</p>
<p>A privileged guest user could use CVE-2016-3710 to exceed the bank
address window and write beyond the said memory area, potentially
leading to arbitrary code execution with privileges of the Qemu
process. If the system is not using stubdomains, this will be in
domain 0.</p>
<p>A privileged guest user could use CVE-2016-3712 to cause potential
integer overflow or OOB read access issues in Qemu, resulting in a DoS
of the guest itself. More dangerous effects, such as data leakage or
code execution, are not known but cannot be ruled out.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3710</cvename>
<cvename>CVE-2016-3712</cvename>
<url>http://xenbits.xen.org/xsa/advisory-179.html</url>
</references>
<dates>
<discovery>2016-05-09</discovery>
<entry>2016-07-04</entry>
</dates>
</vuln>
<vuln vid="e589ae90-4212-11e6-942d-bc5ff45d0f28">
<topic>xen-tools -- Unsanitised driver domain input in libxl device handling</topic>
<affects>
<package>
<name>xen-tools</name>
<range><lt>4.7.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-178.html">
<p>libxl's device-handling code freely uses and trusts information
from the backend directories in xenstore.</p>
<p>A malicious driver domain can deny service to management tools.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4963</cvename>
<url>http://xenbits.xen.org/xsa/advisory-178.html</url>
</references>
<dates>
<discovery>2016-06-02</discovery>
<entry>2016-07-04</entry>
</dates>
</vuln>
<vuln vid="e43b210a-4212-11e6-942d-bc5ff45d0f28">
<topic>xen-kernel -- x86 software guest page walk PS bit handling flaw</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.7.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-176.html">
<p>The Page Size (PS) page table entry bit exists at all page table
levels other than L1. Its meaning is reserved in L4, and
conditionally reserved in L3 and L2 (depending on hardware
capabilities). The software page table walker in the hypervisor,
however, so far ignored that bit in L4 and (on respective hardware)
L3 entries, resulting in pages being treated as page tables which
the guest OS may not have designated as such. If the page in
question is writable by an unprivileged user, then that user will
be able to map arbitrary guest memory.</p>
<p>On vulnerable OSes, guest user mode code may be able to establish
mappings of arbitrary memory inside the guest, allowing it to
elevate its privileges inside the guest.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4480</cvename>
<url>http://xenbits.xen.org/xsa/advisory-176.html</url>
</references>
<dates>
<discovery>2016-05-17</discovery>
<entry>2016-07-04</entry>
</dates>
</vuln>
<vuln vid="e2fca11b-4212-11e6-942d-bc5ff45d0f28">
<topic>xen-tools -- Unsanitised guest input in libxl device handling code</topic>
<affects>
<package>
<name>xen-tools</name>
<range><lt>4.7.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-175.html">
<p>Various parts of libxl device-handling code inappropriately use
information from (partially) guest controlled areas of xenstore.</p>
<p>A malicious guest administrator can cause denial of service by
resource exhaustion.</p>
<p>A malicious guest administrator can confuse and/or deny service to
management facilities.</p>
<p>A malicious guest administrator of a guest configured with channel
devices may be able to escalate their privilege to that of the
backend domain (i.e., normally, to that of the host).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4962</cvename>
<url>http://xenbits.xen.org/xsa/advisory-175.html</url>
</references>
<dates>
<discovery>2016-06-02</discovery>
<entry>2016-07-04</entry>
</dates>
</vuln>
<vuln vid="d51ced72-4212-11e6-942d-bc5ff45d0f28">
<topic>xen-kernel -- x86 shadow pagetables: address width overflow</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>3.4</ge><lt>4.7.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-173.html">
<p>In the x86 shadow pagetable code, the guest frame number of a
superpage mapping is stored in a 32-bit field. If a shadowed guest
can cause a superpage mapping of a guest-physical address at or
above 2^44 to be shadowed, the top bits of the address will be lost,
causing an assertion failure or NULL dereference later on, in code
that removes the shadow.</p>
<p>An HVM guest using shadow pagetables can cause the host to crash.</p>
<p>A PV guest using shadow pagetables (i.e. being migrated) with PV
superpages enabled (which is not the default) can crash the host, or
corrupt hypervisor memory, and so a privilege escalation cannot be
ruled out.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3960</cvename>
<url>http://xenbits.xen.org/xsa/advisory-173.html</url>
</references>
<dates>
<discovery>2016-04-18</discovery>
<entry>2016-07-04</entry>
</dates>
</vuln>
<vuln vid="313e9557-41e8-11e6-ab34-002590263bf5">
<topic>wireshark -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wireshark</name>
<name>wireshark-lite</name>
<name>wireshark-qt5</name>
<name>tshark</name>
<name>tshark-lite</name>
<range><lt>2.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark development team reports:</p>
<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.4.html">
<p>The following vulnerabilities have been fixed:</p>
<ul>
<li><p>wnpa-sec-2016-29</p>
<p>The SPOOLS dissector could go into an infinite loop. Discovered
by the CESG.</p></li>
<li><p>wnpa-sec-2016-30</p>
<p>The IEEE 802.11 dissector could crash. (Bug 11585)</p></li>
<li><p>wnpa-sec-2016-31</p>
<p>The IEEE 802.11 dissector could crash. Discovered by Mateusz
Jurczyk. (Bug 12175)</p></li>
<li><p>wnpa-sec-2016-32</p>
<p>The UMTS FP dissector could crash. (Bug 12191)</p></li>
<li><p>wnpa-sec-2016-33</p>
<p>Some USB dissectors could crash. Discovered by Mateusz
Jurczyk. (Bug 12356)</p></li>
<li><p>wnpa-sec-2016-34</p>
<p>The Toshiba file parser could crash. Discovered by iDefense
Labs. (Bug 12394)</p></li>
<li><p>wnpa-sec-2016-35</p>
<p>The CoSine file parser could crash. Discovered by iDefense
Labs. (Bug 12395)</p></li>
<li><p>wnpa-sec-2016-36</p>
<p>The NetScreen file parser could crash. Discovered by iDefense
Labs. (Bug 12396)</p></li>
<li><p>wnpa-sec-2016-37</p>
<p>The Ethernet dissector could crash. (Bug 12440)</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5350</cvename>
<cvename>CVE-2016-5351</cvename>
<cvename>CVE-2016-5352</cvename>
<cvename>CVE-2016-5353</cvename>
<cvename>CVE-2016-5354</cvename>
<cvename>CVE-2016-5355</cvename>
<cvename>CVE-2016-5356</cvename>
<cvename>CVE-2016-5357</cvename>
<cvename>CVE-2016-5358</cvename>
<url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.4.html</url>
<url>http://www.openwall.com/lists/oss-security/2016/06/09/4</url>
</references>
<dates>
<discovery>2016-06-07</discovery>
<entry>2016-07-04</entry>
</dates>
</vuln>
<vuln vid="8656cf5f-4170-11e6-8dfe-002590263bf5">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle28</name>
<range><lt>2.8.12</lt></range>
</package>
<package>
<name>moodle29</name>
<range><lt>2.9.6</lt></range>
</package>
<package>
<name>moodle30</name>
<range><lt>3.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Marina Glancy reports:</p>
<blockquote cite="https://moodle.org/security/">
<ul>
<li><p>MSA-16-0013: Users are able to change profile fields that
were locked by the administrator.</p></li>
<li><p>MSA-16-0015: Information disclosure of hidden forum names
and sub-names.</p></li>
<li><p>MSA-16-0016: User can view badges of other users without
proper permissions.</p></li>
<li><p>MSA-16-0017: Course idnumber not protected from teacher
restore.</p></li>
<li><p>MSA-16-0018: CSRF in script marking forum posts as read.</p>
</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3729</cvename>
<cvename>CVE-2016-3731</cvename>
<cvename>CVE-2016-3732</cvename>
<cvename>CVE-2016-3733</cvename>
<cvename>CVE-2016-3734</cvename>
<url>https://moodle.org/security/</url>
</references>
<dates>
<discovery>2016-05-18</discovery>
<entry>2016-07-03</entry>
</dates>
</vuln>
<vuln vid="ad9b77f6-4163-11e6-b05b-14dae9d210b8">
<topic>icingaweb2 -- remote code execution</topic>
<affects>
<package>
<name>icingaweb2</name>
<range><lt>2.3.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Eric Lippmann reports:</p>
<blockquote cite="https://www.icinga.org/2016/06/23/icinga-web-2-v2-3-4-v2-2-2-and-v2-1-4-releases/">
<p>Possibility of remote code execution via the remote command
transport.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.icinga.org/2016/06/23/icinga-web-2-v2-3-4-v2-2-2-and-v2-1-4-releases/</url>
</references>
<dates>
<discovery>2016-06-23</discovery>
<entry>2016-07-03</entry>
</dates>
</vuln>
<vuln vid="a5c204b5-4153-11e6-8dfe-002590263bf5">
<topic>hive -- authorization logic vulnerability</topic>
<affects>
<package>
<name>hive</name>
<range><lt>2.0.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sushanth Sowmyan reports:</p>
<blockquote cite="http://mail-archives.apache.org/mod_mbox/hive-user/201601.mbox/%3C20160128205008.2154F185EB%40minotaur.apache.org%3E">
<p>Some partition-level operations exist that do not explicitly also
authorize privileges of the parent table. This can lead to issues when
the parent table would have denied the operation, but no denial occurs
because the partition-level privilege is not checked by the
authorization framework, which defines authorization entities only
from the table level upwards.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7521</cvename>
<url>http://mail-archives.apache.org/mod_mbox/hive-user/201601.mbox/%3C20160128205008.2154F185EB%40minotaur.apache.org%3E</url>
</references>
<dates>
<discovery>2016-01-28</discovery>
<entry>2016-07-03</entry>
</dates>
</vuln>
<vuln vid="546deeea-3fc6-11e6-a671-60a44ce6887b">
<topic>SQLite3 -- Tempdir Selection Vulnerability</topic>
<affects>
<package>
<name>sqlite3</name>
<range><lt>3.13.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>KoreLogic security reports:</p>
<blockquote cite="https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt">
<p>Affected versions of SQLite reject potential tempdir locations if
they are not readable, falling back to '.'. Thus, SQLite will favor
e.g. using cwd for tempfiles on such a system, even if cwd is an
unsafe location. Notably, SQLite also checks the permissions of
'.', but ignores the results of that check.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6153</cvename>
<freebsdpr>ports/209827</freebsdpr>
<url>https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt</url>
<url>http://openwall.com/lists/oss-security/2016/07/01/2</url>
<url>http://www.sqlite.org/cgi/src/info/67985761aa93fb61</url>
<url>http://www.sqlite.org/cgi/src/info/b38fe522cfc971b3</url>
<url>http://www.sqlite.org/cgi/src/info/614bb709d34e1148</url>
</references>
<dates>
<discovery>2016-07-01</discovery>
<entry>2016-07-03</entry>
</dates>
</vuln>
<vuln vid="8d5368ef-40fe-11e6-b2ec-b499baebfeaf">
<topic>Python -- smtplib StartTLS stripping vulnerability</topic>
<affects>
<package>
<name>python27</name>
<range><lt>2.7.12</lt></range>
</package>
<package>
<name>python33</name>
<range><gt>0</gt></range>
</package>
<package>
<name>python34</name>
<range><lt>3.4.5</lt></range>
</package>
<package>
<name>python35</name>
<range><lt>3.5.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Red Hat reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0772">
<p>A vulnerability in smtplib allowing a MITM attacker to perform a
startTLS stripping attack. smtplib does not seem to raise an exception
when the remote end (SMTP server) is capable of negotiating starttls but
fails to respond with 220 (ok) to an explicit call of SMTP.starttls().
This may allow a malicious MITM to perform a startTLS stripping attack
if the client code does not explicitly check the response code for startTLS.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0772</url>
<cvename>CVE-2016-0772</cvename>
</references>
<dates>
<discovery>2016-06-14</discovery>
<entry>2016-07-03</entry>
</dates>
</vuln>
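<![CDATA[
The exchange the report describes, as an added example that is not part of the Python project's code: a scripted SMTP peer on the loopback interface advertises STARTTLS and then refuses the command, the way a downgrading MITM does, and the client side checks the reply code itself so the decision does not depend on whether the installed smtplib raises (fixed releases) or silently returns the code (affected releases). The host names client.example and mitm.example, the ephemeral loopback port and the reply strings are constructed for the example. The scripted peer never completes a real TLS handshake, which would need a certificate, so it only exercises the downgrade replies; a 220 from a real server is the success path.

```python
import smtplib
import socket
import threading


def _serve_downgrade_once(listener, starttls_reply):
    """Scripted SMTP peer constructed for this example. It advertises
    STARTTLS in its EHLO response, then answers the STARTTLS command with
    *starttls_reply*, exactly what a downgrading MITM does."""
    try:
        conn, _ = listener.accept()
    except OSError:
        return
    conn.settimeout(5)
    rfile = conn.makefile("rb")

    def send(line):
        conn.sendall(line.encode("ascii") + b"\r\n")

    try:
        send("220 mitm.example ESMTP")
        while True:
            line = rfile.readline()
            if not line:
                break
            cmd = line.decode("ascii", "replace").strip().upper()
            if cmd.startswith("EHLO"):
                send("250-mitm.example")
                send("250 STARTTLS")
            elif cmd.startswith("HELO"):
                send("250 mitm.example")
            elif cmd == "STARTTLS":
                send(starttls_reply)
            elif cmd == "QUIT":
                send("221 bye")
                break
            else:
                send("500 command not recognized")
    except OSError:
        pass
    finally:
        rfile.close()
        conn.close()


def starttls_reply_code(smtp):
    """Issue STARTTLS and return the server's reply code, or None if the
    server did not advertise STARTTLS at all.

    Fixed smtplib releases raise SMTPResponseException on a non-220 reply;
    affected releases just return the code. Handling both makes the caller's
    decision independent of the interpreter version."""
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        return None
    try:
        code, _ = smtp.starttls()
    except smtplib.SMTPResponseException as exc:
        code = exc.smtp_code
    return code


def session_is_encrypted(code):
    """Only a 220 reply means the TLS handshake was performed on the socket.
    Anything else (454, 500, None) leaves the session in cleartext, and the
    caller must not send AUTH credentials or message data."""
    return code == 220


def probe(starttls_reply):
    """Run one client/server exchange over the loopback interface against
    the scripted peer and return the STARTTLS reply code the client saw."""
    listener = socket.socket()
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(
        target=_serve_downgrade_once, args=(listener, starttls_reply), daemon=True
    )
    server.start()
    try:
        smtp = smtplib.SMTP("127.0.0.1", port, local_hostname="client.example", timeout=5)
        try:
            return starttls_reply_code(smtp)
        finally:
            try:
                smtp.quit()
            except (smtplib.SMTPException, OSError):
                pass
    finally:
        server.join(5)
        listener.close()


if __name__ == "__main__":
    code = probe("454 TLS not available due to temporary reason")
    print("STARTTLS reply:", code, "encrypted:", session_is_encrypted(code))
```

The same check belongs in any client that calls starttls() on an affected interpreter: treat anything but 220 as "still cleartext" and abort before authenticating, rather than assuming the call either succeeded or raised.
]]>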
<vuln vid="e7028e1d-3f9b-11e6-81f9-6805ca0b3d42">
<topic>phpMyAdmin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>phpmyadmin</name>
<range><ge>4.6.0</ge><lt>4.6.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Please reference CVE/URL list for details</p>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2016-17/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-18/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-19/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-20/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-21/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-22/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-23/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-24/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-25/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-26/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-27/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-28/</url>
<cvename>CVE-2016-5701</cvename>
<cvename>CVE-2016-5702</cvename>
<cvename>CVE-2016-5703</cvename>
<cvename>CVE-2016-5704</cvename>
<cvename>CVE-2016-5705</cvename>
<cvename>CVE-2016-5706</cvename>
<cvename>CVE-2016-5730</cvename>
<cvename>CVE-2016-5731</cvename>
<cvename>CVE-2016-5732</cvename>
<cvename>CVE-2016-5733</cvename>
<cvename>CVE-2016-5734</cvename>
<cvename>CVE-2016-5739</cvename>
</references>
<dates>
<discovery>2016-06-23</discovery>
<entry>2016-07-01</entry>
</dates>
</vuln>
<vuln vid="f1c219ba-3f14-11e6-b3c8-14dae9d210b8">
<topic>haproxy -- denial of service</topic>
<affects>
<package>
<name>haproxy</name>
<range><ge>1.6.0</ge><lt>1.6.5_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>HAproxy reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/06/09/5">
<p>HAproxy 1.6.x before 1.6.6, when a deny comes from a
reqdeny rule, allows remote attackers to cause a denial of service
(uninitialized memory access and crash) or possibly have unspecified
other impact via unknown vectors.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2016/06/09/5</url>
<cvename>CVE-2016-5360</cvename>
</references>
<dates>
<discovery>2016-06-09</discovery>
<entry>2016-06-30</entry>
</dates>
</vuln>
<vuln vid="093584f2-3f14-11e6-b3c8-14dae9d210b8">
<topic>libtorrent-rasterbar -- denial of service</topic>
<affects>
<package>
<name>libtorrent-rasterbar</name>
<range><lt>1.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Brandon Perry reports:</p>
<blockquote cite="https://github.com/arvidn/libtorrent/issues/780">
<p>The parse_chunk_header function in libtorrent before 1.1.1
allows remote attackers to cause a denial of service (crash) via a
crafted (1) HTTP response or possibly a (2) UPnP broadcast.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/arvidn/libtorrent/issues/780</url>
<cvename>CVE-2016-5301</cvename>
</references>
<dates>
<discovery>2016-06-03</discovery>
<entry>2016-06-30</entry>
</dates>
</vuln>
<vuln vid="ff76f0e0-3f11-11e6-b3c8-14dae9d210b8">
<topic>expat2 -- denial of service</topic>
<affects>
<package>
<name>expat</name>
<range><lt>2.1.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adam Maris reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=1344251">
<p>It was found that original patch for issues CVE-2015-1283
and CVE-2015-2716 used overflow checks that could be optimized out by
some compilers applying certain optimization settings, which can cause
the vulnerability to remain even after applying the patch.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1344251</url>
<cvename>CVE-2016-4472</cvename>
</references>
<dates>
<discovery>2016-06-09</discovery>
<entry>2016-06-30</entry>
<modified>2016-11-30</modified>
</dates>
</vuln>
<vuln vid="875e4cf8-3f0e-11e6-b3c8-14dae9d210b8">
<topic>dnsmasq -- denial of service</topic>
<affects>
<package>
<name>dnsmasq</name>
<range><lt>2.76,1</lt></range>
</package>
<package>
<name>dnsmasq-devel</name>
<range><lt>2.76.0test1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p> reports:</p>
<blockquote cite="http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html">
<p>Dnsmasq before 2.76 allows remote servers to cause a denial
of service (crash) via a reply with an empty DNS address that has an (1)
A or (2) AAAA record defined locally.</p>
</blockquote>
</body>
</description>
<references>
<url>http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html</url>
<url>http://www.openwall.com/lists/oss-security/2016/06/03/7</url>
<cvename>CVE-2015-8899</cvename>
</references>
<dates>
<discovery>2016-04-18</discovery>
<entry>2016-06-30</entry>
<modified>2016-06-30</modified>
</dates>
</vuln>
<vuln vid="a61374fc-3a4d-11e6-a671-60a44ce6887b">
<topic>Python -- HTTP Header Injection in Python urllib</topic>
<affects>
<package>
<name>python27</name>
<range><lt>2.7.10</lt></range>
</package>
<package>
<name>python33</name>
<range><ge>0</ge></range>
</package>
<package>
<name>python34</name>
<range><lt>3.4.4</lt></range>
</package>
<package>
<name>python35</name>
<range><lt>3.5.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Guido Vranken reports:</p>
<blockquote cite="https://bugs.python.org/issue22928">
<p>HTTP header injection in urllib2/urllib/httplib/http.client with
newlines in header values, where newlines have a semantic consequence of
denoting the start of an additional header line.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.python.org/issue22928</url>
<url>http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html</url>
<url>http://www.openwall.com/lists/oss-security/2016/06/14/7</url>
<cvename>CVE-2016-5699</cvename>
</references>
<dates>
<discovery>2014-11-24</discovery>
<entry>2016-06-30</entry>
<modified>2016-07-04</modified>
</dates>
</vuln>
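<![CDATA[
What the newline does on the wire, as an added example that is not the Python project's code: a naive serializer pastes a user-controlled header value into the request, a parser on the receiving side shows the extra header line it produces, the hardened serializer refuses CR or LF before anything is written, and a last helper checks whether the installed http.client rejects the same value (fixed releases raise ValueError from putheader(), with no connection being made). The header name X-Api-Version, the host api.example and the hostile value are constructed for the example.

```python
import http.client
import re

# A value the application copies from a query parameter into a request
# header (constructed scenario): the CRLF turns the tail into a new header.
HOSTILE_VALUE = "1\r\nX-Injected: 1"


def naive_serialize(method, path, headers):
    """The vulnerable pattern: header values are pasted into the wire format
    without checking for CR/LF, so a value containing them becomes extra
    header lines as far as the server is concerned."""
    lines = ["%s %s HTTP/1.1" % (method, path)]
    for name, value in headers.items():
        lines.append("%s: %s" % (name, value))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def parse_header_block(raw):
    """Split a serialized request back into (name, value) pairs the way a
    receiving server would, to make the injected line visible."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    pairs = []
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        pairs.append((name.strip().decode("latin-1"), value.strip().decode("latin-1")))
    return pairs


_CR_OR_LF = re.compile(r"[\r\n]")


def headers_are_safe(headers):
    """False if any header name or value contains CR or LF. Stricter than
    http.client's own check, which still tolerates obsolete line folding
    (CRLF followed by a space or tab)."""
    for name, value in headers.items():
        if _CR_OR_LF.search(name) or _CR_OR_LF.search(str(value)):
            return False
    return True


def strict_serialize(method, path, headers):
    """Hardened form: validate every header before anything is serialized."""
    if not headers_are_safe(headers):
        raise ValueError("CR/LF in header name or value")
    return naive_serialize(method, path, headers)


def stdlib_rejects(name, value):
    """True if the installed http.client refuses this header. putrequest()
    and putheader() only buffer output, so no network connection is made."""
    conn = http.client.HTTPConnection("example.invalid")
    conn.putrequest("GET", "/")
    try:
        conn.putheader(name, value)
    except ValueError:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    raw = naive_serialize("GET", "/", {"Host": "api.example", "X-Api-Version": HOSTILE_VALUE})
    print("server sees:", parse_header_block(raw))
    print("stdlib rejects hostile value:", stdlib_rejects("X-Api-Version", HOSTILE_VALUE))
```

The same injected CRLF in a request path has the same effect, and a value containing an empty line (CRLF CRLF) ends the header block early and lets the attacker supply a body, so validating only values is not enough: validate every component that is written to the request line and header block.
]]>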
<vuln vid="0ca24682-3f03-11e6-b3c8-14dae9d210b8">
<topic>openssl -- denial of service</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.2_14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mitre reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177">
<p>OpenSSL through 1.0.2h incorrectly uses pointer arithmetic
for heap-buffer boundary checks, which might allow remote attackers to
cause a denial of service (integer overflow and application crash) or
possibly have unspecified other impact by leveraging unexpected malloc
behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.</p>
</blockquote>
</body>
</description>
<references>
<url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1341705</url>
<url>https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/</url>
<cvename>CVE-2016-2177</cvename>
</references>
<dates>
<discovery>2016-06-01</discovery>
<entry>2016-06-30</entry>
</dates>
</vuln>
<vuln vid="cbceeb49-3bc7-11e6-8e82-002590263bf5">
<topic>Apache Commons FileUpload -- denial of service (DoS) vulnerability</topic>
<affects>
<package>
<name>tomcat7</name>
<range><lt>7.0.70</lt></range>
</package>
<package>
<name>tomcat8</name>
<range><lt>8.0.36</lt></range>
</package>
<package>
<name>apache-struts</name>
<range><lt>2.5.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mark Thomas reports:</p>
<blockquote cite="http://mail-archives.apache.org/mod_mbox/tomcat-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832%40apache.org%3E">
<p>CVE-2016-3092 is a denial of service vulnerability that has been
corrected in the Apache Commons FileUpload component. It occurred
when the length of the multipart boundary was just below the size of
the buffer (4096 bytes) used to read the uploaded file. This caused
the file upload process to take several orders of magnitude longer
than if the boundary length was the typical tens of bytes.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3092</cvename>
<freebsdpr>ports/209669</freebsdpr>
<url>http://tomcat.apache.org/security-7.html</url>
<url>http://tomcat.apache.org/security-8.html</url>
<url>http://mail-archives.apache.org/mod_mbox/tomcat-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832%40apache.org%3E</url>
<url>http://jvn.jp/en/jp/JVN89379547/index.html</url>
</references>
<dates>
<discovery>2016-06-20</discovery>
<entry>2016-06-26</entry>
<modified>2017-08-10</modified>
</dates>
</vuln>
<vuln vid="bfcc23b6-3b27-11e6-8e82-002590263bf5">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.5.3,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>ja-wordpress</name>
<name>ru-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.5.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adam Silverstein reports:</p>
<blockquote cite="https://wordpress.org/news/2016/06/wordpress-4-5-3/">
<p>WordPress 4.5.3 is now available. This is a security release for
all previous versions and we strongly encourage you to update your
sites immediately.</p>
<p>WordPress versions 4.5.2 and earlier are affected by several
security issues: redirect bypass in the customizer, reported by
Yassine Aboukir; two different XSS problems via attachment names,
reported by Jouko Pynnönen and Divyesh Prajapati; revision history
information disclosure, reported independently by John Blackbourn
from the WordPress security team and by Dan Moen from the Wordfence
Research Team; oEmbed denial of service reported by Jennifer Dodd
from Automattic; unauthorized category removal from a post, reported
by David Herrera from Alley Interactive; password change via stolen
cookie, reported by Michael Adams from the WordPress security team;
and some less secure sanitize_file_name edge cases reported by Peter
Westwood of the WordPress security team.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5832</cvename>
<cvename>CVE-2016-5833</cvename>
<cvename>CVE-2016-5834</cvename>
<cvename>CVE-2016-5835</cvename>
<cvename>CVE-2016-5836</cvename>
<cvename>CVE-2016-5837</cvename>
<cvename>CVE-2016-5838</cvename>
<cvename>CVE-2016-5839</cvename>
<freebsdpr>ports/210480</freebsdpr>
<freebsdpr>ports/210581</freebsdpr>
<url>https://wordpress.org/news/2016/06/wordpress-4-5-3/</url>
<url>http://www.openwall.com/lists/oss-security/2016/06/23/9</url>
</references>
<dates>
<discovery>2016-06-18</discovery>
<entry>2016-06-25</entry>
</dates>
</vuln>
<vuln vid="66d77c58-3b1d-11e6-8e82-002590263bf5">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php55</name>
<name>php55-gd</name>
<name>php55-mbstring</name>
<name>php55-wddx</name>
<name>php55-zip</name>
<range><lt>5.5.37</lt></range>
</package>
<package>
<name>php56</name>
<name>php56-gd</name>
<name>php56-mbstring</name>
<name>php56-phar</name>
<name>php56-wddx</name>
<name>php56-zip</name>
<range><lt>5.6.23</lt></range>
</package>
<package>
<name>php70</name>
<name>php70-gd</name>
<name>php70-mbstring</name>
<name>php70-phar</name>
<name>php70-wddx</name>
<name>php70-zip</name>
<range><lt>7.0.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP Group reports:</p>
<blockquote cite="http://php.net/ChangeLog-5.php#5.5.37">
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8874</cvename>
<cvename>CVE-2016-5766</cvename>
<cvename>CVE-2016-5767</cvename>
<cvename>CVE-2016-5768</cvename>
<cvename>CVE-2016-5769</cvename>
<cvename>CVE-2016-5770</cvename>
<cvename>CVE-2016-5771</cvename>
<cvename>CVE-2016-5772</cvename>
<cvename>CVE-2016-5773</cvename>
<freebsdpr>ports/210491</freebsdpr>
<freebsdpr>ports/210502</freebsdpr>
<url>http://php.net/ChangeLog-5.php#5.5.37</url>
<url>http://php.net/ChangeLog-5.php#5.6.23</url>
<url>http://php.net/ChangeLog-7.php#7.0.8</url>
</references>
<dates>
<discovery>2016-06-23</discovery>
<entry>2016-06-25</entry>
</dates>
</vuln>
<vuln vid="4a0d9b53-395d-11e6-b3c8-14dae9d210b8">
<topic>libarchive -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libarchive</name>
<range><lt>3.2.1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Hanno Böck and Cisco Talos report:</p>
<blockquote cite="http://openwall.com/lists/oss-security/2016/06/23/6">
<ul>
<li><p>Out of bounds heap read in RAR parser</p></li>
<li><p>Signed integer overflow in ISO parser</p></li>
<li><p>TALOS-2016-0152 [CVE-2016-4300]: 7-Zip
read_SubStreamsInfo Integer Overflow</p></li>
<li><p>TALOS-2016-0153 [CVE-2016-4301]: mtree parse_device Stack
Based Buffer Overflow</p></li>
<li><p>TALOS-2016-0154 [CVE-2016-4302]: Libarchive Rar RestartModel
Heap Overflow</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://openwall.com/lists/oss-security/2016/06/23/6</url>
<url>https://github.com/libarchive/libarchive/issues/521</url>
<url>https://github.com/libarchive/libarchive/issues/717#event-697151157</url>
<url>http://blog.talosintel.com/2016/06/the-poisoned-archives.html</url>
<cvename>CVE-2015-8934</cvename>
<cvename>CVE-2016-4300</cvename>
<cvename>CVE-2016-4301</cvename>
<cvename>CVE-2016-4302</cvename>
</references>
<dates>
<discovery>2016-06-23</discovery>
<entry>2016-06-23</entry>
</dates>
</vuln>
<vuln vid="22775cdd-395a-11e6-b3c8-14dae9d210b8">
<topic>piwik -- XSS vulnerability</topic>
<affects>
<package>
<name>piwik</name>
<range><lt>2.16.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Piwik reports:</p>
<blockquote cite="http://piwik.org/changelog/piwik-2-16-1/">
<p>The Piwik Security team is grateful for the responsible
disclosures by our security researchers: Egidio Romano (granted a
critical security bounty), James Kettle and Paweł Bartunek (XSS) and
Emanuel Bronshtein (limited XSS).</p>
</blockquote>
</body>
</description>
<references>
<url>http://piwik.org/changelog/piwik-2-16-1/</url>
</references>
<dates>
<discovery>2016-04-11</discovery>
<entry>2016-06-23</entry>
</dates>
</vuln>
<vuln vid="6df56c60-3738-11e6-a671-60a44ce6887b">
<topic>wget -- HTTP to FTP redirection file name confusion vulnerability</topic>
<affects>
<package>
<name>wget</name>
<range><lt>1.18</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Giuseppe Scrivano reports:</p>
<blockquote cite="http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html">
<p>On a server redirect from HTTP to an FTP resource, wget would trust the
HTTP server and use the name in the redirected URL as the destination
filename.</p>
</blockquote>
</body>
</description>
<references>
<url>http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html</url>
<cvename>CVE-2016-4971</cvename>
</references>
<dates>
<discovery>2016-06-09</discovery>
<entry>2016-06-21</entry>
</dates>
</vuln>
<vuln vid="1a2aa04f-3718-11e6-b3c8-14dae9d210b8">
<topic>libxslt -- Denial of Service</topic>
<affects>
<package>
<name>libxslt</name>
<range><lt>1.1.29</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google reports:</p>
<blockquote cite="http://seclists.org/bugtraq/2016/Jun/81">
<ul>
<li>[583156] Medium CVE-2016-1683: Out-of-bounds access in libxslt.
Credit to Nicolas Gregoire.</li>
<li>[583171] Medium CVE-2016-1684: Integer overflow in libxslt.
Credit to Nicolas Gregoire.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://googlechromereleases.blogspot.com/2016/05/stable-channel-update_25.html</url>
<cvename>CVE-2016-1683</cvename>
<cvename>CVE-2016-1684</cvename>
</references>
<dates>
<discovery>2016-05-25</discovery>
<entry>2016-06-20</entry>
</dates>
</vuln>
<vuln vid="0e3dfdde-35c4-11e6-8e82-002590263bf5">
<topic>flash -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.626</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-18.html">
<p>These updates resolve type confusion vulnerabilities that could
lead to code execution (CVE-2016-4144, CVE-2016-4149).</p>
<p>These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2016-4142, CVE-2016-4143, CVE-2016-4145,
CVE-2016-4146, CVE-2016-4147, CVE-2016-4148).</p>
<p>These updates resolve heap buffer overflow vulnerabilities that
could lead to code execution (CVE-2016-4135, CVE-2016-4136,
CVE-2016-4138).</p>
<p>These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124,
CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129,
CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133,
CVE-2016-4134, CVE-2016-4137, CVE-2016-4141, CVE-2016-4150,
CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154,
CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171).</p>
<p>These updates resolve a vulnerability in the directory search path
used to find resources that could lead to code execution
(CVE-2016-4140).</p>
<p>These updates resolve a vulnerability that could be exploited to
bypass the same-origin-policy and lead to information disclosure
(CVE-2016-4139).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4122</cvename>
<cvename>CVE-2016-4123</cvename>
<cvename>CVE-2016-4124</cvename>
<cvename>CVE-2016-4125</cvename>
<cvename>CVE-2016-4127</cvename>
<cvename>CVE-2016-4128</cvename>
<cvename>CVE-2016-4129</cvename>
<cvename>CVE-2016-4130</cvename>
<cvename>CVE-2016-4131</cvename>
<cvename>CVE-2016-4132</cvename>
<cvename>CVE-2016-4133</cvename>
<cvename>CVE-2016-4134</cvename>
<cvename>CVE-2016-4135</cvename>
<cvename>CVE-2016-4136</cvename>
<cvename>CVE-2016-4137</cvename>
<cvename>CVE-2016-4138</cvename>
<cvename>CVE-2016-4139</cvename>
<cvename>CVE-2016-4140</cvename>
<cvename>CVE-2016-4141</cvename>
<cvename>CVE-2016-4142</cvename>
<cvename>CVE-2016-4143</cvename>
<cvename>CVE-2016-4144</cvename>
<cvename>CVE-2016-4145</cvename>
<cvename>CVE-2016-4146</cvename>
<cvename>CVE-2016-4147</cvename>
<cvename>CVE-2016-4148</cvename>
<cvename>CVE-2016-4149</cvename>
<cvename>CVE-2016-4150</cvename>
<cvename>CVE-2016-4151</cvename>
<cvename>CVE-2016-4152</cvename>
<cvename>CVE-2016-4153</cvename>
<cvename>CVE-2016-4154</cvename>
<cvename>CVE-2016-4155</cvename>
<cvename>CVE-2016-4156</cvename>
<cvename>CVE-2016-4166</cvename>
<cvename>CVE-2016-4171</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb16-18.html</url>
</references>
<dates>
<discovery>2016-06-16</discovery>
<entry>2016-06-19</entry>
</dates>
</vuln>
<vuln vid="0c6b008d-35c4-11e6-8e82-002590263bf5">
<topic>flash -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.621</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-15.html">
<p>These updates resolve type confusion vulnerabilities that could
lead to code execution (CVE-2016-1105, CVE-2016-4117).</p>
<p>These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107,
CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108,
CVE-2016-4110, CVE-2016-4121).</p>
<p>These updates resolve a heap buffer overflow vulnerability that
could lead to code execution (CVE-2016-1101).</p>
<p>These updates resolve a buffer overflow vulnerability that could
lead to code execution (CVE-2016-1103).</p>
<p>These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099,
CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109,
CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114,
CVE-2016-4115, CVE-2016-4120, CVE-2016-4160, CVE-2016-4161,
CVE-2016-4162, CVE-2016-4163).</p>
<p>These updates resolve a vulnerability in the directory search path
used to find resources that could lead to code execution
(CVE-2016-4116).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1096</cvename>
<cvename>CVE-2016-1097</cvename>
<cvename>CVE-2016-1098</cvename>
<cvename>CVE-2016-1099</cvename>
<cvename>CVE-2016-1100</cvename>
<cvename>CVE-2016-1101</cvename>
<cvename>CVE-2016-1102</cvename>
<cvename>CVE-2016-1103</cvename>
<cvename>CVE-2016-1104</cvename>
<cvename>CVE-2016-1105</cvename>
<cvename>CVE-2016-1106</cvename>
<cvename>CVE-2016-1107</cvename>
<cvename>CVE-2016-1108</cvename>
<cvename>CVE-2016-1109</cvename>
<cvename>CVE-2016-1110</cvename>
<cvename>CVE-2016-4108</cvename>
<cvename>CVE-2016-4109</cvename>
<cvename>CVE-2016-4110</cvename>
<cvename>CVE-2016-4111</cvename>
<cvename>CVE-2016-4112</cvename>
<cvename>CVE-2016-4113</cvename>
<cvename>CVE-2016-4114</cvename>
<cvename>CVE-2016-4115</cvename>
<cvename>CVE-2016-4116</cvename>
<cvename>CVE-2016-4117</cvename>
<cvename>CVE-2016-4120</cvename>
<cvename>CVE-2016-4121</cvename>
<cvename>CVE-2016-4160</cvename>
<cvename>CVE-2016-4161</cvename>
<cvename>CVE-2016-4162</cvename>
<cvename>CVE-2016-4163</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb16-15.html</url>
</references>
<dates>
<discovery>2016-05-12</discovery>
<entry>2016-06-19</entry>
</dates>
</vuln>
<vuln vid="07888b49-35c4-11e6-8e82-002590263bf5">
<topic>flash -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.616</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-10.html">
<p>These updates harden a mitigation against JIT spraying attacks that
could be used to bypass memory layout randomization mitigations
(CVE-2016-1006).</p>
<p>These updates resolve type confusion vulnerabilities that could
lead to code execution (CVE-2016-1015, CVE-2016-1019).</p>
<p>These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016,
CVE-2016-1017, CVE-2016-1031).</p>
<p>These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021,
CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025,
CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029,
CVE-2016-1032, CVE-2016-1033).</p>
<p>These updates resolve a stack overflow vulnerability that could
lead to code execution (CVE-2016-1018).</p>
<p>These updates resolve a security bypass vulnerability
(CVE-2016-1030).</p>
<p>These updates resolve a vulnerability in the directory search path
used to find resources that could lead to code execution
(CVE-2016-1014).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1006</cvename>
<cvename>CVE-2016-1011</cvename>
<cvename>CVE-2016-1012</cvename>
<cvename>CVE-2016-1013</cvename>
<cvename>CVE-2016-1014</cvename>
<cvename>CVE-2016-1015</cvename>
<cvename>CVE-2016-1016</cvename>
<cvename>CVE-2016-1017</cvename>
<cvename>CVE-2016-1018</cvename>
<cvename>CVE-2016-1019</cvename>
<cvename>CVE-2016-1020</cvename>
<cvename>CVE-2016-1021</cvename>
<cvename>CVE-2016-1022</cvename>
<cvename>CVE-2016-1023</cvename>
<cvename>CVE-2016-1024</cvename>
<cvename>CVE-2016-1025</cvename>
<cvename>CVE-2016-1026</cvename>
<cvename>CVE-2016-1027</cvename>
<cvename>CVE-2016-1028</cvename>
<cvename>CVE-2016-1029</cvename>
<cvename>CVE-2016-1030</cvename>
<cvename>CVE-2016-1031</cvename>
<cvename>CVE-2016-1032</cvename>
<cvename>CVE-2016-1033</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb16-10.html</url>
</references>
<dates>
<discovery>2016-04-07</discovery>
<entry>2016-06-19</entry>
</dates>
</vuln>
<vuln vid="d59ebed4-34be-11e6-be25-3065ec8fd3ec">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>51.0.2704.103</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://googlechromereleases.blogspot.nl/2016/06/stable-channel-update_16.html">
<p>3 security fixes in this release, including:</p>
<ul>
<li>[620742] CVE-2016-1704: Various fixes from internal audits,
fuzzing and other initiatives.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1704</cvename>
<url>https://googlechromereleases.blogspot.nl/2016/06/stable-channel-update_16.html</url>
</references>
<dates>
<discovery>2016-06-16</discovery>
<entry>2016-06-17</entry>
</dates>
</vuln>
<vuln vid="1d0f6852-33d8-11e6-a671-60a44ce6887b">
<topic>Python -- Integer overflow in zipimport module</topic>
<affects>
<package>
<name>python35</name>
<range><lt>3.5.1_3</lt></range>
</package>
<package>
<name>python34</name>
<range><lt>3.4.4_3</lt></range>
</package>
<package>
<name>python33</name>
<range><lt>3.3.6_5</lt></range>
</package>
<package>
<name>python27</name>
<range><lt>2.7.11_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Python reports:</p>
<blockquote cite="http://bugs.python.org/issue26171">
<p>Possible integer overflow and heap corruption in
zipimporter.get_data()</p>
</blockquote>
</body>
</description>
<references>
<url>http://bugs.python.org/issue26171</url>
<cvename>CVE-2016-5636</cvename>
</references>
<dates>
<discovery>2016-01-21</discovery>
<entry>2016-06-17</entry>
</dates>
</vuln>
<vuln vid="7932548e-3427-11e6-8e82-002590263bf5">
<topic>drupal -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal7</name>
<range><lt>7.44</lt></range>
</package>
<package>
<name>drupal8</name>
<range><lt>8.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Security Team reports:</p>
<blockquote cite="https://www.drupal.org/SA-CORE-2016-002">
<ul>
<li><p>Saving user accounts can sometimes grant the user all roles
(User module - Drupal 7 - Moderately Critical)</p></li>
<li><p>Views can allow unauthorized users to see Statistics
information (Views module - Drupal 8 - Less Critical)</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6211</cvename>
<cvename>CVE-2016-6212</cvename>
<url>https://www.drupal.org/SA-CORE-2016-002</url>
<url>http://www.openwall.com/lists/oss-security/2016/07/13/7</url>
</references>
<dates>
<discovery>2016-06-15</discovery>
<entry>2016-06-17</entry>
<modified>2016-07-16</modified>
</dates>
</vuln>
<vuln vid="ac0900df-31d0-11e6-8e82-002590263bf5">
<topic>botan -- multiple vulnerabilities</topic>
<affects>
<package>
<name>botan110</name>
<range><lt>1.10.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jack Lloyd reports:</p>
<blockquote cite="https://lists.randombit.net/pipermail/botan-devel/2016-April/002101.html">
<p>Botan 1.10.13 has been released backporting some side channel
protections for ECDSA signatures (CVE-2016-2849) and PKCS #1 RSA
decryption (CVE-2015-7827).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2849</cvename>
<cvename>CVE-2015-7827</cvename>
<url>https://lists.randombit.net/pipermail/botan-devel/2016-April/002101.html</url>
</references>
<dates>
<discovery>2016-04-28</discovery>
<entry>2016-06-14</entry>
</dates>
</vuln>
<vuln vid="f771880c-31cf-11e6-8e82-002590263bf5">
<topic>botan -- cryptographic vulnerability</topic>
<affects>
<package>
<name>botan110</name>
<range><lt>1.10.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9742">
<p>The Miller-Rabin primality check in Botan before 1.10.8 and 1.11.x
before 1.11.9 improperly uses a single random base, which makes it
easier for remote attackers to defeat cryptographic protection
mechanisms via a DH group.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-9742</cvename>
</references>
<dates>
<discovery>2014-04-11</discovery>
<entry>2016-06-14</entry>
</dates>
</vuln>
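<![CDATA[
Why one random base is not enough, as an added example that is not Botan's code: a Miller-Rabin round with a single base, the same round repeated with independent random bases, and an exhaustive count of the bases that fail to expose a small composite. The composite 2047 = 23 * 89 is a standard strong pseudoprime to base 2, chosen here because it is small enough to enumerate; the point carries over to the DH setting, where the remote peer picks the modulus and can retry as often as it likes until a single-base check happens to draw a liar.

```python
import random

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13)


def decompose(n):
    """Write n - 1 as 2**s * d with d odd."""
    s, d = 0, n - 1
    while d % 2 == 0:
        s += 1
        d //= 2
    return s, d


def is_strong_liar(n, a):
    """One Miller-Rabin round of odd n with base a.

    Returns True when the round does NOT expose n as composite. For a prime
    n this is always True; for an odd composite n it is True for at most a
    quarter of the bases, and those bases are called strong liars."""
    s, d = decompose(n)
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False


def is_probable_prime(n, rounds, rng=random.SystemRandom()):
    """Trial division by small primes, then *rounds* independent random
    bases. The error bound is 4**-rounds per call; with rounds=1, as in the
    affected Botan versions, a crafted composite slips through with
    probability up to 1/4 per attempt, and the peer gets unlimited attempts."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if not is_strong_liar(n, a):
            return False
    return True


def count_strong_liars(n):
    """Exhaustively count bases in [2, n-2] that are strong liars for n.
    Feasible only for small n; used here to show the attacker's odds."""
    return sum(1 for a in range(2, n - 1) if is_strong_liar(n, a))


if __name__ == "__main__":
    n = 2047  # = 23 * 89, a strong pseudoprime to base 2
    print("base 2 fooled:", is_strong_liar(n, 2), "base 3 fooled:", is_strong_liar(n, 3))
    liars = count_strong_liars(n)
    print("strong liars: %d of %d bases (%.1f%%)" % (liars, n - 3, 100.0 * liars / (n - 3)))
```

For a modulus supplied by an untrusted peer the round count has to be chosen for the adversarial case (a composite engineered to have as many liars as the 1/4 bound allows), not for the average-case error rate that suffices when testing one's own randomly generated candidates.
]]>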
<vuln vid="6d402857-2fba-11e6-9f31-5404a68ad561">
<topic>VLC -- Possibly remote code execution via crafted file</topic>
<affects>
<package>
<name>vlc</name>
<range><lt>2.2.4,4</lt></range>
</package>
<package>
<name>vlc-qt4</name>
<range><lt>2.2.4,4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The VLC project reports:</p>
<blockquote cite="https://www.videolan.org/developers/vlc-branch/NEWS">
<p>Fix out-of-bound write in adpcm QT IMA codec (CVE-2016-5108)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5108</cvename>
</references>
<dates>
<discovery>2016-05-25</discovery>
<entry>2016-06-11</entry>
</dates>
</vuln>
<vuln vid="97e86d10-2ea7-11e6-ae88-002590263bf5">
<topic>roundcube -- XSS vulnerability</topic>
<affects>
<package>
<name>roundcube</name>
<range><lt>1.1.5_1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Roundcube reports:</p>
<blockquote cite="https://github.com/roundcube/roundcubemail/wiki/Changelog">
<p>Fix XSS issue in href attribute on area tag (#5240).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5103</cvename>
<freebsdpr>ports/209841</freebsdpr>
<url>https://github.com/roundcube/roundcubemail/issues/5240</url>
<url>http://seclists.org/oss-sec/2016/q2/414</url>
</references>
<dates>
<discovery>2016-05-06</discovery>
<entry>2016-06-10</entry>
</dates>
</vuln>
<vuln vid="6f0529e2-2e82-11e6-b2ec-b499baebfeaf">
<topic>OpenSSL -- vulnerability in DSA signing</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.2_13</lt></range>
</package>
<package>
<name>libressl</name>
<range><lt>2.2.9</lt></range>
<range><ge>2.3.0</ge><lt>2.3.6</lt></range>
</package>
<package>
<name>libressl-devel</name>
<range><lt>2.4.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSL team reports:</p>
<blockquote cite="https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2">
<p>Operations in the DSA signing algorithm should run in constant time
in order to avoid side channel attacks. A flaw in the OpenSSL DSA
implementation means that a non-constant time codepath is followed for
certain operations. This has been demonstrated through a cache-timing
attack to be sufficient for an attacker to recover the private DSA key.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2</url>
<cvename>CVE-2016-2178</cvename>
</references>
<dates>
<discovery>2016-06-09</discovery>
<entry>2016-06-09</entry>
<modified>2016-12-20</modified>
</dates>
</vuln>
<vuln vid="c9c252f5-2def-11e6-ae88-002590263bf5">
<topic>expat -- multiple vulnerabilities</topic>
<affects>
<package>
<name>expat</name>
<range><lt>2.1.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sebastian Pipping reports:</p>
<blockquote cite="https://sourceforge.net/p/expat/code_git/ci/07cc2fcacf81b32b2e06aa918df51756525240c0/">
<p>CVE-2012-6702 -- Resolve troublesome internal call to srand that
was introduced with Expat 2.1.0 when addressing CVE-2012-0876
(issue #496)</p>
<p>CVE-2016-5300 -- Use more entropy for hash initialization than the
original fix to CVE-2012-0876.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-6702</cvename>
<cvename>CVE-2016-5300</cvename>
<freebsdpr>ports/210155</freebsdpr>
<url>https://sourceforge.net/p/expat/code_git/ci/07cc2fcacf81b32b2e06aa918df51756525240c0/</url>
<url>http://www.openwall.com/lists/oss-security/2016/03/18/3</url>
</references>
<dates>
<discovery>2016-03-18</discovery>
<entry>2016-06-09</entry>
<modified>2016-11-06</modified>
</dates>
</vuln>
<vuln vid="d6bbf2d8-2cfc-11e6-800b-080027468580">
<topic>iperf3 -- buffer overflow</topic>
<affects>
<package>
<name>iperf3</name>
<range><ge>3.1</ge><lt>3.1.3</lt></range>
<range><ge>3.0</ge><lt>3.0.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ESnet reports:</p>
<blockquote cite="https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc">
<p>A malicious process can connect to an iperf3 server and,
by sending a malformed message on the control channel,
corrupt the server process's heap area. This can lead to a
crash (and a denial of service), or theoretically a remote
code execution as the user running the iperf3 server. A
malicious iperf3 server could potentially mount a similar
attack on an iperf3 client.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4303</cvename>
<url>https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc</url>
</references>
<dates>
<discovery>2016-06-08</discovery>
<entry>2016-06-08</entry>
</dates>
</vuln>
<vuln vid="9c196cfd-2ccc-11e6-94b0-0011d823eebd">
<topic>gnutls -- file overwrite by setuid programs</topic>
<affects>
<package>
<name>gnutls</name>
<range><ge>3.4.12</ge><lt>3.4.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>gnutls.org reports:</p>
<blockquote cite="https://gnutls.org/security.html#GNUTLS-SA-2016-1">
<p>Setuid programs using GnuTLS 3.4.12 could potentially allow an
attacker to overwrite and corrupt arbitrary files in the
filesystem.</p>
</blockquote>
</body>
</description>
<references>
<url>https://gnutls.org/security.html#GNUTLS-SA-2016-1</url>
</references>
<dates>
<discovery>2016-06-06</discovery>
<entry>2016-06-07</entry>
</dates>
</vuln>
<vuln vid="32166082-53fa-41fa-b081-207e7a989a0a">
<topic>NSS -- multiple vulnerabilities</topic>
<affects>
<package>
<name>nss</name>
<range><lt>3.23</lt></range>
</package>
<package>
<name>linux-c6-nss</name>
<name>linux-c7-nss</name>
<range><lt>3.21.3</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.44</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-61/">
<p>Mozilla has updated the version of the Network Security
Services (NSS) library used in Firefox to NSS 3.23. This
addresses four moderate-rated networking security issues
reported by Mozilla engineers Tyson Smith and Jed Davis.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2834</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2016-61/</url>
<url>https://hg.mozilla.org/projects/nss/rev/1ba7cd83c672</url>
<url>https://hg.mozilla.org/projects/nss/rev/8d78a5ae260a</url>
<url>https://hg.mozilla.org/projects/nss/rev/5fde729fdbff</url>
<url>https://hg.mozilla.org/projects/nss/rev/329932eb1700</url>
</references>
<dates>
<discovery>2016-06-07</discovery>
<entry>2016-06-07</entry>
<modified>2016-11-23</modified>
</dates>
</vuln>
<vuln vid="8065d37b-8e7c-4707-a608-1b0a2b8509c3">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>47.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.44</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>45.2.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>45.2.0,2</lt></range>
</package>
<package>
<name>libxul</name>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>45.2.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox47">
<p>MFSA 2016-49 Miscellaneous memory safety hazards (rv:47.0 /
rv:45.2)</p>
<p>MFSA 2016-50 Buffer overflow parsing HTML5 fragments</p>
<p>MFSA 2016-51 Use-after-free deleting tables from a
contenteditable document</p>
<p>MFSA 2016-52 Addressbar spoofing through the SELECT element</p>
<p>MFSA 2016-54 Partial same-origin-policy through setting
location.host through data URI</p>
<p>MFSA 2016-56 Use-after-free when textures are used in WebGL
operations after recycle pool destruction</p>
<p>MFSA 2016-57 Incorrect icon displayed on permissions
notifications</p>
<p>MFSA 2016-58 Entering fullscreen and persistent pointerlock
without user permission</p>
<p>MFSA 2016-59 Information disclosure of disabled plugins
through CSS pseudo-classes</p>
<p>MFSA 2016-60 Java applets bypass CSP protections</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2815</cvename>
<cvename>CVE-2016-2818</cvename>
<cvename>CVE-2016-2819</cvename>
<cvename>CVE-2016-2821</cvename>
<cvename>CVE-2016-2822</cvename>
<cvename>CVE-2016-2825</cvename>
<cvename>CVE-2016-2828</cvename>
<cvename>CVE-2016-2829</cvename>
<cvename>CVE-2016-2831</cvename>
<cvename>CVE-2016-2832</cvename>
<cvename>CVE-2016-2833</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2016-49/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-50/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-51/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-52/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-54/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-56/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-57/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-58/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-59/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-60/</url>
</references>
<dates>
<discovery>2016-06-07</discovery>
<entry>2016-06-07</entry>
</dates>
</vuln>
<vuln vid="c039a761-2c29-11e6-8912-3065ec8fd3ec">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>51.0.2704.79</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2016/06/stable-channel-update.html">
<p>15 security fixes in this release, including:</p>
<ul>
<li>[601073] High CVE-2016-1696: Cross-origin bypass in Extension
bindings. Credit to anonymous.</li>
<li>[613266] High CVE-2016-1697: Cross-origin bypass in Blink.
Credit to Mariusz Mlynski.</li>
<li>[603725] Medium CVE-2016-1698: Information leak in Extension
bindings. Credit to Rob Wu.</li>
<li>[607939] Medium CVE-2016-1699: Parameter sanitization failure
in DevTools. Credit to Gregory Panakkal.</li>
<li>[608104] Medium CVE-2016-1700: Use-after-free in Extensions.
Credit to Rob Wu.</li>
<li>[608101] Medium CVE-2016-1701: Use-after-free in Autofill.
Credit to Rob Wu.</li>
<li>[609260] Medium CVE-2016-1702: Out-of-bounds read in Skia.
Credit to cloudfuzzer.</li>
<li>[616539] CVE-2016-1703: Various fixes from internal audits,
fuzzing and other initiatives.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1695</cvename>
<cvename>CVE-2016-1696</cvename>
<cvename>CVE-2016-1697</cvename>
<cvename>CVE-2016-1698</cvename>
<cvename>CVE-2016-1699</cvename>
<cvename>CVE-2016-1700</cvename>
<cvename>CVE-2016-1701</cvename>
<cvename>CVE-2016-1702</cvename>
<cvename>CVE-2016-1703</cvename>
<url>http://googlechromereleases.blogspot.nl/2016/06/stable-channel-update.html</url>
</references>
<dates>
<discovery>2016-06-01</discovery>
<entry>2016-06-06</entry>
</dates>
</vuln>
<vuln vid="bcbd3fe0-2b46-11e6-ae88-002590263bf5">
<topic>openafs -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openafs</name>
<range><lt>1.6.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenAFS development team reports:</p>
<blockquote cite="http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txt">
<p>Foreign users can bypass access controls to create groups as
system:administrators, including in the user namespace and the
system: namespace.</p>
</blockquote>
<blockquote cite="http://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt">
<p>The contents of uninitialized memory are sent on the wire when
clients perform certain RPCs. Depending on the RPC, the information
leaked may come from kernel memory or userspace.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2860</cvename>
<cvename>CVE-2016-4536</cvename>
<freebsdpr>ports/209534</freebsdpr>
<url>http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txt</url>
<url>http://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt</url>
</references>
<dates>
<discovery>2016-03-16</discovery>
<entry>2016-06-05</entry>
</dates>
</vuln>
<vuln vid="2e8fe57e-2b46-11e6-ae88-002590263bf5">
<topic>openafs -- local DoS vulnerability</topic>
<affects>
<package>
<name>openafs</name>
<range><lt>1.6.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenAFS development team reports:</p>
<blockquote cite="https://www.openafs.org/dl/1.6.16/RELNOTES-1.6.16">
<p>Avoid a potential denial of service issue, by fixing a bug in
pioctl logic that allowed a local user to overrun a kernel buffer
with a single NUL byte.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8312</cvename>
<url>https://www.openafs.org/dl/1.6.16/RELNOTES-1.6.16</url>
</references>
<dates>
<discovery>2016-03-16</discovery>
<entry>2016-06-05</entry>
</dates>
</vuln>
<vuln vid="0297b260-2b3b-11e6-ae88-002590263bf5">
<topic>ikiwiki -- XSS vulnerability</topic>
<affects>
<package>
<name>ikiwiki</name>
<range><lt>3.20160509</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mitre reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4561">
<p>Cross-site scripting (XSS) vulnerability in the cgierror function
in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers
to inject arbitrary web script or HTML via unspecified vectors
involving an error message.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4561</cvename>
<freebsdpr>ports/209593</freebsdpr>
</references>
<dates>
<discovery>2016-05-04</discovery>
<entry>2016-06-05</entry>
</dates>
</vuln>
<vuln vid="65bb1858-27de-11e6-b714-74d02b9a84d5">
<topic>h2o -- use after free on premature connection close</topic>
<affects>
<package>
<name>h2o</name>
<range><lt>1.7.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tim Newsham reports:</p>
<blockquote cite="http://h2o.examp1e.net/vulnerabilities.html">
<p>When H2O tries to disconnect a premature HTTP/2 connection, it
calls free(3) to release memory allocated for the connection and
immediately afterwards touches the memory. No malloc-related
operation is performed by the same thread between the time it calls
free and the time the memory is touched. Fixed by Frederik
Deweerdt.</p>
</blockquote>
</body>
</description>
<references>
<url>https://h2o.examp1e.net/vulnerabilities.html</url>
</references>
<dates>
<discovery>2016-05-17</discovery>
<entry>2016-06-01</entry>
</dates>
</vuln>
<vuln vid="36cf7670-2774-11e6-af29-f0def16c5c1b">
<topic>nginx -- a specially crafted request might result in worker process crash</topic>
<affects>
<package>
<name>nginx</name>
<range><ge>1.4.0</ge><lt>1.8.1_3,2</lt></range>
<range><ge>1.10.0,2</ge><lt>1.10.1,2</lt></range>
</package>
<package>
<name>nginx-devel</name>
<range><ge>1.3.9</ge><lt>1.9.15_1</lt></range>
<range><ge>1.10.0</ge><lt>1.11.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Maxim Dounin reports:</p>
<blockquote cite="http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html">
<p>A problem was identified in nginx code responsible for saving
client request body to a temporary file. A specially crafted
request might result in worker process crash due to a NULL
pointer dereference while writing client request body to a
temporary file.</p>
</blockquote>
</body>
</description>
<references>
<url>http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html</url>
<cvename>CVE-2016-4450</cvename>
</references>
<dates>
<discovery>2016-05-31</discovery>
<entry>2016-05-31</entry>
<modified>2016-06-05</modified>
</dates>
</vuln>
<vuln vid="6167b341-250c-11e6-a6fb-003048f2e514">
<topic>cacti -- multiple vulnerabilities</topic>
<affects>
<package>
<name>cacti</name>
<range><lt>0.8.8h</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Cacti Group, Inc. reports:</p>
<blockquote cite="http://www.cacti.net/release_notes_0_8_8h.php">
<p>Changelog</p>
<ul>
<li>bug:0002667: Cacti SQL Injection Vulnerability</li>
<li>bug:0002673: CVE-2016-3659 - Cacti graph_view.php SQL Injection
Vulnerability</li>
<li>bug:0002656: Authentication using web authentication as a user
not in the cacti database allows complete access (regression)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3659</cvename>
<url>http://www.cacti.net/release_notes_0_8_8h.php</url>
<url>http://bugs.cacti.net/view.php?id=2673</url>
<url>http://seclists.org/fulldisclosure/2016/Apr/4</url>
<url>http://packetstormsecurity.com/files/136547/Cacti-0.8.8g-SQL-Injection.html</url>
</references>
<dates>
<discovery>2016-04-04</discovery>
<entry>2016-05-28</entry>
</dates>
</vuln>
<vuln vid="b53bbf58-257f-11e6-9f4d-20cf30e32f6d">
<topic>openvswitch -- MPLS buffer overflow</topic>
<affects>
<package>
<name>openvswitch</name>
<range><ge>2.2.0</ge><lt>2.3.3</lt></range>
<range><ge>2.4.0</ge><lt>2.4.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Open vSwitch reports:</p>
<blockquote cite="http://openvswitch.org/pipermail/announce/2016-March/000082.html">
<p>Multiple versions of Open vSwitch are vulnerable to remote buffer
overflow attacks, in which crafted MPLS packets could overflow the
buffer reserved for MPLS labels in an OVS internal data structure.
The MPLS packets that trigger the vulnerability and the potential for
exploitation vary depending on version:</p>
<p>Open vSwitch 2.1.x and earlier are not vulnerable.</p>
<p>In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be
exploited for arbitrary remote code execution.</p>
<p>In Open vSwitch 2.4.x, the MPLS buffer overflow does not obviously lead
to a remote code execution exploit, but testing shows that it can allow a
remote denial of service. See the mitigation section for details.</p>
<p>Open vSwitch 2.5.x is not vulnerable.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2074</cvename>
<url>http://openvswitch.org/pipermail/announce/2016-March/000082.html</url>
<url>http://openvswitch.org/pipermail/announce/2016-March/000083.html</url>
</references>
<dates>
<discovery>2016-03-28</discovery>
<entry>2016-05-29</entry>
<modified>2016-07-03</modified>
</dates>
</vuln>
<vuln vid="1a6bbb95-24b8-11e6-bd31-3065ec8fd3ec">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>51.0.2704.63</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update_25.html">
<p>42 security fixes in this release</p>
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1672</cvename>
<cvename>CVE-2016-1673</cvename>
<cvename>CVE-2016-1674</cvename>
<cvename>CVE-2016-1675</cvename>
<cvename>CVE-2016-1677</cvename>
<cvename>CVE-2016-1678</cvename>
<cvename>CVE-2016-1679</cvename>
<cvename>CVE-2016-1680</cvename>
<cvename>CVE-2016-1681</cvename>
<cvename>CVE-2016-1682</cvename>
<cvename>CVE-2016-1685</cvename>
<cvename>CVE-2016-1686</cvename>
<cvename>CVE-2016-1687</cvename>
<cvename>CVE-2016-1688</cvename>
<cvename>CVE-2016-1689</cvename>
<cvename>CVE-2016-1690</cvename>
<cvename>CVE-2016-1691</cvename>
<cvename>CVE-2016-1692</cvename>
<cvename>CVE-2016-1693</cvename>
<cvename>CVE-2016-1694</cvename>
<cvename>CVE-2016-1695</cvename>
<url>http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update_25.html</url>
</references>
<dates>
<discovery>2016-05-25</discovery>
<entry>2016-05-28</entry>
<modified>2016-06-20</modified>
</dates>
</vuln>
<vuln vid="4dfafa16-24ba-11e6-bd31-3065ec8fd3ec">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>50.0.2661.102</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update.html">
<p>5 security fixes in this release, including:</p>
<ul>
<li>[605766] High CVE-2016-1667: Same origin bypass in DOM. Credit
to Mariusz Mlynski.</li>
<li>[605910] High CVE-2016-1668: Same origin bypass in Blink V8
bindings. Credit to Mariusz Mlynski.</li>
<li>[606115] High CVE-2016-1669: Buffer overflow in V8. Credit to
Choongwoo Han.</li>
<li>[578882] Medium CVE-2016-1670: Race condition in loader. Credit
to anonymous.</li>
<li>[586657] Medium CVE-2016-1671: Directory traversal using the
file scheme on Android. Credit to Jann Horn.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1667</cvename>
<cvename>CVE-2016-1668</cvename>
<cvename>CVE-2016-1669</cvename>
<cvename>CVE-2016-1670</cvename>
<cvename>CVE-2016-1671</cvename>
<url>http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update.html</url>
</references>
<dates>
<discovery>2016-05-11</discovery>
<entry>2016-05-28</entry>
</dates>
</vuln>
<vuln vid="7da1da96-24bb-11e6-bd31-3065ec8fd3ec">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>50.0.2661.94</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_28.html">
<p>9 security fixes in this release, including:</p>
<ul>
<li>[574802] High CVE-2016-1660: Out-of-bounds write in Blink.
Credit to Atte Kettunen of OUSPG.</li>
<li>[601629] High CVE-2016-1661: Memory corruption in cross-process
frames. Credit to Wadih Matar.</li>
<li>[603732] High CVE-2016-1662: Use-after-free in extensions.
Credit to Rob Wu.</li>
<li>[603987] High CVE-2016-1663: Use-after-free in Blink's V8
bindings. Credit to anonymous.</li>
<li>[597322] Medium CVE-2016-1664: Address bar spoofing. Credit to
Wadih Matar.</li>
<li>[606181] Medium CVE-2016-1665: Information leak in V8. Credit
to HyungSeok Han.</li>
<li>[607652] CVE-2016-1666: Various fixes from internal audits,
fuzzing and other initiatives.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1660</cvename>
<cvename>CVE-2016-1661</cvename>
<cvename>CVE-2016-1662</cvename>
<cvename>CVE-2016-1663</cvename>
<cvename>CVE-2016-1664</cvename>
<cvename>CVE-2016-1665</cvename>
<cvename>CVE-2016-1666</cvename>
<url>http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_28.html</url>
</references>
<dates>
<discovery>2016-04-28</discovery>
<entry>2016-05-28</entry>
</dates>
</vuln>
<vuln vid="6b110175-246d-11e6-8dd3-002590263bf5">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php70-gd</name>
<name>php70-intl</name>
<range><lt>7.0.7</lt></range>
</package>
<package>
<name>php56</name>
<name>php56-gd</name>
<range><lt>5.6.22</lt></range>
</package>
<package>
<name>php55</name>
<name>php55-gd</name>
<name>php55-phar</name>
<range><lt>5.5.36</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP Group reports:</p>
<blockquote cite="http://php.net/ChangeLog-5.php#5.5.36">
<ul><li>Core:
<ul>
<li>Fixed bug #72114 (Integer underflow / arbitrary null write in
fread/gzread). (CVE-2016-5096) (PHP 5.5/5.6 only)</li>
<li>Fixed bug #72135 (Integer Overflow in php_html_entities).
(CVE-2016-5094) (PHP 5.5/5.6 only)</li>
</ul></li>
<li>GD:
<ul>
<li>Fixed bug #72227 (imagescale out-of-bounds read).
(CVE-2013-7456)</li>
</ul></li>
<li>Intl:
<ul>
<li>Fixed bug #72241 (get_icu_value_internal out-of-bounds read).
(CVE-2016-5093)</li>
</ul></li>
<li>Phar:
<ul>
<li>Fixed bug #71331 (Uninitialized pointer in
phar_make_dirstream()). (CVE-2016-4343) (PHP 5.5 only)</li>
</ul></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-5096</cvename>
<cvename>CVE-2016-5094</cvename>
<cvename>CVE-2013-7456</cvename>
<cvename>CVE-2016-5093</cvename>
<cvename>CVE-2016-4343</cvename>
<freebsdpr>ports/209779</freebsdpr>
<url>http://php.net/ChangeLog-7.php#7.0.7</url>
<url>http://php.net/ChangeLog-5.php#5.6.22</url>
<url>http://php.net/ChangeLog-5.php#5.5.36</url>
</references>
<dates>
<discovery>2016-05-26</discovery>
<entry>2016-05-28</entry>
</dates>
</vuln>
<vuln vid="00ec1be1-22bb-11e6-9ead-6805ca0b3d42">
<topic>phpmyadmin -- XSS and sensitive data leakage</topic>
<affects>
<package>
<name>phpmyadmin</name>
<range><ge>4.6.0</ge><lt>4.6.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpmyadmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-14/">
<h2>Description</h2>
<p>Because user SQL queries are part of the URL, sensitive
information made as part of a user query can be exposed by
clicking on external links to attackers monitoring user GET
query parameters or included in the webserver logs.</p>
<h2>Severity</h2>
<p>We consider this to be non-critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-16/">
<h2>Description</h2>
<p>A specially crafted attack could allow for special HTML
characters to be passed as URL encoded values and displayed
back as special characters in the page.</p>
<h2>Severity</h2>
<p>We consider this to be non-critical.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2016-14/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-16/</url>
<cvename>CVE-2016-5097</cvename>
<cvename>CVE-2016-5099</cvename>
</references>
<dates>
<discovery>2016-05-25</discovery>
<entry>2016-05-25</entry>
<modified>2016-05-26</modified>
</dates>
</vuln>
<vuln vid="b50f53ce-2151-11e6-8dd3-002590263bf5">
<topic>mediawiki -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mediawiki123</name>
<range><lt>1.23.14</lt></range>
</package>
<package>
<name>mediawiki124</name>
<range><le>1.24.6</le></range>
</package>
<package>
<name>mediawiki125</name>
<range><lt>1.25.6</lt></range>
</package>
<package>
<name>mediawiki126</name>
<range><lt>1.26.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mediawiki reports:</p>
<blockquote cite="https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html">
<p>Security fixes:</p>
<p>T122056: Old tokens are remaining valid within a new session</p>
<p>T127114: Login throttle can be tricked using non-canonicalized
usernames</p>
<p>T123653: Cross-domain policy regexp is too narrow</p>
<p>T123071: Incorrectly identifying http link in a's href
attributes, due to m modifier in regex</p>
<p>T129506: MediaWiki:Gadget-popups.js isn't renderable</p>
<p>T125283: Users occasionally logged in as different users after
SessionManager deployment</p>
<p>T103239: Patrol allows click catching and patrolling of any
page</p>
<p>T122807: [tracking] Check php crypto primitives</p>
<p>T98313: Graphs can leak tokens, leading to CSRF</p>
<p>T130947: Diff generation should use PoolCounter</p>
<p>T133507: Careless use of $wgExternalLinkTarget is insecure</p>
<p>T132874: API action=move is not rate limited</p>
</blockquote>
</body>
</description>
<references>
<url>https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-May/000188.html</url>
</references>
<dates>
<discovery>2016-05-20</discovery>
<entry>2016-05-24</entry>
</dates>
</vuln>
<vuln vid="967b852b-1e28-11e6-8dd3-002590263bf5">
<topic>hostapd and wpa_supplicant -- psk configuration parameter update allowing arbitrary data to be written</topic>
<affects>
<package>
<name>wpa_supplicant</name>
<range><lt>2.5_2</lt></range>
</package>
<package>
<name>hostapd</name>
<range><lt>2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jouni Malinen reports:</p>
<blockquote cite="http://w1.fi/security/2016-1/psk-parameter-config-update.txt">
<p>psk configuration parameter update allowing arbitrary data to be
written (2016-1 - CVE-2016-4476/CVE-2016-4477).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4476</cvename>
<cvename>CVE-2016-4477</cvename>
<freebsdpr>ports/209564</freebsdpr>
<url>http://w1.fi/security/2016-1/psk-parameter-config-update.txt</url>
</references>
<dates>
<discovery>2016-05-02</discovery>
<entry>2016-05-20</entry>
<modified>2017-03-22</modified>
</dates>
</vuln>
<vuln vid="57b3aba7-1e25-11e6-8dd3-002590263bf5">
<topic>expat -- denial of service vulnerability on malformed input</topic>
<affects>
<package>
<name>expat</name>
<range><lt>2.1.1</lt></range>
</package>
<package>
<name>linux-c6-expat</name>
<range><lt>2.0.1_3</lt></range>
</package>
<package>
<name>linux-c7-expat</name>
<range><lt>2.1.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Grieco reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/05/17/12">
<p>The Expat XML parser mishandles certain kinds of malformed input
documents, resulting in buffer overflows during processing and error
reporting. The overflows can manifest as a segmentation fault or as
memory corruption during a parse operation. The bugs allow for a
denial of service attack in many applications by an unauthenticated
attacker, and could conceivably result in remote code execution.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-0718</cvename>
<freebsdpr>ports/209360</freebsdpr>
<url>http://www.openwall.com/lists/oss-security/2016/05/17/12</url>
</references>
<dates>
<discovery>2016-05-17</discovery>
<entry>2016-05-20</entry>
<modified>2016-11-30</modified>
</dates>
</vuln>
<vuln vid="036d6c38-1c5b-11e6-b9e0-20cf30e32f6d">
<topic>Bugzilla security issues</topic>
<affects>
<package>
<name>bugzilla44</name>
<range><lt>4.4.12</lt></range>
</package>
<package>
<name>bugzilla50</name>
<range><lt>5.0.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Bugzilla Security Advisory</p>
<blockquote cite="https://www.bugzilla.org/security/4.4.11/">
<p>A specially crafted bug summary could trigger XSS in dependency graphs.
Due to an incorrect parsing of the image map generated by the dot script,
a specially crafted bug summary could trigger XSS in dependency graphs.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2803</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=1253263</url>
</references>
<dates>
<discovery>2016-03-03</discovery>
<entry>2016-05-17</entry>
</dates>
</vuln>
<vuln vid="0dc8be9e-19af-11e6-8de0-080027ef73ec">
<topic>OpenVPN -- Buffer overflow in PAM authentication and DoS through port sharing</topic>
<affects>
<package>
<name>openvpn</name>
<range><lt>2.3.11</lt></range>
</package>
<package>
<name>openvpn-polarssl</name>
<range><lt>2.3.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samuli Seppänen reports:</p>
<blockquote cite="https://sourceforge.net/p/openvpn/mailman/message/35076507/">
<p>OpenVPN 2.3.11 [...] fixes two vulnerabilities: a port-share bug
with DoS potential and a buffer overflow by user supplied data when
using pam authentication. [...]</p>
</blockquote>
</body>
</description>
<references>
<url>https://sourceforge.net/p/openvpn/mailman/message/35076507/</url>
<url>https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11</url>
</references>
<dates>
<discovery>2016-03-03</discovery>
<entry>2016-05-14</entry>
</dates>
</vuln>
<vuln vid="82b702e0-1907-11e6-857b-00221503d280">
<topic>imagemagick -- buffer overflow</topic>
<affects>
<package>
<name>ImageMagick</name>
<name>ImageMagick-nox11</name>
<range><lt>6.9.4.1,1</lt></range>
</package>
<package>
<name>ImageMagick7</name>
<name>ImageMagick7-nox11</name>
<range><ge>7.0.0.0.b20150715</ge><lt>7.0.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ImageMagick reports:</p>
<blockquote cite="http://legacy.imagemagick.org/script/changelog.php">
<p>Fix a buffer overflow in magick/drag.c/DrawStrokePolygon().</p>
</blockquote>
</body>
</description>
<references>
<url>http://legacy.imagemagick.org/script/changelog.php</url>
</references>
<dates>
<discovery>2016-05-09</discovery>
<entry>2016-05-13</entry>
</dates>
</vuln>
<vuln vid="e387834a-17ef-11e6-9947-7054d2909b71">
<topic>jenkins -- multiple vulnerabilities</topic>
<affects>
<package>
<name>jenkins</name>
<range><le>2.2</le></range>
</package>
<package>
<name>jenkins2</name>
<range><le>2.2</le></range>
</package>
<package>
<name>jenkins-lts</name>
<range><le>1.651.1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11">
<h1>Description</h1>
<h5>SECURITY-170 / CVE-2016-3721</h5>
<p>Arbitrary build parameters are passed to build scripts as environment variables</p>
<h5>SECURITY-243 / CVE-2016-3722</h5>
<p>Malicious users with multiple user accounts can prevent other users from logging in</p>
<h5>SECURITY-250 / CVE-2016-3723</h5>
<p>Information on installed plugins exposed via API</p>
<h5>SECURITY-266 / CVE-2016-3724</h5>
<p>Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration</p>
<h5>SECURITY-273 / CVE-2016-3725</h5>
<p>Regular users can trigger download of update site metadata</p>
<h5>SECURITY-276 / CVE-2016-3726</h5>
<p>Open redirect to scheme-relative URLs</p>
<h5>SECURITY-281 / CVE-2016-3727</h5>
<p>Granting the permission to read node configurations allows access to overall system configuration</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3721</cvename>
<cvename>CVE-2016-3722</cvename>
<cvename>CVE-2016-3723</cvename>
<cvename>CVE-2016-3724</cvename>
<cvename>CVE-2016-3725</cvename>
<cvename>CVE-2016-3726</cvename>
<cvename>CVE-2016-3727</cvename>
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11</url>
</references>
<dates>
<discovery>2016-05-11</discovery>
<entry>2016-05-12</entry>
</dates>
</vuln>
<vuln vid="d9f99491-1656-11e6-94fa-002590263bf5">
<topic>perl5 -- taint mechanism bypass vulnerability</topic>
<affects>
<package>
<name>perl5</name>
<range><lt>5.18.4_21</lt></range>
<range><ge>5.20.0</ge><lt>5.20.3_12</lt></range>
<range><ge>5.22.0</ge><lt>5.22.1_8</lt></range>
</package>
<package>
<name>perl5.18</name>
<range><ge>5.18.0</ge><lt>5.18.4_21</lt></range>
</package>
<package>
<name>perl5.20</name>
<range><ge>5.20.0</ge><lt>5.20.3_12</lt></range>
</package>
<package>
<name>perl5.22</name>
<range><ge>5.22.0</ge><lt>5.22.1_8</lt></range>
</package>
<package>
<name>perl</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2381">
<p>Perl might allow context-dependent attackers to bypass the taint
protection mechanism in a child process via duplicate environment
variables in envp.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2381</cvename>
<freebsdpr>ports/208879</freebsdpr>
</references>
<dates>
<discovery>2016-04-08</discovery>
<entry>2016-05-10</entry>
<modified>2016-08-22</modified>
</dates>
</vuln>
<vuln vid="3686917b-164d-11e6-94fa-002590263bf5">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.5.2,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>ja-wordpress</name>
<name>ru-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.5.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Helen Hou-Sandi reports:</p>
<blockquote cite="https://wordpress.org/news/2016/05/wordpress-4-5-2/">
<p>WordPress 4.5.2 is now available. This is a security release for
all previous versions and we strongly encourage you to update your
sites immediately.</p>
<p>WordPress versions 4.5.1 and earlier are affected by a SOME
vulnerability through Plupload, the third-party library WordPress
uses for uploading files. WordPress versions 4.2 through 4.5.1 are
vulnerable to reflected XSS using specially crafted URIs through
MediaElement.js, the third-party library used for media players.
MediaElement.js and Plupload have also released updates fixing
these issues.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4566</cvename>
<cvename>CVE-2016-4567</cvename>
<url>https://wordpress.org/news/2016/05/wordpress-4-5-2/</url>
<url>http://www.openwall.com/lists/oss-security/2016/05/07/7</url>
</references>
<dates>
<discovery>2016-05-06</discovery>
<entry>2016-05-10</entry>
</dates>
</vuln>
<vuln vid="2b4c8e1f-1609-11e6-b55e-b499baebfeaf">
<topic>libarchive -- RCE vulnerability</topic>
<affects>
<package>
<name>libarchive</name>
<range><lt>3.2.0,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The libarchive project reports:</p>
<blockquote cite="https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7">
<p>Heap-based buffer overflow in the zip_read_mac_metadata function
in archive_read_support_format_zip.c in libarchive before 3.2.0
allows remote attackers to execute arbitrary code via crafted
entry-size values in a ZIP archive.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1541</cvename>
<url>https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7</url>
</references>
<dates>
<discovery>2016-05-01</discovery>
<entry>2016-05-09</entry>
<modified>2016-05-10</modified>
</dates>
</vuln>
<vuln vid="25e5205b-1447-11e6-9ead-6805ca0b3d42">
<topic>squid -- multiple vulnerabilities</topic>
<affects>
<package>
<name>squid</name>
<range><ge>3.0.0</ge><lt>3.5.18</lt></range>
</package>
<package>
<name>squid-devel</name>
<range><ge>4.0.0</ge><lt>4.0.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The squid development team reports:</p>
<p>Please refer to the CVE and URL list below for details.</p>
</body>
</description>
<references>
<cvename>CVE-2016-4553</cvename>
<cvename>CVE-2016-4554</cvename>
<cvename>CVE-2016-4555</cvename>
<cvename>CVE-2016-4556</cvename>
<url>http://www.squid-cache.org/Advisories/SQUID-2016_7.txt</url>
<url>http://www.squid-cache.org/Advisories/SQUID-2016_8.txt</url>
<url>http://www.squid-cache.org/Advisories/SQUID-2016_9.txt</url>
</references>
<dates>
<discovery>2016-05-06</discovery>
<entry>2016-05-07</entry>
<modified>2016-05-09</modified>
</dates>
</vuln>
<vuln vid="0d724b05-687f-4527-9c03-af34d3b094ec">
<topic>ImageMagick -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ImageMagick</name>
<name>ImageMagick-nox11</name>
<range><lt>6.9.3.9_1,1</lt></range>
</package>
<package>
<name>ImageMagick7</name>
<name>ImageMagick7-nox11</name>
<range><ge>7.0.0.0.b20150715</ge><lt>7.0.1.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Openwall reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/05/03/18">
<p>Insufficient filtering for filename passed to delegate's command
allows remote code execution during conversion of several file
formats. Any service which uses ImageMagick to process user
supplied images and uses default delegates.xml / policy.xml,
may be vulnerable to this issue.</p>
<p>It is possible to make ImageMagick perform an HTTP GET or FTP
request.</p>
<p>It is possible to delete files by using ImageMagick's 'ephemeral'
pseudo protocol which deletes files after reading.</p>
<p>It is possible to move image files to a file with any extension
in any folder by using ImageMagick's 'msl' pseudo protocol.
msl.txt and image.gif should exist in a known location - /tmp/
for the PoC (in real life it may be a web service written in PHP,
which allows uploading raw txt files and processing images with
ImageMagick).</p>
<p>It is possible to get content of the files from the server
by using ImageMagick's 'label' pseudo protocol.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3714</cvename>
<cvename>CVE-2016-3715</cvename>
<cvename>CVE-2016-3716</cvename>
<cvename>CVE-2016-3717</cvename>
<cvename>CVE-2016-3718</cvename>
<url>http://www.openwall.com/lists/oss-security/2016/05/03/18</url>
<url>https://imagetragick.com/</url>
</references>
<dates>
<discovery>2016-05-03</discovery>
<entry>2016-05-06</entry>
<modified>2016-05-07</modified>
</dates>
</vuln>
<vuln vid="a6cd01fa-11bd-11e6-bb3c-9cb654ea3e1c">
<topic>jansson -- local denial of service vulnerabilities</topic>
<affects>
<package>
<name>jansson</name>
<range><lt>2.7_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>QuickFuzz reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/05/01/5">
<p>A crash caused by stack exhaustion parsing a JSON was found.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2016/05/01/5</url>
<url>http://www.openwall.com/lists/oss-security/2016/05/02/1</url>
<cvename>CVE-2016-4425</cvename>
</references>
<dates>
<discovery>2016-05-01</discovery>
<entry>2016-05-04</entry>
</dates>
</vuln>
<vuln vid="01d729ca-1143-11e6-b55e-b499baebfeaf">
<topic>OpenSSL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.2_11</lt></range>
</package>
<package>
<name>linux-c6-openssl</name>
<range><lt>1.0.1e_8</lt></range>
</package>
<package>
<name>libressl</name>
<range><ge>2.3.0</ge><lt>2.3.4</lt></range>
<range><lt>2.2.7</lt></range>
</package>
<package>
<name>libressl-devel</name>
<range><lt>2.3.4</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.3</ge><lt>10.3_2</lt></range>
<range><ge>10.2</ge><lt>10.2_16</lt></range>
<range><ge>10.1</ge><lt>10.1_33</lt></range>
<range><ge>9.3</ge><lt>9.3_41</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL reports:</p>
<blockquote cite="https://www.openssl.org/news/secadv/20160503.txt">
<p>Memory corruption in the ASN.1 encoder</p>
<p>Padding oracle in AES-NI CBC MAC check</p>
<p>EVP_EncodeUpdate overflow</p>
<p>EVP_EncryptUpdate overflow</p>
<p>ASN.1 BIO excessive memory allocation</p>
<p>EBCDIC overread (OpenSSL only)</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.openssl.org/news/secadv/20160503.txt</url>
<url>https://marc.info/?l=openbsd-tech&m=146228598730414</url>
<cvename>CVE-2016-2105</cvename>
<cvename>CVE-2016-2106</cvename>
<cvename>CVE-2016-2107</cvename>
<cvename>CVE-2016-2108</cvename>
<cvename>CVE-2016-2109</cvename>
<cvename>CVE-2016-2176</cvename>
<freebsdsa>SA-16:17.openssl</freebsdsa>
</references>
<dates>
<discovery>2016-05-03</discovery>
<entry>2016-05-03</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="95564990-1138-11e6-b55e-b499baebfeaf">
<cancelled superseded="01d729ca-1143-11e6-b55e-b499baebfeaf"/>
</vuln>
<vuln vid="be72e773-1131-11e6-94fa-002590263bf5">
<topic>gitlab -- privilege escalation via "impersonate" feature</topic>
<affects>
<package>
<name>gitlab</name>
<range><ge>8.2.0</ge><lt>8.2.5</lt></range>
<range><ge>8.3.0</ge><lt>8.3.9</lt></range>
<range><ge>8.4.0</ge><lt>8.4.10</lt></range>
<range><ge>8.5.0</ge><lt>8.5.12</lt></range>
<range><ge>8.6.0</ge><lt>8.6.8</lt></range>
<range><ge>8.7.0</ge><lt>8.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GitLab reports:</p>
<blockquote cite="https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/">
<p>During an internal code review, we discovered a critical security
flaw in the "impersonate" feature of GitLab. Added in GitLab 8.2,
this feature was intended to allow an administrator to simulate
being logged in as any other user.</p>
<p>A part of this feature was not properly secured and it was possible
for any authenticated user, administrator or not, to "log in" as any
other user, including administrators. Please see the issue for more
details.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4340</cvename>
<freebsdpr>ports/209225</freebsdpr>
<url>https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/</url>
<url>https://gitlab.com/gitlab-org/gitlab-ce/issues/15548</url>
</references>
<dates>
<discovery>2016-05-02</discovery>
<entry>2016-05-03</entry>
</dates>
</vuln>
<vuln vid="5764c634-10d2-11e6-94fa-002590263bf5">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php70</name>
<name>php70-bcmath</name>
<name>php70-exif</name>
<name>php70-gd</name>
<name>php70-xml</name>
<range><lt>7.0.6</lt></range>
</package>
<package>
<name>php56</name>
<name>php56-bcmath</name>
<name>php56-exif</name>
<name>php56-gd</name>
<name>php56-xml</name>
<range><lt>5.6.21</lt></range>
</package>
<package>
<name>php55</name>
<name>php55-bcmath</name>
<name>php55-exif</name>
<name>php55-gd</name>
<name>php55-xml</name>
<range><lt>5.5.35</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP Group reports:</p>
<blockquote cite="http://www.php.net/ChangeLog-5.php#5.5.35">
<ul><li>BCMath:
<ul>
<li>Fixed bug #72093 (bcpowmod accepts negative scale and corrupts
_one_ definition).</li>
</ul></li>
<li>Exif:
<ul>
<li>Fixed bug #72094 (Out of bounds heap read access in exif header
processing).</li>
</ul></li>
<li>GD:
<ul>
<li>Fixed bug #71912 (libgd: signedness vulnerability).
(CVE-2016-3074)</li>
</ul></li>
<li>Intl:
<ul>
<li>Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos
with negative offset).</li>
</ul></li>
<li>XML:
<ul>
<li>Fixed bug #72099 (xml_parse_into_struct segmentation fault).
</li>
</ul></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3074</cvename>
<freebsdpr>ports/209145</freebsdpr>
<url>http://www.php.net/ChangeLog-7.php#7.0.6</url>
<url>http://www.php.net/ChangeLog-5.php#5.6.21</url>
<url>http://www.php.net/ChangeLog-5.php#5.5.35</url>
</references>
<dates>
<discovery>2016-04-28</discovery>
<entry>2016-05-03</entry>
</dates>
</vuln>
<vuln vid="a1134048-10c6-11e6-94fa-002590263bf5">
<topic>libksba -- local denial of service vulnerabilities</topic>
<affects>
<package>
<name>libksba</name>
<range><lt>1.3.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Martin Prpic, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/04/29/5">
<p>Denial of Service due to stack overflow in src/ber-decoder.c.</p>
<p>Integer overflow in the BER decoder src/ber-decoder.c.</p>
<p>Integer overflow in the DN decoder src/dn.c.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4353</cvename>
<cvename>CVE-2016-4354</cvename>
<cvename>CVE-2016-4355</cvename>
<cvename>CVE-2016-4356</cvename>
<url>http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=07116a314f4dcd4d96990bbd74db95a03a9f650a</url>
<url>http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=aea7b6032865740478ca4b706850a5217f1c3887</url>
<url>http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=243d12fdec66a4360fbb3e307a046b39b5b4ffc3</url>
<url>https://security.gentoo.org/glsa/201604-04</url>
<mlist>http://www.openwall.com/lists/oss-security/2016/04/29/5</mlist>
</references>
<dates>
<discovery>2015-04-08</discovery>
<entry>2016-05-03</entry>
</dates>
</vuln>
<vuln vid="7e36c369-10c0-11e6-94fa-002590263bf5">
<topic>wireshark -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wireshark</name>
<name>wireshark-lite</name>
<name>wireshark-qt5</name>
<name>tshark</name>
<name>tshark-lite</name>
<range><lt>2.0.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Wireshark development team reports:</p>
<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.3.html">
<p>The following vulnerabilities have been fixed:</p>
<ul>
<li><p>wnpa-sec-2016-19</p>
<p>The NCP dissector could crash. (Bug 11591)</p></li>
<li><p>wnpa-sec-2016-20</p>
<p>TShark could crash due to a packet reassembly bug. (Bug 11799)
</p></li>
<li><p>wnpa-sec-2016-21</p>
<p>The IEEE 802.11 dissector could crash. (Bug 11824, Bug 12187)
</p></li>
<li><p>wnpa-sec-2016-22</p>
<p>The PKTC dissector could crash. (Bug 12206)</p></li>
<li><p>wnpa-sec-2016-23</p>
<p>The PKTC dissector could crash. (Bug 12242)</p></li>
<li><p>wnpa-sec-2016-24</p>
<p>The IAX2 dissector could go into an infinite loop. (Bug
12260)</p></li>
<li><p>wnpa-sec-2016-25</p>
<p>Wireshark and TShark could exhaust the stack. (Bug 12268)</p>
</li>
<li><p>wnpa-sec-2016-26</p>
<p>The GSM CBCH dissector could crash. (Bug 12278)</p></li>
<li><p>wnpa-sec-2016-27</p>
<p>MS-WSP dissector crash. (Bug 12341)</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4076</cvename>
<cvename>CVE-2016-4077</cvename>
<cvename>CVE-2016-4078</cvename>
<cvename>CVE-2016-4079</cvename>
<cvename>CVE-2016-4080</cvename>
<cvename>CVE-2016-4081</cvename>
<cvename>CVE-2016-4006</cvename>
<cvename>CVE-2016-4082</cvename>
<cvename>CVE-2016-4083</cvename>
<cvename>CVE-2016-4084</cvename>
<url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.3.html</url>
<url>http://www.openwall.com/lists/oss-security/2016/04/25/2</url>
</references>
<dates>
<discovery>2016-04-22</discovery>
<entry>2016-05-02</entry>
<modified>2016-07-04</modified>
</dates>
</vuln>
<vuln vid="78abc022-0fee-11e6-9a1c-0014a5a57822">
<topic>mercurial -- arbitrary code execution vulnerability</topic>
<affects>
<package>
<name>mercurial</name>
<range><lt>3.8.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mercurial reports:</p>
<blockquote cite="https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.8_.2F_3.8.1_.282016-5-1.29">
<p>CVE-2016-3105: Arbitrary code execution when converting
Git repos</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3105</cvename>
<url>https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.8_.2F_3.8.1_.282016-5-1.29</url>
</references>
<dates>
<discovery>2016-05-01</discovery>
<entry>2016-05-01</entry>
</dates>
</vuln>
<vuln vid="8c2b2f11-0ebe-11e6-b55e-b499baebfeaf">
<topic>MySQL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mariadb55-server</name>
<range><lt>5.5.49</lt></range>
</package>
<package>
<name>mariadb100-server</name>
<range><lt>10.0.25</lt></range>
</package>
<package>
<name>mariadb101-server</name>
<range><lt>10.1.12</lt></range>
</package>
<package>
<name>mysql55-server</name>
<range><lt>5.5.49</lt></range>
</package>
<package>
<name>mysql56-server</name>
<range><lt>5.6.30</lt></range>
</package>
<package>
<name>mysql57-server</name>
<range><lt>5.7.12</lt></range>
</package>
<package>
<name>percona55-server</name>
<range><lt>5.5.49</lt></range>
</package>
<package>
<name>percona-server</name>
<range><lt>5.6.30</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Oracle reports:</p>
<blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html#AppendixMSQL">
<p>Critical Patch Update contains 31 new security fixes for Oracle MySQL
5.5.48, 5.6.29, 5.7.11 and earlier.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html#AppendixMSQL</url>
<url>https://mariadb.com/kb/en/mariadb/mariadb-5549-release-notes/</url>
<url>https://mariadb.com/kb/en/mariadb/mariadb-10025-release-notes/</url>
<url>https://mariadb.com/kb/en/mariadb/mariadb-10112-release-notes/</url>
<cvename>CVE-2016-0705</cvename>
<cvename>CVE-2016-0639</cvename>
<cvename>CVE-2015-3194</cvename>
<cvename>CVE-2016-0640</cvename>
<cvename>CVE-2016-0641</cvename>
<cvename>CVE-2016-3461</cvename>
<cvename>CVE-2016-2047</cvename>
<cvename>CVE-2016-0642</cvename>
<cvename>CVE-2016-0643</cvename>
<cvename>CVE-2016-0644</cvename>
<cvename>CVE-2016-0646</cvename>
<cvename>CVE-2016-0647</cvename>
<cvename>CVE-2016-0648</cvename>
<cvename>CVE-2016-0649</cvename>
<cvename>CVE-2016-0650</cvename>
<cvename>CVE-2016-0652</cvename>
<cvename>CVE-2016-0653</cvename>
<cvename>CVE-2016-0654</cvename>
<cvename>CVE-2016-0655</cvename>
<cvename>CVE-2016-0656</cvename>
<cvename>CVE-2016-0657</cvename>
<cvename>CVE-2016-0658</cvename>
<cvename>CVE-2016-0651</cvename>
<cvename>CVE-2016-0659</cvename>
<cvename>CVE-2016-0661</cvename>
<cvename>CVE-2016-0662</cvename>
<cvename>CVE-2016-0663</cvename>
<cvename>CVE-2016-0665</cvename>
<cvename>CVE-2016-0666</cvename>
<cvename>CVE-2016-0667</cvename>
<cvename>CVE-2016-0668</cvename>
</references>
<dates>
<discovery>2016-04-19</discovery>
<entry>2016-04-30</entry>
</dates>
</vuln>
<vuln vid="f2d4f879-0d7c-11e6-925f-6805ca0b3d42">
<topic>logstash -- password disclosure vulnerability</topic>
<affects>
<package>
<name>logstash</name>
<range><ge>2.1.0</ge><lt>2.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Logstash developers report:</p>
<blockquote cite="https://www.elastic.co/blog/logstash-2.3.1-and-2.2.4-released#Passwords_Printed_in_Log_Files_under_Some_Conditions_18">
<h2>Passwords Printed in Log Files under Some Conditions</h2>
<p>It was discovered that, in Logstash 2.1.0+, log messages
generated by a stalled pipeline during shutdown will print
plaintext contents of password fields. While investigating
this issue we also discovered that debug logging has
included this data for quite some time. Our latest releases
fix both leaks. You will want to scrub old log files if this
is of particular concern to you. This was fixed in issue
#4965.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.elastic.co/blog/logstash-2.3.1-and-2.2.4-released#Passwords_Printed_in_Log_Files_under_Some_Conditions_18</url>
<url>https://github.com/elastic/logstash/pull/4965</url>
</references>
<dates>
<discovery>2016-04-01</discovery>
<entry>2016-04-28</entry>
</dates>
</vuln>
<vuln vid="c8174b63-0d3a-11e6-b06e-d43d7eed0ce2">
<topic>subversion -- multiple vulnerabilities</topic>
<affects>
<package>
<name>subversion</name>
<range><ge>1.9.0</ge><lt>1.9.4</lt></range>
<range><ge>1.0.0</ge><lt>1.8.15</lt></range>
</package>
<package>
<name>subversion18</name>
<range><ge>1.0.0</ge><lt>1.8.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Subversion project reports:</p>
<blockquote cite="http://subversion.apache.org/security/CVE-2016-2167-advisory.txt">
<p>svnserve, the svn:// protocol server, can optionally use the Cyrus
SASL library for authentication, integrity protection, and encryption.
Due to a programming oversight, authentication against Cyrus SASL
would permit the remote user to specify a realm string which is
a prefix of the expected realm string.</p>
</blockquote>
<blockquote cite="http://subversion.apache.org/security/CVE-2016-2168-advisory.txt">
<p>Subversion's httpd servers are vulnerable to a remotely triggerable crash
in the mod_authz_svn module. The crash can occur during an authorization
check for a COPY or MOVE request with a specially crafted header value.</p>
<p>This allows remote attackers to cause a denial of service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2167</cvename>
<url>http://subversion.apache.org/security/CVE-2016-2167-advisory.txt</url>
<cvename>CVE-2016-2168</cvename>
<url>http://subversion.apache.org/security/CVE-2016-2168-advisory.txt</url>
</references>
<dates>
<discovery>2016-04-21</discovery>
<entry>2016-04-28</entry>
</dates>
</vuln>
<vuln vid="b2487d9a-0c30-11e6-acd0-d050996490d0">
<topic>ntp -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ntp</name>
<range><lt>4.2.8p7</lt></range>
</package>
<package>
<name>ntp-devel</name>
<range><lt>4.3.92</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.3</ge><lt>10.3_1</lt></range>
<range><ge>10.2</ge><lt>10.2_15</lt></range>
<range><ge>10.1</ge><lt>10.1_32</lt></range>
<range><ge>9.3</ge><lt>9.3_40</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Network Time Foundation reports:</p>
<blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security">
<p>NTF's NTP Project has been notified of the following low-
and medium-severity vulnerabilities that are fixed in
ntp-4.2.8p7, released on Tuesday, 26 April 2016:</p>
<ul>
<li>Bug 3020 / CVE-2016-1551: Refclock impersonation
vulnerability, AKA: refclock-peering. Reported by
Matt Street and others of Cisco ASIG</li>
<li>Bug 3012 / CVE-2016-1549: Sybil vulnerability:
ephemeral association attack, AKA: ntp-sybil -
MITIGATION ONLY. Reported by Matthew Van Gundy
of Cisco ASIG</li>
<li>Bug 3011 / CVE-2016-2516: Duplicate IPs on
unconfig directives will cause an assertion botch.
Reported by Yihan Lian of the Cloud Security Team,
Qihoo 360</li>
<li>Bug 3010 / CVE-2016-2517: Remote configuration
trustedkey/requestkey values are not properly
validated. Reported by Yihan Lian of the Cloud
Security Team, Qihoo 360</li>
<li>Bug 3009 / CVE-2016-2518: Crafted addpeer with
hmode > 7 causes array wraparound with MATCH_ASSOC.
Reported by Yihan Lian of the Cloud Security Team,
Qihoo 360</li>
<li>Bug 3008 / CVE-2016-2519: ctl_getitem() return
value not always checked. Reported by Yihan Lian
of the Cloud Security Team, Qihoo 360</li>
<li>Bug 3007 / CVE-2016-1547: Validate crypto-NAKs,
AKA: nak-dos. Reported by Stephen Gray and
Matthew Van Gundy of Cisco ASIG</li>
<li>Bug 2978 / CVE-2016-1548: Interleave-pivot -
MITIGATION ONLY. Reported by Miroslav Lichvar of
RedHat and separately by Jonathan Gardner of
Cisco ASIG.</li>
<li>Bug 2952 / CVE-2015-7704: KoD fix: peer
associations were broken by the fix for
NtpBug2901, AKA: Symmetric active/passive mode
is broken. Reported by Michael Tatarinov,
NTP Project Developer Volunteer</li>
<li>Bug 2945 / Bug 2901 / CVE-2015-8138: Zero
Origin Timestamp Bypass, AKA: Additional KoD Checks.
Reported by Jonathan Gardner of Cisco ASIG</li>
<li>Bug 2879 / CVE-2016-1550: Improve NTP security
against buffer comparison timing attacks,
authdecrypt-timing, AKA: authdecrypt-timing.
Reported independently by Loganaden Velvindron,
and Matthew Van Gundy and Stephen Gray of
Cisco ASIG.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-16:16.ntp</freebsdsa>
<cvename>CVE-2015-7704</cvename>
<cvename>CVE-2015-8138</cvename>
<cvename>CVE-2016-1547</cvename>
<cvename>CVE-2016-1548</cvename>
<cvename>CVE-2016-1549</cvename>
<cvename>CVE-2016-1550</cvename>
<cvename>CVE-2016-1551</cvename>
<cvename>CVE-2016-2516</cvename>
<cvename>CVE-2016-2517</cvename>
<cvename>CVE-2016-2518</cvename>
<cvename>CVE-2016-2519</cvename>
<url>http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security</url>
</references>
<dates>
<discovery>2016-04-26</discovery>
<entry>2016-04-27</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="92d44f83-a7bf-41cf-91ee-3d1b8ecf579f">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<name>linux-firefox</name>
<range><lt>46.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.43</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><ge>39.0,1</ge><lt>45.1.0,1</lt></range>
<range><lt>38.8.0,1</lt></range>
</package>
<package>
<name>libxul</name>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><ge>39.0</ge><lt>45.1.0</lt></range>
<range><lt>38.8.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox46">
<p>MFSA 2016-39 Miscellaneous memory safety hazards (rv:46.0 /
rv:45.1 / rv:38.8)</p>
<p>MFSA 2016-42 Use-after-free and buffer overflow
in Service Workers</p>
<p>MFSA 2016-44 Buffer overflow in libstagefright with
CENC offsets</p>
<p>MFSA 2016-45 CSP not applied to pages sent with
multipart/x-mixed-replace</p>
<p>MFSA 2016-46 Elevation of privilege with
chrome.tabs.update API in web extensions</p>
<p>MFSA 2016-47 Write to invalid HashMap entry through
JavaScript.watch()</p>
<p>MFSA 2016-48 Firefox Health Reports could accept events
from untrusted domains</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2804</cvename>
<cvename>CVE-2016-2805</cvename>
<cvename>CVE-2016-2806</cvename>
<cvename>CVE-2016-2807</cvename>
<cvename>CVE-2016-2808</cvename>
<cvename>CVE-2016-2811</cvename>
<cvename>CVE-2016-2812</cvename>
<cvename>CVE-2016-2814</cvename>
<cvename>CVE-2016-2816</cvename>
<cvename>CVE-2016-2817</cvename>
<cvename>CVE-2016-2820</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2016-39/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-42/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-44/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-45/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-46/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-47/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-48/</url>
</references>
<dates>
<discovery>2016-04-26</discovery>
<entry>2016-04-26</entry>
</dates>
</vuln>
<vuln vid="f87a9376-0943-11e6-8fc4-00a0986f28c4">
<topic>phpmyfaq -- cross-site request forgery vulnerability</topic>
<affects>
<package>
<name>phpmyfaq</name>
<range><lt>2.8.27</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyFAQ team reports:</p>
<blockquote cite="http://www.phpmyfaq.de/security/advisory-2016-04-11">
<p>The vulnerability exists because the application does not properly
verify the origin of HTTP requests in the "Interface Translation"
functionality. A remote unauthenticated attacker can create
a specially crafted malicious web page with a CSRF exploit, trick
a logged-in administrator into visiting the page, spoof the HTTP
request as if it were coming from the legitimate user, and inject
and execute arbitrary PHP code on the target system with the privileges
of the webserver.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.phpmyfaq.de/security/advisory-2016-04-11</url>
<url>https://www.htbridge.com/advisory/HTB23300</url>
</references>
<dates>
<discovery>2016-04-11</discovery>
<entry>2016-04-23</entry>
</dates>
</vuln>
<vuln vid="1b0d2938-0766-11e6-94fa-002590263bf5">
<topic>libtasn1 -- denial of service parsing malicious DER certificates</topic>
<affects>
<package>
<name>libtasn1</name>
<range><lt>4.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GNU Libtasn1 NEWS reports:</p>
<blockquote cite="http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=blob_plain;f=NEWS;hb=e9bcdc86b920d72c9cffc2570d14eea2f6365b37">
<p>Fixes to avoid an infinite recursion when decoding without the
ASN1_DECODE_FLAG_STRICT_DER flag. Reported by Pascal Cuoq.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4008</cvename>
<url>http://www.openwall.com/lists/oss-security/2016/04/13/3</url>
<url>http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=blob_plain;f=NEWS;hb=e9bcdc86b920d72c9cffc2570d14eea2f6365b37</url>
</references>
<dates>
<discovery>2016-04-11</discovery>
<entry>2016-04-21</entry>
</dates>
</vuln>
<vuln vid="e05bfc92-0763-11e6-94fa-002590263bf5">
<topic>squid -- multiple vulnerabilities</topic>
<affects>
<package>
<name>squid</name>
<range><lt>3.5.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2016:5 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_5.txt">
<p>Due to incorrect buffer management Squid cachemgr.cgi tool is
vulnerable to a buffer overflow when processing remotely supplied
inputs relayed to it from Squid.</p>
<p>This problem allows any client to seed the Squid manager reports
with data that will cause a buffer overflow when processed by the
cachemgr.cgi tool. However, this does require manual administrator
actions to take place, which greatly reduces the impact and
possible uses.</p>
</blockquote>
<p>Squid security advisory 2016:6 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_6.txt">
<p>Due to buffer overflow issues Squid is vulnerable to a denial of
service attack when processing ESI responses. Due to incorrect input
validation Squid is vulnerable to public information disclosure of
the server stack layout when processing ESI responses. Due to
incorrect input validation and buffer overflow Squid is vulnerable
to remote code execution when processing ESI responses.</p>
<p>These problems allow ESI components to be used to perform a denial
of service attack on the Squid service and all other services on the
same machine. Under certain build conditions these problems allow
remote clients to view large sections of the server memory. However,
the bugs are exploitable only if you have built and configured the
ESI features to be used by a reverse-proxy and if the ESI components
being processed by Squid can be controlled by an attacker.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-4051</cvename>
<cvename>CVE-2016-4052</cvename>
<cvename>CVE-2016-4053</cvename>
<cvename>CVE-2016-4054</cvename>
<freebsdpr>ports/208939</freebsdpr>
<url>http://www.squid-cache.org/Advisories/SQUID-2016_5.txt</url>
<url>http://www.squid-cache.org/Advisories/SQUID-2016_6.txt</url>
</references>
<dates>
<discovery>2016-04-20</discovery>
<entry>2016-04-21</entry>
</dates>
</vuln>
<vuln vid="253c6889-06f0-11e6-925f-6805ca0b3d42">
<topic>ansible -- use of predictable paths in lxc_container</topic>
<affects>
<package>
<name>ansible</name>
<range><ge>2.0.0.0</ge><lt>2.0.2.0</lt></range>
</package>
<package>
<name>ansible1</name>
<range><lt>1.9.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ansible developers report:</p>
<blockquote cite="https://github.com/ansible/ansible-modules-extras/pull/1941/commits/8c6fe646ee79f5e55361b885b7efed5bec72d4a4">
<p>CVE-2016-3096: do not use predictable paths in lxc_container</p>
<ul>
<li>do not use a predictable filename for the LXC attach
script</li>
<li>don't use predictable filenames for LXC attach script
logging</li>
<li>don't set a predictable archive_path</li>
</ul>
<p>this should prevent symlink attacks which could result
in</p>
<ul>
<li>data corruption</li>
<li>data leakage</li>
<li>privilege escalation</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3096</cvename>
<url>https://github.com/ansible/ansible-modules-extras/pull/1941/commits/8c6fe646ee79f5e55361b885b7efed5bec72d4a4</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1322925</url>
</references>
<dates>
<discovery>2016-04-02</discovery>
<entry>2016-04-20</entry>
</dates>
</vuln>
<vuln vid="a733b5ca-06eb-11e6-817f-3085a9a4510d">
<topic>proftpd -- vulnerability in mod_tls</topic>
<affects>
<package>
<name>proftpd</name>
<range><lt>1.3.5b</lt></range>
<range><eq>1.3.6.r1</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3125">
<p>The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before
1.3.6rc2 does not properly handle the TLSDHParamFile directive, which
might cause a weaker than intended Diffie-Hellman (DH) key to be used
and consequently allow attackers to have unspecified impact via
unknown vectors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3125</cvename>
</references>
<dates>
<discovery>2016-03-08</discovery>
<entry>2016-04-20</entry>
</dates>
</vuln>
<vuln vid="6d8505f0-0614-11e6-b39c-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>50.0.2661.75</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_13.html">
<p>20 security fixes in this release, including:</p>
<ul>
<li>[590275] High CVE-2016-1652: Universal XSS in extension
bindings. Credit to anonymous.</li>
<li>[589792] High CVE-2016-1653: Out-of-bounds write in V8. Credit
to Choongwoo Han.</li>
<li>[591785] Medium CVE-2016-1651: Out-of-bounds read in Pdfium
JPEG2000 decoding. Credit to kdot working with HP's Zero Day
Initiative.</li>
<li>[589512] Medium CVE-2016-1654: Uninitialized memory read in
media. Credit to Atte Kettunen of OUSPG.</li>
<li>[582008] Medium CVE-2016-1655: Use-after-free related to
extensions. Credit to Rob Wu.</li>
<li>[570750] Medium CVE-2016-1656: Android downloaded file path
restriction bypass. Credit to Dzmitry Lukyanenko.</li>
<li>[567445] Medium CVE-2016-1657: Address bar spoofing. Credit to
Luan Herrera.</li>
<li>[573317] Low CVE-2016-1658: Potential leak of sensitive
information to malicious extensions. Credit to Antonio Sanso
(@asanso) of Adobe.</li>
<li>[602697] CVE-2016-1659: Various fixes from internal audits,
fuzzing and other initiatives.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1651</cvename>
<cvename>CVE-2016-1652</cvename>
<cvename>CVE-2016-1653</cvename>
<cvename>CVE-2016-1654</cvename>
<cvename>CVE-2016-1655</cvename>
<cvename>CVE-2016-1656</cvename>
<cvename>CVE-2016-1657</cvename>
<cvename>CVE-2016-1658</cvename>
<cvename>CVE-2016-1659</cvename>
<url>http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_13.html</url>
</references>
<dates>
<discovery>2016-04-13</discovery>
<entry>2016-04-19</entry>
</dates>
</vuln>
<vuln vid="976567f6-05c5-11e6-94fa-002590263bf5">
<topic>hostapd and wpa_supplicant -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wpa_supplicant</name>
<range><lt>2.5_1</lt></range>
</package>
<package>
<name>hostapd</name>
<range><lt>2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jouni Malinen reports:</p>
<blockquote cite="http://w1.fi/security/2015-6/wpa_supplicant-unauthorized-wnm-sleep-mode-gtk-control.txt">
<p>wpa_supplicant unauthorized WNM Sleep Mode GTK control. (2015-6 -
CVE-2015-5310)</p>
</blockquote>
<blockquote cite="http://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt">
<p>EAP-pwd missing last fragment length validation. (2015-7 -
CVE-2015-5315)</p>
</blockquote>
<blockquote cite="http://w1.fi/security/2015-8/eap-pwd-unexpected-confirm.txt">
<p>EAP-pwd peer error path failure on unexpected Confirm message.
(2015-8 - CVE-2015-5316)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5310</cvename>
<cvename>CVE-2015-5315</cvename>
<cvename>CVE-2015-5316</cvename>
<freebsdpr>ports/208482</freebsdpr>
<url>http://w1.fi/security/2015-6/wpa_supplicant-unauthorized-wnm-sleep-mode-gtk-control.txt</url>
<url>http://w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt</url>
<url>http://w1.fi/security/2015-8/eap-pwd-unexpected-confirm.txt</url>
</references>
<dates>
<discovery>2015-11-10</discovery>
<entry>2016-04-19</entry>
<modified>2017-03-22</modified>
</dates>
</vuln>
<vuln vid="092156c9-04d7-11e6-b1ce-002590263bf5">
<topic>dhcpcd -- remote code execution/denial of service</topic>
<affects>
<package>
<name>dhcpcd</name>
<range><lt>6.9.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7912">
<p>The get_option function in dhcp.c in dhcpcd before 6.2.0, as used
in dhcpcd 5.x in Android before 5.1 and other products, does not
validate the relationship between length fields and the amount of
data, which allows remote DHCP servers to execute arbitrary code or
cause a denial of service (memory corruption) via a large length
value of an option in a DHCPACK message.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-7912</cvename>
<url>http://roy.marples.name/projects/dhcpcd/info/d71cfd8aa203bffe</url>
</references>
<dates>
<discovery>2015-06-19</discovery>
<entry>2016-04-17</entry>
</dates>
</vuln>
<vuln vid="6ec9f210-0404-11e6-9aee-bc5ff4fb5ea1">
<topic>dhcpcd -- remote code execution/denial of service</topic>
<affects>
<package>
<name>dhcpcd</name>
<range><lt>6.10.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7913">
<p>The print_option function in dhcp-common.c in dhcpcd through 6.9.1,
as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other
products, misinterprets the return value of the snprintf function,
which allows remote DHCP servers to execute arbitrary code or cause
a denial of service (memory corruption) via a crafted message.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-7913</cvename>
<freebsdpr>ports/208702</freebsdpr>
<url>http://roy.marples.name/projects/dhcpcd/info/528541c4c619520e</url>
</references>
<dates>
<discovery>2016-01-22</discovery>
<entry>2016-04-17</entry>
</dates>
</vuln>
<vuln vid="e21474c6-031a-11e6-aa86-001999f8d30b">
<topic>PJSIP -- TCP denial of service in PJProject</topic>
<affects>
<package>
<name>pjsip</name>
<range><le>2.4.5</le></range>
</package>
<package>
<name>pjsip-extsrtp</name>
<range><le>2.4.5</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>PJProject has a limit on the number of TCP connections
that it can accept. Furthermore, PJProject does not close
TCP connections it accepts. By default, this value is
approximately 60.</p>
<p>An attacker can deplete the number of allowed TCP
connections by opening TCP connections and sending no
data to Asterisk.</p>
<p>If PJProject has been compiled in debug mode, then
once the number of allowed TCP connections has been
depleted, the next attempted TCP connection to Asterisk
will crash due to an assertion in PJProject.</p>
<p>If PJProject has not been compiled in debug mode, then
any further TCP connection attempts will be rejected.
This makes Asterisk unable to process TCP SIP traffic.</p>
<p>Note that this only affects TCP/TLS, since UDP is
connectionless.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2016-005.html</url>
</references>
<dates>
<discovery>2016-02-15</discovery>
<entry>2016-04-15</entry>
</dates>
</vuln>
<vuln vid="ee50726e-0319-11e6-aa86-001999f8d30b">
<topic>asterisk -- Long Contact URIs in REGISTER requests can crash Asterisk</topic>
<affects>
<package>
<name>asterisk13</name>
<range><lt>13.8.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>Asterisk may crash when processing an incoming REGISTER
request if that REGISTER contains a Contact header with
a lengthy URI.</p>
<p>This crash will only happen for requests that pass
authentication. Unauthenticated REGISTER requests will
not result in a crash occurring.</p>
<p>This vulnerability only affects Asterisk when using
PJSIP as its SIP stack. The chan_sip module does not have
this problem.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2016-004.html</url>
</references>
<dates>
<discovery>2016-01-19</discovery>
<entry>2016-04-15</entry>
</dates>
</vuln>
<vuln vid="f2217cdf-01e4-11e6-b1ce-002590263bf5">
<topic>go -- remote denial of service</topic>
<affects>
<package>
<name>go</name>
<range><lt>1.6.1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jason Buberel reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/04/05/2">
<p>Go has an infinite loop in several big integer routines that makes
Go programs vulnerable to remote denial of service attacks. Programs
using HTTPS client authentication or the Go ssh server libraries are
both exposed to this vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3959</cvename>
<url>http://www.openwall.com/lists/oss-security/2016/04/05/2</url>
<url>https://golang.org/cl/21533</url>
</references>
<dates>
<discovery>2016-04-05</discovery>
<entry>2016-04-14</entry>
</dates>
</vuln>
<vuln vid="a636fc26-00d9-11e6-b704-000c292e4fd8">
<topic>samba -- multiple vulnerabilities</topic>
<affects>
<package>
<name>samba36</name>
<range><ge>3.6.0</ge><le>3.6.25_3</le></range>
</package>
<package>
<name>samba4</name>
<range><ge>4.0.0</ge><le>4.0.26</le></range>
</package>
<package>
<name>samba41</name>
<range><ge>4.1.0</ge><le>4.1.23</le></range>
</package>
<package>
<name>samba42</name>
<range><ge>4.2.0</ge><lt>4.2.11</lt></range>
</package>
<package>
<name>samba43</name>
<range><ge>4.3.0</ge><lt>4.3.8</lt></range>
</package>
<package>
<name>samba44</name>
<range><ge>4.4.0</ge><lt>4.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Samba team reports:</p>
<blockquote cite="https://www.samba.org/samba/latest_news.html#4.4.2">
<p>[CVE-2015-5370] Errors in Samba DCE-RPC code can lead to denial of service
(crashes and high cpu consumption) and man in the middle attacks.</p>
<p>[CVE-2016-2110] The feature negotiation of NTLMSSP is not downgrade protected.
A man in the middle is able to clear even required flags, especially
NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL.</p>
<p>[CVE-2016-2111] When Samba is configured as Domain Controller it allows remote
attackers to spoof the computer name of a secure channel's endpoints, and obtain
sensitive session information, by running a crafted application and leveraging
the ability to sniff network traffic.</p>
<p>[CVE-2016-2112] A man in the middle is able to downgrade LDAP connections
to no integrity protection.</p>
<p>[CVE-2016-2113] Man in the middle attacks are possible for client triggered LDAP
connections (with ldaps://) and ncacn_http connections (with https://).</p>
<p>[CVE-2016-2114] Due to a bug, Samba doesn't enforce required SMB signing, even if explicitly configured.</p>
<p>[CVE-2016-2115] The protection of DCERPC communication over ncacn_np (which is
the default for most of the file server related protocols) is inherited from the underlying SMB connection.</p>
<p>[CVE-2016-2118] a.k.a. BADLOCK. A man in the middle can intercept any DCERPC traffic
between a client and a server in order to impersonate the client and get the same privileges
as the authenticated user account. This is most problematic against active directory domain controllers.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5370</cvename>
<url>https://www.samba.org/samba/security/CVE-2015-5370.html</url>
<cvename>CVE-2016-2110</cvename>
<url>https://www.samba.org/samba/security/CVE-2016-2110.html</url>
<cvename>CVE-2016-2111</cvename>
<url>https://www.samba.org/samba/security/CVE-2016-2111.html</url>
<cvename>CVE-2016-2112</cvename>
<url>https://www.samba.org/samba/security/CVE-2016-2112.html</url>
<cvename>CVE-2016-2113</cvename>
<url>https://www.samba.org/samba/security/CVE-2016-2113.html</url>
<cvename>CVE-2016-2114</cvename>
<url>https://www.samba.org/samba/security/CVE-2016-2114.html</url>
<cvename>CVE-2016-2115</cvename>
<url>https://www.samba.org/samba/security/CVE-2016-2115.html</url>
<cvename>CVE-2016-2118</cvename>
<url>https://www.samba.org/samba/security/CVE-2016-2118.html</url>
</references>
<dates>
<discovery>2016-04-12</discovery>
<entry>2016-04-12</entry>
<modified>2016-04-12</modified>
</dates>
</vuln>
<vuln vid="482d40cb-f9a3-11e5-92ce-002590263bf5">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php70</name>
<name>php70-fileinfo</name>
<name>php70-mbstring</name>
<name>php70-phar</name>
<name>php70-snmp</name>
<range><lt>7.0.5</lt></range>
</package>
<package>
<name>php56</name>
<name>php56-fileinfo</name>
<name>php56-mbstring</name>
<name>php56-phar</name>
<name>php56-snmp</name>
<range><lt>5.6.20</lt></range>
</package>
<package>
<name>php55</name>
<name>php55-fileinfo</name>
<name>php55-mbstring</name>
<name>php55-phar</name>
<name>php55-snmp</name>
<range><lt>5.5.34</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP Group reports:</p>
<blockquote cite="http://php.net/ChangeLog-7.php#7.0.5">
<ul><li>Fileinfo:
<ul>
<li>Fixed bug #71527 (Buffer over-write in finfo_open with
malformed magic file).</li>
</ul></li>
<li>mbstring:
<ul>
<li>Fixed bug #71906 (AddressSanitizer: negative-size-param (-1)
in mbfl_strcut).</li>
</ul></li>
<li>Phar:
<ul>
<li>Fixed bug #71860 (Invalid memory write in phar on filename with
\0 in name).</li>
</ul></li>
<li>SNMP:
<ul>
<li>Fixed bug #71704 (php_snmp_error() Format String Vulnerability).
</li>
</ul></li>
<li>Standard:
<ul>
<li>Fixed bug #71798 (Integer Overflow in php_raw_url_encode).</li>
</ul></li>
</ul>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/208465</freebsdpr>
<url>http://php.net/ChangeLog-7.php#7.0.5</url>
<url>http://php.net/ChangeLog-5.php#5.6.20</url>
<url>http://php.net/ChangeLog-5.php#5.5.34</url>
</references>
<dates>
<discovery>2016-03-31</discovery>
<entry>2016-04-03</entry>
</dates>
</vuln>
<vuln vid="497b82e0-f9a0-11e5-92ce-002590263bf5">
<topic>pcre -- heap overflow vulnerability</topic>
<affects>
<package>
<name>pcre</name>
<range><lt>8.38_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mitre reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1283">
<p>The pcre_compile2 function in pcre_compile.c in PCRE 8.38
mishandles the /((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/
pattern and related patterns with named subgroups, which allows
remote attackers to cause a denial of service (heap-based buffer
overflow) or possibly have unspecified other impact via a crafted
regular expression, as demonstrated by a JavaScript RegExp object
encountered by Konqueror.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1283</cvename>
<freebsdpr>ports/208260</freebsdpr>
<url>https://bugs.exim.org/show_bug.cgi?id=1767</url>
</references>
<dates>
<discovery>2016-02-27</discovery>
<entry>2016-04-03</entry>
</dates>
</vuln>
<vuln vid="df328fac-f942-11e5-92ce-002590263bf5">
<topic>py-djblets -- Self-XSS vulnerability</topic>
<affects>
<package>
<name>py27-djblets</name>
<name>py32-djblets</name>
<name>py33-djblets</name>
<name>py34-djblets</name>
<name>py35-djblets</name>
<range><lt>0.9.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Djblets Release Notes reports:</p>
<blockquote cite="https://www.reviewboard.org/docs/releasenotes/djblets/0.9.2/">
<p>A recently-discovered vulnerability in the datagrid templates allows an
attacker to generate a URL to any datagrid page containing malicious code
in a column sorting value. If the user visits that URL and then clicks
that column, the code will execute.</p>
<p>The cause of the vulnerability was due to a template not escaping
user-provided values.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.reviewboard.org/docs/releasenotes/djblets/0.9.2/</url>
</references>
<dates>
<discovery>2016-03-01</discovery>
<entry>2016-04-03</entry>
</dates>
</vuln>
<vuln vid="a430e15d-f93f-11e5-92ce-002590263bf5">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle28</name>
<range><lt>2.8.11</lt></range>
</package>
<package>
<name>moodle29</name>
<range><lt>2.9.5</lt></range>
</package>
<package>
<name>moodle30</name>
<range><lt>3.0.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Marina Glancy reports:</p>
<blockquote cite="https://moodle.org/security/">
<ul>
<li><p>MSA-16-0003: Incorrect capability check when displaying
users emails in Participants list</p></li>
<li><p>MSA-16-0004: XSS from profile fields from external db</p>
</li>
<li><p>MSA-16-0005: Reflected XSS in mod_data advanced search</p>
</li>
<li><p>MSA-16-0006: Hidden courses are shown to students in Event
Monitor</p></li>
<li><p>MSA-16-0007: Non-Editing Instructor role can edit exclude
checkbox in Single View</p></li>
<li><p>MSA-16-0008: External function get_calendar_events returns
events that pertain to hidden activities</p></li>
<li><p>MSA-16-0009: CSRF in Assignment plugin management page</p>
</li>
<li><p>MSA-16-0010: Enumeration of category details possible without
authentication</p></li>
<li><p>MSA-16-0011: Add no referrer to links with _blank target
attribute</p></li>
<li><p>MSA-16-0012: External function mod_assign_save_submission
does not check due dates</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2151</cvename>
<cvename>CVE-2016-2152</cvename>
<cvename>CVE-2016-2153</cvename>
<cvename>CVE-2016-2154</cvename>
<cvename>CVE-2016-2155</cvename>
<cvename>CVE-2016-2156</cvename>
<cvename>CVE-2016-2157</cvename>
<cvename>CVE-2016-2158</cvename>
<cvename>CVE-2016-2190</cvename>
<cvename>CVE-2016-2159</cvename>
<url>https://moodle.org/security/</url>
</references>
<dates>
<discovery>2016-03-21</discovery>
<entry>2016-04-03</entry>
</dates>
</vuln>
<vuln vid="297117ba-f92d-11e5-92ce-002590263bf5">
<topic>squid -- multiple vulnerabilities</topic>
<affects>
<package>
<name>squid</name>
<range><lt>3.5.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2016:3 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_3.txt">
<p>Due to a buffer overrun, the Squid pinger binary is vulnerable to
a denial of service or information leak attack when processing
ICMPv6 packets.</p>
<p>This bug also permits the server response to manipulate other
ICMP and ICMPv6 queries processing to cause information leak.</p>
<p>This bug allows any remote server to perform a denial of service
attack on the Squid service by crashing the pinger. This may
affect Squid HTTP routing decisions. In some configurations,
sub-optimal routing decisions may result in serious service
degradation or even transaction failures.</p>
<p>If the system does not contain buffer-overrun protection leading
to that crash, this bug will instead allow attackers to leak
arbitrary amounts of information from the heap into Squid log
files. This is of higher importance than usual because the pinger
process operates with root privileges.</p>
</blockquote>
<p>Squid security advisory 2016:4 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_4.txt">
<p>Due to incorrect bounds checking Squid is vulnerable to a denial
of service attack when processing HTTP responses.</p>
<p>This problem allows a malicious client script and remote server
delivering certain unusual HTTP response syntax to trigger a
denial of service for all clients accessing the Squid service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3947</cvename>
<cvename>CVE-2016-3948</cvename>
<freebsdpr>ports/208463</freebsdpr>
<url>http://www.squid-cache.org/Advisories/SQUID-2016_3.txt</url>
<url>http://www.squid-cache.org/Advisories/SQUID-2016_4.txt</url>
</references>
<dates>
<discovery>2016-03-28</discovery>
<entry>2016-04-02</entry>
</dates>
</vuln>
<vuln vid="97a24d2e-f74c-11e5-8458-6cc21735f730">
<topic>PostgreSQL -- minor security problems</topic>
<affects>
<package>
<name>postgresql95-server</name>
<name>postgresql95-contrib</name>
<range><ge>9.5.0</ge><lt>9.5.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PostgreSQL project reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1656/">
<p>Security Fixes for RLS, BRIN</p>
<p>
This release closes security hole CVE-2016-2193
(https://access.redhat.com/security/cve/CVE-2016-2193), where a query
plan might get reused for more than one ROLE in the same session.
This could cause the wrong set of Row Level Security (RLS) policies to
be used for the query.</p>
<p>
The update also fixes CVE-2016-3065
(https://access.redhat.com/security/cve/CVE-2016-3065), a server crash
bug triggered by using `pageinspect` with BRIN index pages. Since an
attacker might be able to expose a few bytes of server memory, this
crash is being treated as a security issue.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2193</cvename>
<cvename>CVE-2016-3065</cvename>
</references>
<dates>
<discovery>2016-03-01</discovery>
<entry>2016-03-31</entry>
</dates>
</vuln>
<vuln vid="f7b3d1eb-f738-11e5-a710-0011d823eebd">
<topic>flash -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-f10-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<range><lt>11.2r202.577</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-08.html">
<p>These updates resolve integer overflow vulnerabilities that
could lead to code execution (CVE-2016-0963, CVE-2016-0993,
CVE-2016-1010).</p>
<p>These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2016-0987, CVE-2016-0988,
CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995,
CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999,
CVE-2016-1000).</p>
<p>These updates resolve a heap overflow vulnerability that could
lead to code execution (CVE-2016-1001).</p>
<p>These updates resolve memory corruption vulnerabilities that
could lead to code execution (CVE-2016-0960, CVE-2016-0961,
CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992,
CVE-2016-1002, CVE-2016-1005).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-0960</cvename>
<cvename>CVE-2016-0961</cvename>
<cvename>CVE-2016-0962</cvename>
<cvename>CVE-2016-0963</cvename>
<cvename>CVE-2016-0986</cvename>
<cvename>CVE-2016-0987</cvename>
<cvename>CVE-2016-0988</cvename>
<cvename>CVE-2016-0989</cvename>
<cvename>CVE-2016-0990</cvename>
<cvename>CVE-2016-0991</cvename>
<cvename>CVE-2016-0992</cvename>
<cvename>CVE-2016-0993</cvename>
<cvename>CVE-2016-0994</cvename>
<cvename>CVE-2016-0995</cvename>
<cvename>CVE-2016-0996</cvename>
<cvename>CVE-2016-0997</cvename>
<cvename>CVE-2016-0998</cvename>
<cvename>CVE-2016-0999</cvename>
<cvename>CVE-2016-1000</cvename>
<cvename>CVE-2016-1001</cvename>
<cvename>CVE-2016-1002</cvename>
<cvename>CVE-2016-1005</cvename>
<cvename>CVE-2016-1010</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb16-08.html</url>
</references>
<dates>
<discovery>2016-03-10</discovery>
<entry>2016-03-31</entry>
</dates>
</vuln>
<vuln vid="4cd9b19f-f66d-11e5-b94c-001999f8d30b">
<topic>Multiple vulnerabilities in Botan</topic>
<affects>
<package>
<name>botan110</name>
<range><lt>1.10.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Botan developers report:</p>
<blockquote cite="http://botan.randombit.net/security.html">
<p>Infinite loop in modular square root algorithm - The ressol function, which implements the Tonelli-Shanks algorithm for finding square roots, could be sent into a nearly infinite loop due to a misplaced conditional check. This could occur if a composite modulus is provided, as this algorithm is only defined for primes. This function is exposed to attacker controlled input via the OS2ECP function during ECC point decompression.</p>
<p>Heap overflow on invalid ECC point - The PointGFp constructor did not check that the affine coordinate arguments were less than the prime, but then in curve multiplication assumed that both arguments if multiplied would fit into an integer twice the size of the prime.</p>
<p>The bigint_mul and bigint_sqr functions received the size of the output buffer, but only used it to dispatch to a faster algorithm in cases where there was sufficient output space to call an unrolled multiplication function.</p>
<p>The result is a heap overflow accessible via ECC point decoding, which accepted untrusted inputs. This is likely exploitable for remote code execution.</p>
<p>On systems which use the mlock pool allocator, it would allow an attacker to overwrite memory held in secure_vector objects. After this point the write will hit the guard page at the end of the mmapped region so it probably could not be used for code execution directly, but would allow overwriting adjacent key material.</p>
</blockquote>
</body>
</description>
<references>
<url>http://botan.randombit.net/security.html</url>
<cvename>CVE-2016-2194</cvename>
<cvename>CVE-2016-2195</cvename>
</references>
<dates>
<discovery>2016-02-01</discovery>
<entry>2016-03-31</entry>
</dates>
</vuln>
<vuln vid="2004616d-f66c-11e5-b94c-001999f8d30b">
<topic>Botan BER Decoder vulnerabilities</topic>
<affects>
<package>
<name>botan110</name>
<range><lt>1.10.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Botan developers report:</p>
<blockquote cite="http://botan.randombit.net/">
<p>Excess memory allocation in BER decoder - The BER decoder would allocate a fairly arbitrary amount of memory in a length field, even if there was no chance the read request would succeed. This might cause the process to run out of memory or invoke the OOM killer.</p>
<p>Crash in BER decoder - The BER decoder would crash due to reading from offset 0 of an empty vector if it encountered a BIT STRING which did not contain any data at all. This can be used to easily crash applications reading untrusted ASN.1 data, but does not seem exploitable for code execution.</p>
</blockquote>
</body>
</description>
<references>
<url>http://botan.randombit.net/security.html</url>
<cvename>CVE-2015-5726</cvename>
<cvename>CVE-2015-5727</cvename>
</references>
<dates>
<discovery>2015-08-03</discovery>
<entry>2016-03-31</entry>
</dates>
</vuln>
<vuln vid="e1085b15-f609-11e5-a230-0014a5a57822">
<topic>mercurial -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mercurial</name>
<range><lt>2.7.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mercurial reports:</p>
<blockquote cite="https://www.mercurial-scm.org/pipermail/mercurial/2016-March/049452.html">
<p>CVE-2016-3630: Remote code execution in binary delta decoding</p>
<p>CVE-2016-3068: Arbitrary code execution with Git subrepos</p>
<p>CVE-2016-3069: Arbitrary code execution when converting
Git repos</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3630</cvename>
<cvename>CVE-2016-3068</cvename>
<cvename>CVE-2016-3069</cvename>
<url>https://www.mercurial-scm.org/pipermail/mercurial/2016-March/049452.html</url>
</references>
<dates>
<discovery>2016-03-29</discovery>
<entry>2016-03-29</entry>
</dates>
</vuln>
<vuln vid="8be8ca39-ae70-4422-bf1a-d8fae6911c5e">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>49.0.2623.108</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_24.html">
<p>[594574] High CVE-2016-1646: Out-of-bounds read in V8.</p>
<p>[590284] High CVE-2016-1647: Use-after-free in Navigation.</p>
<p>[590455] High CVE-2016-1648: Use-after-free in Extensions.</p>
<p>[597518] CVE-2016-1650: Various fixes from internal audits,
fuzzing and other initiatives.</p>
<p>Multiple vulnerabilities in V8 fixed at the tip of the
4.9 branch</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1646</cvename>
<cvename>CVE-2016-1647</cvename>
<cvename>CVE-2016-1648</cvename>
<cvename>CVE-2016-1649</cvename>
<cvename>CVE-2016-1650</cvename>
<url>http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_24.html</url>
</references>
<dates>
<discovery>2016-03-24</discovery>
<entry>2016-03-29</entry>
</dates>
</vuln>
<vuln vid="5c288f68-c7ca-4c0d-b7dc-1ec6295200b3">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>49.0.2623.87</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_8.html">
<p>[589838] High CVE-2016-1643: Type confusion in Blink.</p>
<p>[590620] High CVE-2016-1644: Use-after-free in Blink.</p>
<p>[587227] High CVE-2016-1645: Out-of-bounds write in PDFium.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1643</cvename>
<cvename>CVE-2016-1644</cvename>
<cvename>CVE-2016-1645</cvename>
<url>http://googlechromereleases.blogspot.de/2016/03/stable-channel-update_8.html</url>
</references>
<dates>
<discovery>2016-03-08</discovery>
<entry>2016-03-29</entry>
</dates>
</vuln>
<vuln vid="cd409df7-f483-11e5-92ce-002590263bf5">
<topic>bind -- denial of service vulnerability</topic>
<affects>
<package>
<name>bind910</name>
<range><ge>9.10.0</ge><lt>9.10.3P4</lt></range>
</package>
<package>
<name>bind9-devel</name>
<range><lt>9.11.0.a20160309</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01351">
<p>A response containing multiple DNS cookies causes servers with
cookie support enabled to exit with an assertion failure.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2088</cvename>
<url>https://kb.isc.org/article/AA-01351</url>
</references>
<dates>
<discovery>2016-03-09</discovery>
<entry>2016-03-28</entry>
</dates>
</vuln>
<vuln vid="cba246d2-f483-11e5-92ce-002590263bf5">
<topic>bind -- denial of service vulnerability</topic>
<affects>
<package>
<name>bind98</name>
<range><le>9.8.8</le></range>
</package>
<package>
<name>bind99</name>
<range><ge>9.9.0</ge><lt>9.9.8P4</lt></range>
</package>
<package>
<name>bind910</name>
<range><ge>9.10.0</ge><lt>9.10.3P4</lt></range>
</package>
<package>
<name>bind9-devel</name>
<range><lt>9.11.0.a20160309</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>9.3</ge><lt>9.3_38</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01353">
<p>A problem parsing resource record signatures for DNAME resource
records can lead to an assertion failure in resolver.c or db.c.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1286</cvename>
<freebsdsa>SA-16:13.bind</freebsdsa>
<url>https://kb.isc.org/article/AA-01353</url>
</references>
<dates>
<discovery>2016-03-09</discovery>
<entry>2016-03-28</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="c9075321-f483-11e5-92ce-002590263bf5">
<topic>bind -- denial of service vulnerability</topic>
<affects>
<package>
<name>bind98</name>
<range><le>9.8.8</le></range>
</package>
<package>
<name>bind99</name>
<range><ge>9.9.0</ge><lt>9.9.8P4</lt></range>
</package>
<package>
<name>bind910</name>
<range><ge>9.10.0</ge><lt>9.10.3P4</lt></range>
</package>
<package>
<name>bind9-devel</name>
<range><lt>9.11.0.a20160309</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>9.3</ge><lt>9.3_38</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01352">
<p>An error parsing input received by the rndc control channel can
cause an assertion failure in sexpr.c or alist.c.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1285</cvename>
<freebsdsa>SA-16:13.bind</freebsdsa>
<url>https://kb.isc.org/article/AA-01352</url>
</references>
<dates>
<discovery>2016-03-09</discovery>
<entry>2016-03-28</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="6d25c306-f3bb-11e5-92ce-002590263bf5">
<topic>salt -- Insecure configuration of PAM external authentication service</topic>
<affects>
<package>
<name>py27-salt</name>
<name>py32-salt</name>
<name>py33-salt</name>
<name>py34-salt</name>
<name>py35-salt</name>
<range><lt>2015.5.10</lt></range>
<range><ge>2015.8.0</ge><lt>2015.8.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SaltStack reports:</p>
<blockquote cite="https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html">
<p>This issue affects all Salt versions prior to 2015.8.8/2015.5.10
when PAM external authentication is enabled. This issue involves
passing an alternative PAM authentication service with a command
that is sent to LocalClient, enabling the attacker to bypass the
configured authentication service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-3176</cvename>
<url>https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html</url>
</references>
<dates>
<discovery>2016-03-17</discovery>
<entry>2016-03-27</entry>
</dates>
</vuln>
<vuln vid="a258604d-f2aa-11e5-b4a9-ac220bdcec59">
<topic>activemq -- Unsafe deserialization</topic>
<affects>
<package>
<name>activemq</name>
<range><lt>5.13.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Alvaro Muñoz, Matthias Kaiser and Christian Schneider report:</p>
<blockquote cite="http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt">
<p>JMS Object messages depend on Java Serialization for
marshaling/unmarshaling of the message payload. There are a couple of places
inside the broker where deserialization can occur, like web console or stomp
object message transformation. As deserialization of untrusted data can lead to
security flaws as demonstrated in various reports, this leaves the broker
vulnerable to this attack vector. Additionally, applications that consume
ObjectMessage type of messages can be vulnerable as they deserialize objects on
ObjectMessage.getObject() calls.</p>
</blockquote>
</body>
</description>
<references>
<url>http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt</url>
<cvename>CVE-2015-5254</cvename>
</references>
<dates>
<discovery>2016-01-08</discovery>
<entry>2016-03-25</entry>
</dates>
</vuln>
<vuln vid="950b2d60-f2a9-11e5-b4a9-ac220bdcec59">
<topic>activemq -- Web Console Clickjacking</topic>
<affects>
<package>
<name>activemq</name>
<range><lt>5.13.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michael Furman reports:</p>
<blockquote cite="http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt">
<p>The web based administration console does not set the
X-Frame-Options header in HTTP responses. This allows the console to be embedded
in a frame or iframe which could then be used to cause a user to perform an
unintended action in the console.</p>
</blockquote>
</body>
</description>
<references>
<url>http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt</url>
<cvename>CVE-2016-0734</cvename>
</references>
<dates>
<discovery>2016-03-10</discovery>
<entry>2016-03-25</entry>
</dates>
</vuln>
<vuln vid="a6cc5753-f29e-11e5-b4a9-ac220bdcec59">
<topic>activemq -- Web Console Cross-Site Scripting</topic>
<affects>
<package>
<name>activemq</name>
<range><lt>5.13.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Vladimir Ivanov (Positive Technologies) reports:</p>
<blockquote cite="http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt">
<p>Several instances of cross-site scripting vulnerabilities were
identified to be present in the web based administration console as well as the
ability to trigger a Java memory dump into an arbitrary folder. The root cause
of these issues is improper user data output validation and incorrect
permissions configured on Jolokia.</p>
</blockquote>
</body>
</description>
<references>
<url>http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcement.txt</url>
<cvename>CVE-2016-0782</cvename>
</references>
<dates>
<discovery>2016-03-10</discovery>
<entry>2016-03-25</entry>
</dates>
</vuln>
<vuln vid="7033b42d-ef09-11e5-b766-14dae9d210b8">
<topic>pcre -- stack buffer overflow</topic>
<affects>
<package>
<name>pcre</name>
<range><lt>8.38</lt></range>
</package>
<package>
<name>pcre2</name>
<range><lt>10.20_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Philip Hazel reports:</p>
<blockquote cite="https://bugs.exim.org/show_bug.cgi?id=1791">
<p>PCRE does not validate that handling the (*ACCEPT) verb
will occur within the bounds of the cworkspace stack buffer, leading to
a stack buffer overflow.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.exim.org/show_bug.cgi?id=1791</url>
<cvename>CVE-2016-3191</cvename>
</references>
<dates>
<discovery>2016-02-09</discovery>
<entry>2016-03-21</entry>
<modified>2016-03-21</modified>
</dates>
</vuln>
<vuln vid="c428de09-ed69-11e5-92ce-002590263bf5">
<topic>kamailio -- SEAS Module Heap overflow</topic>
<affects>
<package>
<name>kamailio</name>
<range><lt>4.3.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stelios Tsampas reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2016/q1/338">
<p>A (remotely exploitable) heap overflow vulnerability was found in
Kamailio v4.3.4.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2385</cvename>
<url>https://github.com/kamailio/kamailio/commit/f50c9c853e7809810099c970780c30b0765b0643</url>
<url>https://census-labs.com/news/2016/03/30/kamailio-seas-heap-overflow/</url>
<url>http://seclists.org/oss-sec/2016/q1/338</url>
</references>
<dates>
<discovery>2016-02-15</discovery>
<entry>2016-03-19</entry>
<modified>2016-04-03</modified>
</dates>
</vuln>
<vuln vid="5dd39f26-ed68-11e5-92ce-002590263bf5">
<topic>hadoop2 -- unauthorized disclosure of data vulnerability</topic>
<affects>
<package>
<name>hadoop2</name>
<range><ge>2.6</ge><lt>2.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Arun Suresh reports:</p>
<blockquote cite="http://mail-archives.apache.org/mod_mbox/hadoop-general/201602.mbox/browser">
<p>RPC traffic from clients, potentially including authentication
credentials, may be intercepted by a malicious user with access to
run tasks or containers on a cluster.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1776</cvename>
<url>http://mail-archives.apache.org/mod_mbox/hadoop-general/201602.mbox/browser</url>
</references>
<dates>
<discovery>2016-02-15</discovery>
<entry>2016-03-19</entry>
</dates>
</vuln>
<vuln vid="d2a84feb-ebe0-11e5-92ce-002590263bf5">
<topic>git -- integer overflow</topic>
<affects>
<package>
<name>git</name>
<range><lt>2.4.11</lt></range>
<range><ge>2.5.0</ge><lt>2.5.5</lt></range>
<range><ge>2.6.0</ge><lt>2.6.6</lt></range>
<range><ge>2.7.0</ge><lt>2.7.4</lt></range>
</package>
<package>
<name>git-gui</name>
<range><lt>2.4.11</lt></range>
<range><ge>2.5.0</ge><lt>2.5.5</lt></range>
<range><ge>2.6.0</ge><lt>2.6.6</lt></range>
<range><ge>2.7.0</ge><lt>2.7.4</lt></range>
</package>
<package>
<name>git-lite</name>
<range><lt>2.4.11</lt></range>
<range><ge>2.5.0</ge><lt>2.5.5</lt></range>
<range><ge>2.6.0</ge><lt>2.6.6</lt></range>
<range><ge>2.7.0</ge><lt>2.7.4</lt></range>
</package>
<package>
<name>git-subversion</name>
<range><lt>2.4.11</lt></range>
<range><ge>2.5.0</ge><lt>2.5.5</lt></range>
<range><ge>2.6.0</ge><lt>2.6.6</lt></range>
<range><ge>2.7.0</ge><lt>2.7.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Debian reports:</p>
<blockquote cite="https://security-tracker.debian.org/tracker/CVE-2016-2324">
<p>Integer overflow due to a loop which adds more to "len".</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2324</cvename>
<url>https://security-tracker.debian.org/tracker/CVE-2016-2324</url>
<url>https://github.com/git/git/commit/9831e92bfa833ee9c0ce464bbc2f941ae6c2698d</url>
</references>
<dates>
<discovery>2016-02-24</discovery>
<entry>2016-03-18</entry>
</dates>
</vuln>
<vuln vid="93ee802e-ebde-11e5-92ce-002590263bf5">
<topic>git -- potential code execution</topic>
<affects>
<package>
<name>git</name>
<range><lt>2.7.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Debian reports:</p>
<blockquote cite="https://security-tracker.debian.org/tracker/CVE-2016-2315">
<p>"int" is the wrong data type for ... nlen assignment.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2315</cvename>
<url>http://www.openwall.com/lists/oss-security/2016/03/15/6</url>
<url>https://marc.info/?l=oss-security&m=145809217306686&w=2</url>
<url>https://github.com/git/git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305</url>
<url>https://security-tracker.debian.org/tracker/CVE-2016-2315</url>
</references>
<dates>
<discovery>2015-09-24</discovery>
<entry>2016-03-17</entry>
</dates>
</vuln>
<vuln vid="6d33b3e5-ea03-11e5-85be-14dae9d210b8">
<topic>node -- multiple vulnerabilities</topic>
<affects>
<package>
<name>node</name>
<range><lt>5.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jeremiah Senkpiel reports:</p>
<blockquote cite="https://github.com/nodejs/node/commit/805f054cc7791c447dbb960fbf3b179ea05294ac">
<ul>
<li><p>Fix a double-free defect in parsing malformed DSA keys
that may potentially be used for DoS or memory corruption attacks.</p></li>
<li><p>Fix a defect that can cause memory corruption in
certain very rare cases.</p></li>
<li><p>Fix a defect that makes the CacheBleed Attack possible.</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/nodejs/node/commit/805f054cc7791c447dbb960fbf3b179ea05294ac</url>
<cvename>CVE-2016-0702</cvename>
<cvename>CVE-2016-0705</cvename>
<cvename>CVE-2016-0797</cvename>
</references>
<dates>
<discovery>2016-03-02</discovery>
<entry>2016-03-14</entry>
</dates>
</vuln>
<vuln vid="8eb78cdc-e9ec-11e5-85be-14dae9d210b8">
<topic>dropbear -- authorized_keys command= bypass</topic>
<affects>
<package>
<name>dropbear</name>
<range><lt>2016.72</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matt Johnston reports:</p>
<blockquote cite="https://matt.ucc.asn.au/dropbear/CHANGES">
<p>Validate X11 forwarding input. Could allow bypass of
authorized_keys command= restrictions.</p>
</blockquote>
</body>
</description>
<references>
<url>https://matt.ucc.asn.au/dropbear/CHANGES</url>
<cvename>CVE-2016-3116</cvename>
</references>
<dates>
<discovery>2016-03-11</discovery>
<entry>2016-03-14</entry>
</dates>
</vuln>
<vuln vid="77b7ffb7-e937-11e5-8bed-5404a68ad561">
<topic>jpgraph2 -- XSS vulnerability</topic>
<affects>
<package>
<name>jpgraph2</name>
<range><lt>3.0.7_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Martin Barbella reports:</p>
<blockquote cite="http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded">
<p>JpGraph is an object oriented library for PHP that can be used to create
various types of graphs which also contains support for client side
image maps.
The GetURLArguments function of JpGraph's Graph class does not
properly sanitize the names of get and post variables, leading to a
cross site scripting vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded</url>
</references>
<dates>
<discovery>2009-12-22</discovery>
<entry>2016-03-13</entry>
</dates>
</vuln>
<vuln vid="5af511e5-e928-11e5-92ce-002590263bf5">
<topic>php7 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php70</name>
<name>php70-soap</name>
<range><lt>7.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP Group reports:</p>
<blockquote cite="http://php.net/ChangeLog-7.php#7.0.4">
<ul><li>Core:
<ul>
<li>Fixed bug #71637 (Multiple Heap Overflow due to integer
overflows in xml/filter_url/addcslashes).</li>
</ul></li>
<li>SOAP:
<ul>
<li>Fixed bug #71610 (Type Confusion Vulnerability - SOAP /
make_http_soap_request()).</li>
</ul></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://php.net/ChangeLog-7.php#7.0.4</url>
</references>
<dates>
<discovery>2016-03-03</discovery>
<entry>2016-03-13</entry>
</dates>
</vuln>
<vuln vid="e991ef79-e920-11e5-92ce-002590263bf5">
<topic>php5 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php55-phar</name>
<name>php55-wddx</name>
<range><lt>5.5.33</lt></range>
</package>
<package>
<name>php56-phar</name>
<name>php56-wddx</name>
<range><lt>5.6.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP Group reports:</p>
<blockquote cite="http://php.net/ChangeLog-5.php#5.6.19">
<ul><li>Phar:
<ul>
<li>Fixed bug #71498 (Out-of-Bound Read in phar_parse_zipfile()).
</li>
</ul></li>
<li>WDDX:
<ul>
<li>Fixed bug #71587 (Use-After-Free / Double-Free in WDDX
Deserialize).</li>
</ul></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://php.net/ChangeLog-5.php#5.6.19</url>
<url>http://php.net/ChangeLog-5.php#5.5.33</url>
</references>
<dates>
<discovery>2016-03-03</discovery>
<entry>2016-03-13</entry>
</dates>
</vuln>
<vuln vid="e4644df8-e7da-11e5-829d-c80aa9043978">
<topic>openssh -- command injection when X11Forwarding is enabled</topic>
<affects>
<package>
<name>openssh-portable</name>
<range><lt>7.2.p2,1</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.2</ge><lt>10.2_14</lt></range>
<range><ge>10.1</ge><lt>10.1_31</lt></range>
<range><ge>9.3</ge><lt>9.3_39</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSH project reports:</p>
<blockquote cite="http://www.openssh.com/txt/x11fwd.adv">
<p>Missing sanitisation of untrusted input allows an
authenticated user who is able to request X11 forwarding
to inject commands to xauth(1).
</p>
<p>Injection of xauth commands grants the ability to read
arbitrary files under the authenticated user's privilege.
Other xauth commands allow limited information leakage,
file overwrite, port probing and generally expose xauth(1),
which was not written with a hostile user in mind, as an
attack surface.
</p>
<p>Mitigation:</p>
<p>Set X11Forwarding=no in sshd_config. This is the default.</p>
<p>For authorized_keys that specify a "command" restriction,
also set the "restrict" (available in OpenSSH >=7.2) or
"no-x11-forwarding" restrictions.
</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openssh.com/txt/x11fwd.adv</url>
<cvename>CVE-2016-3115</cvename>
<freebsdsa>SA-16:14.openssh</freebsdsa>
</references>
<dates>
<discovery>2016-03-11</discovery>
<entry>2016-03-11</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="70c44cd0-e717-11e5-85be-14dae9d210b8">
<topic>quagga -- stack based buffer overflow vulnerability</topic>
<affects>
<package>
<name>quagga</name>
<range><lt>1.0.20160309</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Donald Sharp reports:</p>
<blockquote cite="https://www.kb.cert.org/vuls/id/270232">
<p>A malicious BGP peer may execute arbitrary code in
particularly configured remote bgpd hosts.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.kb.cert.org/vuls/id/270232</url>
<url>http://savannah.nongnu.org/forum/forum.php?forum_id=8476</url>
<cvename>CVE-2016-2342</cvename>
</references>
<dates>
<discovery>2016-01-27</discovery>
<entry>2016-03-10</entry>
</dates>
</vuln>
<vuln vid="d71831ef-e6f8-11e5-85be-14dae9d210b8">
<topic>ricochet -- information disclosure</topic>
<affects>
<package>
<name>ricochet</name>
<range><lt>1.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>special reports:</p>
<blockquote cite="https://github.com/ricochet-im/ricochet/releases/tag/v1.1.2">
<p>By sending a nickname with some HTML tags in a contact
request, an attacker could cause Ricochet to make network requests
without Tor after the request is accepted, which would reveal the user's
IP address.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/ricochet-im/ricochet/releases/tag/v1.1.2</url>
</references>
<dates>
<discovery>2016-02-15</discovery>
<entry>2016-03-10</entry>
</dates>
</vuln>
<vuln vid="77e0b631-e6cf-11e5-85be-14dae9d210b8">
<topic>pidgin-otr -- use after free</topic>
<affects>
<package>
<name>pidgin-otr</name>
<range><lt>4.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Hanno Böck reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2016/q1/572">
<p>The pidgin-otr plugin version 4.0.2 fixes a heap use after
free error.
The bug is triggered when a user tries to authenticate a buddy and
happens in the function create_smp_dialog.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2016/q1/572</url>
<url>https://bugs.otr.im/issues/88</url>
<url>https://bugs.otr.im/issues/128</url>
<cvename>CVE-2015-8833</cvename>
</references>
<dates>
<discovery>2015-04-04</discovery>
<entry>2016-03-10</entry>
</dates>
</vuln>
<vuln vid="c2b1652c-e647-11e5-85be-14dae9d210b8">
<topic>libotr -- integer overflow</topic>
<affects>
<package>
<name>libotr</name>
<range><lt>4.1.1</lt></range>
</package>
<package>
<name>libotr3</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>X41 D-Sec reports:</p>
<blockquote cite="https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/">
<p>A remote attacker may crash or execute arbitrary code in
libotr by sending large OTR messages.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/</url>
<cvename>CVE-2016-2851</cvename>
</references>
<dates>
<discovery>2016-02-17</discovery>
<entry>2016-03-09</entry>
<modified>2016-03-09</modified>
</dates>
</vuln>
<vuln vid="1bcfd963-e483-41b8-ab8e-bad5c3ce49c9">
<topic>brotli -- buffer overflow</topic>
<affects>
<package>
<name>brotli</name>
<range><ge>0.3.0</ge><lt>0.3.0_1</lt></range>
<range><lt>0.2.0_2</lt></range>
</package>
<package>
<name>libbrotli</name>
<range><lt>0.3.0_3</lt></range>
</package>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>48.0.2564.109</lt></range>
</package>
<package>
<name>firefox</name>
<name>linux-firefox</name>
<range><lt>45.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.42</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>38.7.0,1</lt></range>
</package>
<package>
<name>libxul</name>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>38.7.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_9.html">
<p>[583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.</p>
</blockquote>
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-30/">
<p>Security researcher Luke Li reported a pointer underflow
bug in the Brotli library's decompression that leads to a
buffer overflow. This results in a potentially exploitable
crash when triggered.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1624</cvename>
<cvename>CVE-2016-1968</cvename>
<url>https://github.com/google/brotli/commit/37a320dd81db8d546cd24a45b4c61d87b45dcade</url>
<url>https://chromium.googlesource.com/chromium/src/+/7716418a27d561ee295a99f11fd3865580748de2%5E!/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-30/</url>
<url>https://hg.mozilla.org/releases/mozilla-release/rev/4a5d8ade4e3e</url>
</references>
<dates>
<discovery>2016-02-08</discovery>
<entry>2016-03-08</entry>
<modified>2016-03-08</modified>
</dates>
</vuln>
<vuln vid="2225c5b4-1e5a-44fc-9920-b3201c384a15">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<name>linux-firefox</name>
<range><lt>45.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.42</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>38.7.0,1</lt></range>
</package>
<package>
<name>libxul</name>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>38.7.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox45">
<p>MFSA 2016-16 Miscellaneous memory safety hazards (rv:45.0
/ rv:38.7)</p>
<p>MFSA 2016-17 Local file overwriting and potential
privilege escalation through CSP reports</p>
<p>MFSA 2016-18 CSP reports fail to strip location
information for embedded iframe pages</p>
<p>MFSA 2016-19 Linux video memory DOS with Intel
drivers</p>
<p>MFSA 2016-20 Memory leak in libstagefright when deleting
an array during MP4 processing</p>
<p>MFSA 2016-21 Displayed page address can be overridden</p>
<p>MFSA 2016-22 Service Worker Manager out-of-bounds read in
Service Worker Manager</p>
<p>MFSA 2016-23 Use-after-free in HTML5 string parser</p>
<p>MFSA 2016-24 Use-after-free in SetBody</p>
<p>MFSA 2016-25 Use-after-free when using multiple WebRTC
data channels</p>
<p>MFSA 2016-26 Memory corruption when modifying a file
being read by FileReader</p>
<p>MFSA 2016-27 Use-after-free during XML
transformations</p>
<p>MFSA 2016-28 Addressbar spoofing through history
navigation and Location protocol property</p>
<p>MFSA 2016-29 Same-origin policy violation using
performance.getEntries and history navigation with session
restore</p>
<p>MFSA 2016-31 Memory corruption with malicious NPAPI
plugin</p>
<p>MFSA 2016-32 WebRTC and LibVPX vulnerabilities found
through code inspection</p>
<p>MFSA 2016-33 Use-after-free in GetStaticInstance in
WebRTC</p>
<p>MFSA 2016-34 Out-of-bounds read in HTML parser following
a failed allocation</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1952</cvename>
<cvename>CVE-2016-1953</cvename>
<cvename>CVE-2016-1954</cvename>
<cvename>CVE-2016-1955</cvename>
<cvename>CVE-2016-1956</cvename>
<cvename>CVE-2016-1957</cvename>
<cvename>CVE-2016-1958</cvename>
<cvename>CVE-2016-1959</cvename>
<cvename>CVE-2016-1960</cvename>
<cvename>CVE-2016-1961</cvename>
<cvename>CVE-2016-1962</cvename>
<cvename>CVE-2016-1963</cvename>
<cvename>CVE-2016-1964</cvename>
<cvename>CVE-2016-1965</cvename>
<cvename>CVE-2016-1966</cvename>
<cvename>CVE-2016-1967</cvename>
<cvename>CVE-2016-1970</cvename>
<cvename>CVE-2016-1971</cvename>
<cvename>CVE-2016-1972</cvename>
<cvename>CVE-2016-1973</cvename>
<cvename>CVE-2016-1974</cvename>
<cvename>CVE-2016-1975</cvename>
<cvename>CVE-2016-1976</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2016-16/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-17/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-18/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-19/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-20/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-21/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-22/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-23/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-24/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-25/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-26/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-27/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-28/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-29/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-31/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-32/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-33/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-34/</url>
</references>
<dates>
<discovery>2016-03-08</discovery>
<entry>2016-03-08</entry>
<modified>2016-03-08</modified>
</dates>
</vuln>
<vuln vid="adffe823-e692-4921-ae9c-0b825c218372">
<topic>graphite2 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>graphite2</name>
<range><lt>1.3.6</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>45.0,1</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>38.7.0</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.42</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/">
<p>Security researcher Holger Fuhrmannek and Mozilla
security engineer Tyson Smith reported a number of security
vulnerabilities in the Graphite 2 library affecting version
1.3.5.
The issue reported by Holger Fuhrmannek is a mechanism to
induce stack corruption with a malicious graphite font. This
leads to a potentially exploitable crash when the font is
loaded.
Tyson Smith used the Address Sanitizer tool in concert with
a custom software fuzzer to find a series of uninitialized
memory, out-of-bounds read, and out-of-bounds write errors
when working with fuzzed graphite fonts.</p>
</blockquote>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-38/">
<p>Security researcher James Clawson used the Address
Sanitizer tool to discover an out-of-bounds write in the
Graphite 2 library when loading a crafted Graphite font
file. This results in a potentially exploitable crash.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.mozilla.org/security/advisories/mfsa2016-37/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-38/</url>
<cvename>CVE-2016-1969</cvename>
<cvename>CVE-2016-1977</cvename>
<cvename>CVE-2016-2790</cvename>
<cvename>CVE-2016-2791</cvename>
<cvename>CVE-2016-2792</cvename>
<cvename>CVE-2016-2793</cvename>
<cvename>CVE-2016-2794</cvename>
<cvename>CVE-2016-2795</cvename>
<cvename>CVE-2016-2796</cvename>
<cvename>CVE-2016-2797</cvename>
<cvename>CVE-2016-2798</cvename>
<cvename>CVE-2016-2799</cvename>
<cvename>CVE-2016-2800</cvename>
<cvename>CVE-2016-2801</cvename>
<cvename>CVE-2016-2802</cvename>
</references>
<dates>
<discovery>2016-03-08</discovery>
<entry>2016-03-08</entry>
<modified>2016-03-14</modified>
</dates>
</vuln>
<vuln vid="c4292768-5273-4f17-a267-c5fe35125ce4">
<topic>NSS -- multiple vulnerabilities</topic>
<affects>
<package>
<name>nss</name>
<range><ge>3.20</ge><lt>3.21.1</lt></range>
<range><lt>3.19.2.3</lt></range>
</package>
<package>
<name>linux-c6-nss</name>
<range><ge>3.20</ge><lt>3.21.0_1</lt></range>
<range><lt>3.19.2.3</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>45.0,1</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>38.7.0</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.42</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-35/">
<p>Security researcher Francis Gabriel reported a heap-based
buffer overflow in the way the Network Security Services
(NSS) libraries parsed certain ASN.1 structures. An attacker
could create a specially-crafted certificate which, when
parsed by NSS, would cause it to crash or execute arbitrary
code with the permissions of the user.</p>
</blockquote>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-36/">
<p>Mozilla developer Tim Taubert used the Address Sanitizer
tool and software fuzzing to discover a use-after-free
vulnerability while processing DER encoded keys in the
Network Security Services (NSS) libraries. The vulnerability
overwrites the freed memory with zeroes.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1950</cvename>
<cvename>CVE-2016-1979</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2016-35/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-36/</url>
<url>https://hg.mozilla.org/projects/nss/rev/b9a31471759d</url>
<url>https://hg.mozilla.org/projects/nss/rev/7033b1193c94</url>
</references>
<dates>
<discovery>2016-03-08</discovery>
<entry>2016-03-08</entry>
<modified>2016-09-05</modified>
</dates>
</vuln>
<vuln vid="75091516-6f4b-4059-9884-6727023dc366">
<topic>NSS -- multiple vulnerabilities</topic>
<affects>
<package>
<name>nss</name>
<name>linux-c6-nss</name>
<range><lt>3.21</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>44.0,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.41</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-07/">
<p>Security researcher Hanno Böck reported that calculations
with mp_div and mp_exptmod in Network Security Services
(NSS) can produce wrong results in some circumstances. These
functions are used within NSS for a variety of cryptographic
division functions, leading to potential cryptographic
weaknesses.</p>
</blockquote>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2016-15/">
<p>Mozilla developer Eric Rescorla reported that a failed
allocation during DHE and ECDHE handshakes would lead to a
use-after-free vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1938</cvename>
<cvename>CVE-2016-1978</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2016-07/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-15/</url>
<url>https://hg.mozilla.org/projects/nss/rev/a555bf0fc23a</url>
<url>https://hg.mozilla.org/projects/nss/rev/a245a4ccd354</url>
</references>
<dates>
<discovery>2016-01-26</discovery>
<entry>2016-03-08</entry>
</dates>
</vuln>
<vuln vid="f9e6c0d1-e4cc-11e5-b2bd-002590263bf5">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py27-django</name>
<name>py32-django</name>
<name>py33-django</name>
<name>py34-django</name>
<name>py35-django</name>
<range><lt>1.8.10</lt></range>
</package>
<package>
<name>py27-django18</name>
<name>py32-django18</name>
<name>py33-django18</name>
<name>py34-django18</name>
<name>py35-django18</name>
<range><lt>1.8.10</lt></range>
</package>
<package>
<name>py27-django19</name>
<name>py32-django19</name>
<name>py33-django19</name>
<name>py34-django19</name>
<name>py35-django19</name>
<range><lt>1.9.3</lt></range>
</package>
<package>
<name>py27-django-devel</name>
<name>py32-django-devel</name>
<name>py33-django-devel</name>
<name>py34-django-devel</name>
<name>py35-django-devel</name>
<range><le>20150709,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tim Graham reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/">
<p>Malicious redirect and possible XSS attack via user-supplied
redirect URLs containing basic auth</p>
<p>User enumeration through timing difference on password hasher work
factor upgrade</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2512</cvename>
<cvename>CVE-2016-2513</cvename>
<url>https://www.djangoproject.com/weblog/2016/mar/01/security-releases/</url>
</references>
<dates>
<discovery>2016-03-01</discovery>
<entry>2016-03-08</entry>
</dates>
</vuln>
<vuln vid="fef03980-e4c6-11e5-b2bd-002590263bf5">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.4.2,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>ja-wordpress</name>
<name>ru-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samuel Sidler reports:</p>
<blockquote cite="https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/">
<p>WordPress 4.4.2 is now available. This is a security release for
all previous versions and we strongly encourage you to update your
sites immediately.</p>
<p>WordPress versions 4.4.1 and earlier are affected by two security
issues: a possible SSRF for certain local URIs, reported by Ronni
Skansing; and an open redirection attack, reported by Shailesh
Suthar.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2221</cvename>
<cvename>CVE-2016-2222</cvename>
<url>http://www.openwall.com/lists/oss-security/2016/02/04/6</url>
<url>https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/</url>
</references>
<dates>
<discovery>2016-02-02</discovery>
<entry>2016-03-08</entry>
</dates>
</vuln>
<vuln vid="7f0fbb30-e462-11e5-a3f3-080027ef73ec">
<topic>PuTTY -- old-style scp downloads may allow remote code execution</topic>
<affects>
<package>
<name>putty</name>
<range><lt>0.67</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Simon G. Tatham reports:</p>
<blockquote cite="http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html">
<p>Many versions of PSCP prior to 0.67 have a stack corruption
vulnerability in their treatment of the 'sink' direction (i.e.
downloading from server to client) of the old-style SCP protocol.
</p>
<p>In order for this vulnerability to be exploited, the user must
connect to a malicious server and attempt to download any file. [...]
you can work around it in a vulnerable PSCP by using the -sftp
option to force the use of the newer SFTP protocol, provided your
server supports that protocol.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html</url>
<cvename>CVE-2016-2563</cvename>
<url>https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563</url>
</references>
<dates>
<discovery>2016-02-26</discovery>
<entry>2016-03-07</entry>
</dates>
</vuln>
<vuln vid="12d1b5a6-e39d-11e5-9f77-5453ed2e2b49">
<topic>websvn -- reflected cross-site scripting</topic>
<affects>
<package>
<name>websvn</name>
<range><lt>2.3.3_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sebastien Delafond reports:</p>
<blockquote cite="https://lists.debian.org/debian-security-announce/2016/msg00060.html">
<p>Jakub Palaczynski discovered that websvn, a web viewer for
Subversion repositories, does not correctly sanitize user-supplied
input, which allows a remote user to run reflected cross-site
scripting attacks.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2511</cvename>
<url>https://lists.debian.org/debian-security-announce/2016/msg00060.html</url>
<url>http://seclists.org/fulldisclosure/2016/Feb/99</url>
</references>
<dates>
<discovery>2016-02-22</discovery>
<entry>2016-03-06</entry>
</dates>
</vuln>
<vuln vid="f69e1f09-e39b-11e5-9f77-5453ed2e2b49">
<topic>websvn -- information disclosure</topic>
<affects>
<package>
<name>websvn</name>
<range><lt>2.3.3_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Thijs Kinkhorst reports:</p>
<blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682">
<p>James Clawson reported:</p>
<p>"Arbitrary files with a known path can be accessed in websvn by
committing a symlink to a repository and then downloading the file
(using the download link).</p>
<p>An attacker must have write access to the repo, and the download
option must have been enabled in the websvn config file."</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-6892</cvename>
<url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6892</url>
<url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682</url>
</references>
<dates>
<discovery>2015-01-18</discovery>
<entry>2016-03-06</entry>
</dates>
</vuln>
<vuln vid="5a016dd0-8aa8-490e-a596-55f4cc17e4ef">
<topic>rails -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-actionpack</name>
<range><lt>3.2.22.2</lt></range>
</package>
<package>
<name>rubygem-actionpack4</name>
<range><lt>4.2.5.2</lt></range>
</package>
<package>
<name>rubygem-actionview</name>
<range><lt>4.2.5.2</lt></range>
</package>
<package>
<name>rubygem-rails</name>
<range><lt>3.2.22.2</lt></range>
</package>
<package>
<name>rubygem-rails4</name>
<range><lt>4.2.5.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby on Rails blog:</p>
<blockquote cite="http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/">
<p>Rails 4.2.5.2, 4.1.14.2, and 3.2.22.2 have been released! These
contain the following important security fixes, and it is
recommended that users upgrade as soon as possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2097</cvename>
<cvename>CVE-2016-2098</cvename>
<url>https://groups.google.com/d/msg/rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ</url>
<url>https://groups.google.com/d/msg/rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ</url>
<url>http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/</url>
</references>
<dates>
<discovery>2016-02-29</discovery>
<entry>2016-03-06</entry>
</dates>
</vuln>
<vuln vid="f85fa236-e2a6-412e-b5c7-c42120892de5">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>49.0.2623.75</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.de/2016/03/stable-channel-update.html">
<p>[560011] High CVE-2016-1630: Same-origin bypass in Blink.</p>
<p>[569496] High CVE-2016-1631: Same-origin bypass in Pepper Plugin.</p>
<p>[549986] High CVE-2016-1632: Bad cast in Extensions.</p>
<p>[572537] High CVE-2016-1633: Use-after-free in Blink.</p>
<p>[559292] High CVE-2016-1634: Use-after-free in Blink.</p>
<p>[585268] High CVE-2016-1635: Use-after-free in Blink.</p>
<p>[584155] High CVE-2016-1636: SRI Validation Bypass.</p>
<p>[555544] Medium CVE-2016-1637: Information Leak in Skia.</p>
<p>[585282] Medium CVE-2016-1638: WebAPI Bypass.</p>
<p>[572224] Medium CVE-2016-1639: Use-after-free in WebRTC.</p>
<p>[550047] Medium CVE-2016-1640: Origin confusion in Extensions UI.</p>
<p>[583718] Medium CVE-2016-1641: Use-after-free in Favicon.</p>
<p>[591402] CVE-2016-1642: Various fixes from internal audits, fuzzing and other initiatives.</p>
<p>Multiple vulnerabilities in V8 fixed.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1630</cvename>
<cvename>CVE-2016-1631</cvename>
<cvename>CVE-2016-1632</cvename>
<cvename>CVE-2016-1633</cvename>
<cvename>CVE-2016-1634</cvename>
<cvename>CVE-2016-1635</cvename>
<cvename>CVE-2016-1636</cvename>
<cvename>CVE-2016-1637</cvename>
<cvename>CVE-2016-1638</cvename>
<cvename>CVE-2016-1639</cvename>
<cvename>CVE-2016-1640</cvename>
<cvename>CVE-2016-1641</cvename>
<cvename>CVE-2016-1642</cvename>
<url>http://googlechromereleases.blogspot.de/2016/03/stable-channel-update.html</url>
</references>
<dates>
<discovery>2016-03-02</discovery>
<entry>2016-03-05</entry>
</dates>
</vuln>
<vuln vid="6b3591ea-e2d2-11e5-a6be-5453ed2e2b49">
<topic>libssh -- weak Diffie-Hellman secret generation</topic>
<affects>
<package>
<name>libssh</name>
<range><lt>0.7.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Andreas Schneider reports:</p>
<blockquote cite="https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/">
<p>libssh versions 0.1 and above have a bits/bytes confusion bug and
generate an abnormally short ephemeral secret for the
diffie-hellman-group1 and diffie-hellman-group14 key exchange
methods. The resulting secret is 128 bits long, instead of the
recommended sizes of 1024 and 2048 bits respectively. There are
practical algorithms (Baby steps/Giant steps, Pollard’s rho) that can
solve this problem in O(2^63) operations.</p>
<p>Both client and server are vulnerable, pre-authentication.
This vulnerability could be exploited by an eavesdropper with enough
resources to decrypt or intercept SSH sessions. The bug was found
during an internal code review by Aris Adamantiadis of the libssh
team.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-0739</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0739</url>
<url>https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/</url>
</references>
<dates>
<discovery>2016-02-23</discovery>
<entry>2016-03-05</entry>
</dates>
</vuln>
<vuln vid="7d09b9ee-e0ba-11e5-abc4-6fb07af136d2">
<topic>exim -- local privilege escalation</topic>
<affects>
<package>
<name>exim</name>
<range><lt>4.86.2</lt></range>
<range><lt>4.85.2</lt></range>
<range><lt>4.84.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Exim development team reports:</p>
<blockquote cite="https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html">
<p>All installations having Exim set-uid root and using 'perl_startup' are
vulnerable to a local privilege escalation. Any user who can start an
instance of Exim (and this is normally <strong>any</strong> user) can gain root
privileges. If you do not use 'perl_startup' you <strong>should</strong> be safe.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1531</cvename>
<url>https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html</url>
</references>
<dates>
<discovery>2016-02-26</discovery>
<entry>2016-03-02</entry>
</dates>
</vuln>
<vuln vid="db3301be-e01c-11e5-b2bd-002590263bf5">
<topic>cacti -- multiple vulnerabilities</topic>
<affects>
<package>
<name>cacti</name>
<range><lt>0.8.8g</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Cacti Group, Inc. reports:</p>
<blockquote cite="http://www.cacti.net/release_notes_0_8_8g.php">
<p>Changelog</p>
<ul>
<li>bug:0002652: CVE-2015-8604: SQL injection in graphs_new.php</li>
<li>bug:0002655: CVE-2015-8377: SQL injection vulnerability in the
host_new_graphs_save function in graphs_new.php</li>
<li>bug:0002656: Authentication using web authentication as a user
not in the cacti database allows complete access</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8377</cvename>
<cvename>CVE-2015-8604</cvename>
<cvename>CVE-2016-2313</cvename>
<url>http://www.cacti.net/release_notes_0_8_8g.php</url>
<url>http://bugs.cacti.net/view.php?id=2652</url>
<url>http://bugs.cacti.net/view.php?id=2655</url>
<url>http://bugs.cacti.net/view.php?id=2656</url>
<url>http://www.openwall.com/lists/oss-security/2016/02/09/3</url>
</references>
<dates>
<discovery>2016-02-21</discovery>
<entry>2016-03-02</entry>
</dates>
</vuln>
<vuln vid="f682a506-df7c-11e5-81e4-6805ca0b3d42">
<topic>phpmyadmin -- multiple XSS and a man-in-the-middle vulnerability</topic>
<affects>
<package>
<name>phpmyadmin</name>
<range><ge>4.5.0</ge><lt>4.5.5.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-10/">
<p>XSS vulnerability in SQL parser.</p>
<p>Using a crafted SQL query, it is possible to trigger an XSS
attack through the SQL query page.</p>
<p>We consider this vulnerability to be non-critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-11/">
<p>Multiple XSS vulnerabilities.</p>
<p>By sending a specially crafted URL as part of the HOST
header, it is possible to trigger an XSS attack.</p>
<p>A weakness was found that allows an XSS attack with Internet
Explorer versions older than 8 and Safari on Windows using a
specially crafted URL.</p>
<p>Using a crafted SQL query, it is possible to trigger an XSS
attack through the SQL query page.</p>
<p>Using a crafted parameter value, it is possible to trigger
an XSS attack in user accounts page.</p>
<p>Using a crafted parameter value, it is possible to trigger
an XSS attack in zoom search page.</p>
<p>We consider this vulnerability to be non-critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-12/">
<p>Multiple XSS vulnerabilities.</p>
<p>With a crafted table/column name it is possible to trigger
an XSS attack in the database normalization page.</p>
<p>With a crafted parameter it is possible to trigger an XSS
attack in the database structure page.</p>
<p>With a crafted parameter it is possible to trigger an XSS
attack in central columns page.</p>
<p>We consider this vulnerability to be non-critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-13/">
<p>Vulnerability allowing man-in-the-middle attack on API
call to GitHub.</p>
<p>A vulnerability in the API call to GitHub can be exploited
to perform a man-in-the-middle attack.</p>
<p>We consider this vulnerability to be serious.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2016-10/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-11/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-12/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-13/</url>
<cvename>CVE-2016-2559</cvename>
<cvename>CVE-2016-2560</cvename>
<cvename>CVE-2016-2561</cvename>
<cvename>CVE-2016-2562</cvename>
</references>
<dates>
<discovery>2016-02-29</discovery>
<entry>2016-03-01</entry>
</dates>
</vuln>
<vuln vid="45117749-df55-11e5-b2bd-002590263bf5">
<topic>wireshark -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wireshark</name>
<name>wireshark-lite</name>
<name>wireshark-qt5</name>
<name>tshark</name>
<name>tshark-lite</name>
<range><lt>2.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark development team reports:</p>
<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.2.html">
<p>The following vulnerabilities have been fixed:</p>
<ul>
<li><p>wnpa-sec-2016-02</p>
<p>ASN.1 BER dissector crash. (Bug 11828) CVE-2016-2522</p></li>
<li><p>wnpa-sec-2016-03</p>
<p>DNP dissector infinite loop. (Bug 11938) CVE-2016-2523</p></li>
<li><p>wnpa-sec-2016-04</p>
<p>X.509AF dissector crash. (Bug 12002) CVE-2016-2524</p></li>
<li><p>wnpa-sec-2016-05</p>
<p>HTTP/2 dissector crash. (Bug 12077) CVE-2016-2525</p></li>
<li><p>wnpa-sec-2016-06</p>
<p>HiQnet dissector crash. (Bug 11983) CVE-2016-2526</p></li>
<li><p>wnpa-sec-2016-07</p>
<p>3GPP TS 32.423 Trace file parser crash. (Bug 11982) CVE-2016-2527</p></li>
<li><p>wnpa-sec-2016-08</p>
<p>LBMC dissector crash. (Bug 11984) CVE-2016-2528</p></li>
<li><p>wnpa-sec-2016-09</p>
<p>iSeries file parser crash. (Bug 11985) CVE-2016-2529</p></li>
<li><p>wnpa-sec-2016-10</p>
<p>RSL dissector crash. (Bug 11829) CVE-2016-2530
CVE-2016-2531</p></li>
<li><p>wnpa-sec-2016-11</p>
<p>LLRP dissector crash. (Bug 12048) CVE-2016-2532</p></li>
<li><p>wnpa-sec-2016-12</p>
<p>Ixia IxVeriWave file parser crash. (Bug 11795)</p></li>
<li><p>wnpa-sec-2016-13</p>
<p>IEEE 802.11 dissector crash. (Bug 11818)</p></li>
<li><p>wnpa-sec-2016-14</p>
<p>GSM A-bis OML dissector crash. (Bug 11825)</p></li>
<li><p>wnpa-sec-2016-15</p>
<p>ASN.1 BER dissector crash. (Bug 12106)</p></li>
<li><p>wnpa-sec-2016-16</p>
<p>SPICE dissector large loop. (Bug 12151)</p></li>
<li><p>wnpa-sec-2016-17</p>
<p>NFS dissector crash.</p></li>
<li><p>wnpa-sec-2016-18</p>
<p>ASN.1 BER dissector crash. (Bug 11822)</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2522</cvename>
<cvename>CVE-2016-2523</cvename>
<cvename>CVE-2016-2524</cvename>
<cvename>CVE-2016-2525</cvename>
<cvename>CVE-2016-2526</cvename>
<cvename>CVE-2016-2527</cvename>
<cvename>CVE-2016-2528</cvename>
<cvename>CVE-2016-2529</cvename>
<cvename>CVE-2016-2530</cvename>
<cvename>CVE-2016-2531</cvename>
<cvename>CVE-2016-2532</cvename>
<cvename>CVE-2016-4415</cvename>
<cvename>CVE-2016-4416</cvename>
<cvename>CVE-2016-4417</cvename>
<cvename>CVE-2016-4418</cvename>
<cvename>CVE-2016-4419</cvename>
<cvename>CVE-2016-4420</cvename>
<cvename>CVE-2016-4421</cvename>
<url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.2.html</url>
<url>http://www.openwall.com/lists/oss-security/2016/05/01/1</url>
</references>
<dates>
<discovery>2016-02-26</discovery>
<entry>2016-03-01</entry>
<modified>2016-07-04</modified>
</dates>
</vuln>
<vuln vid="42c2c422-df55-11e5-b2bd-002590263bf5">
<topic>wireshark -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wireshark</name>
<name>wireshark-lite</name>
<name>wireshark-qt5</name>
<name>tshark</name>
<name>tshark-lite</name>
<range><lt>2.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark development team reports:</p>
<blockquote cite="https://www.wireshark.org/docs/relnotes/wireshark-2.0.1.html">
<p>The following vulnerabilities have been fixed:</p>
<ul>
<li><p>wnpa-sec-2015-31</p>
<p>NBAP dissector crashes. (Bug 11602, Bug 11835, Bug 11841)</p>
</li>
<li><p>wnpa-sec-2015-37</p>
<p>NLM dissector crash.</p></li>
<li><p>wnpa-sec-2015-39</p>
<p>BER dissector crash.</p></li>
<li><p>wnpa-sec-2015-40</p>
<p>Zlib decompression crash. (Bug 11548)</p></li>
<li><p>wnpa-sec-2015-41</p>
<p>SCTP dissector crash. (Bug 11767)</p></li>
<li><p>wnpa-sec-2015-42</p>
<p>802.11 decryption crash. (Bug 11790, Bug 11826)</p></li>
<li><p>wnpa-sec-2015-43</p>
<p>DIAMETER dissector crash. (Bug 11792)</p></li>
<li><p>wnpa-sec-2015-44</p>
<p>VeriWave file parser crashes. (Bug 11789, Bug 11791)</p></li>
<li><p>wnpa-sec-2015-45</p>
<p>RSVP dissector crash. (Bug 11793)</p></li>
<li><p>wnpa-sec-2015-46</p>
<p>ANSI A and GSM A dissector crashes. (Bug 11797)</p></li>
<li><p>wnpa-sec-2015-47</p>
<p>Ascend file parser crash. (Bug 11794)</p></li>
<li><p>wnpa-sec-2015-48</p>
<p>NBAP dissector crash. (Bug 11815)</p></li>
<li><p>wnpa-sec-2015-49</p>
<p>RSL dissector crash. (Bug 11829)</p></li>
<li><p>wnpa-sec-2015-50</p>
<p>ZigBee ZCL dissector crash. (Bug 11830)</p></li>
<li><p>wnpa-sec-2015-51</p>
<p>Sniffer file parser crash. (Bug 11827)</p></li>
<li><p>wnpa-sec-2015-52</p>
<p>NWP dissector crash. (Bug 11726)</p></li>
<li><p>wnpa-sec-2015-53</p>
<p>BT ATT dissector crash. (Bug 11817)</p></li>
<li><p>wnpa-sec-2015-54</p>
<p>MP2T file parser crash. (Bug 11820)</p></li>
<li><p>wnpa-sec-2015-55</p>
<p>MP2T file parser crash. (Bug 11821)</p></li>
<li><p>wnpa-sec-2015-56</p>
<p>S7COMM dissector crash. (Bug 11823)</p></li>
<li><p>wnpa-sec-2015-57</p>
<p>IPMI dissector crash. (Bug 11831)</p></li>
<li><p>wnpa-sec-2015-58</p>
<p>TDS dissector crash. (Bug 11846)</p></li>
<li><p>wnpa-sec-2015-59</p>
<p>PPI dissector crash. (Bug 11876)</p></li>
<li><p>wnpa-sec-2015-60</p>
<p>MS-WSP dissector crash. (Bug 11931)</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://www.wireshark.org/docs/relnotes/wireshark-2.0.1.html</url>
</references>
<dates>
<discovery>2015-12-29</discovery>
<entry>2016-03-01</entry>
</dates>
</vuln>
<vuln vid="7bbc3016-de63-11e5-8fa8-14dae9d210b8">
<topic>tomcat -- multiple vulnerabilities</topic>
<affects>
<package>
<name>tomcat7</name>
<range><lt>7.0.68</lt></range>
</package>
<package>
<name>tomcat8</name>
<range><lt>8.0.30</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mark Thomas reports:</p>
<blockquote cite="http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF96.7070701@apache.org%3e">
<ul>
<li><p>CVE-2015-5346 Apache Tomcat Session fixation</p></li>
<li><p>CVE-2015-5351 Apache Tomcat CSRF token leak</p></li>
<li><p>CVE-2016-0763 Apache Tomcat Security Manager Bypass</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF96.7070701@apache.org%3e</url>
<url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF7B.1010901@apache.org%3e</url>
<url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEFB2.9030605@apache.org%3e</url>
<cvename>CVE-2015-5346</cvename>
<cvename>CVE-2015-5351</cvename>
<cvename>CVE-2016-0763</cvename>
</references>
<dates>
<discovery>2016-02-22</discovery>
<entry>2016-02-28</entry>
</dates>
</vuln>
<vuln vid="1f1124fe-de5c-11e5-8fa8-14dae9d210b8">
<topic>tomcat -- multiple vulnerabilities</topic>
<affects>
<package>
<name>tomcat</name>
<range><lt>6.0.45</lt></range>
</package>
<package>
<name>tomcat7</name>
<range><lt>7.0.68</lt></range>
</package>
<package>
<name>tomcat8</name>
<range><lt>8.0.30</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mark Thomas reports:</p>
<blockquote cite="http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF96.7070701@apache.org%3e">
<ul>
<li><p>CVE-2015-5345 Apache Tomcat Directory disclosure</p></li>
<li><p>CVE-2016-0706 Apache Tomcat Security Manager bypass</p></li>
<li><p>CVE-2016-0714 Apache Tomcat Security Manager Bypass</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF96.7070701@apache.org%3e</url>
<url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF6A.70703@apache.org%3e</url>
<url>http://mail-archives.apache.org/mod_mbox/www-announce/201602.mbox/%3c56CAEF4F.5090003@apache.org%3e</url>
<cvename>CVE-2015-5345</cvename>
<cvename>CVE-2015-5346</cvename>
<cvename>CVE-2016-0706</cvename>
<cvename>CVE-2016-0714</cvename>
</references>
<dates>
<discovery>2016-02-22</discovery>
<entry>2016-02-28</entry>
<modified>2017-03-18</modified>
</dates>
</vuln>
<vuln vid="a7f2e9c6-de20-11e5-8458-6cc21735f730">
<topic>xerces-c3 -- Parser Crashes on Malformed Input</topic>
<affects>
<package>
<name>xerces-c3</name>
<range><lt>3.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Software Foundation reports:</p>
<blockquote cite="http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt">
<p>The Xerces-C XML parser mishandles certain kinds of malformed input
documents, resulting in buffer overflows during processing and error
reporting. The overflows can manifest as a segmentation fault or as
memory corruption during a parse operation. The bugs allow for a
denial of service attack in many applications by an unauthenticated
attacker, and could conceivably result in remote code execution.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-0729</cvename>
<url>http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt</url>
</references>
<dates>
<discovery>2016-02-25</discovery>
<entry>2016-02-28</entry>
</dates>
</vuln>
<vuln vid="6b1d8a39-ddb3-11e5-8fa8-14dae9d210b8">
<topic>django -- regression in permissions model</topic>
<affects>
<package>
<name>py27-django19</name>
<name>py33-django19</name>
<name>py34-django19</name>
<name>py35-django19</name>
<range><lt>1.9.2</lt></range>
</package>
<package>
<name>py27-django-devel</name>
<name>py33-django-devel</name>
<name>py34-django-devel</name>
<name>py35-django-devel</name>
<range><le>20150709,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tim Graham reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/">
<p>User with "change" but not "add" permission can create
objects for ModelAdmin’s with save_as=True</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/</url>
<cvename>CVE-2016-2048</cvename>
</references>
<dates>
<discovery>2016-02-01</discovery>
<entry>2016-02-28</entry>
</dates>
</vuln>
<vuln vid="81f9d6a4-ddaf-11e5-b2bd-002590263bf5">
<topic>xen-kernel -- VMX: guest user mode may crash guest with non-canonical RIP</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.5.2_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-170.html">
<p>VMX refuses attempts to enter a guest with an instruction pointer
which doesn't satisfy certain requirements. In particular, the
instruction pointer needs to be canonical when entering a guest
currently in 64-bit mode. This is the case even if the VM entry
information specifies an exception to be injected immediately (in
which case the bad instruction pointer would possibly never get used
for other than pushing onto the exception handler's stack).
Provided the guest OS allows user mode to map the virtual memory
space immediately below the canonical/non-canonical address
boundary, a non-canonical instruction pointer can result even from
normal user mode execution. VM entry failure, however, is fatal to
the guest.</p>
<p>Malicious HVM guest user mode code may be able to crash the
guest.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2271</cvename>
<url>http://xenbits.xen.org/xsa/advisory-170.html</url>
</references>
<dates>
<discovery>2016-02-17</discovery>
<entry>2016-02-28</entry>
</dates>
</vuln>
<vuln vid="80adc394-ddaf-11e5-b2bd-002590263bf5">
<topic>xen-kernel -- VMX: intercept issue with INVLPG on non-canonical address</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><ge>3.3</ge><lt>4.5.2_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-168.html">
<p>While INVLPG does not cause a General Protection Fault when used on
a non-canonical address, INVVPID in its "individual address"
variant, which is used to back the intercepted INVLPG in certain
cases, fails in such cases. Failure of INVVPID results in a
hypervisor bug check.</p>
<p>A malicious guest can crash the host, leading to a Denial of
Service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1571</cvename>
<url>http://xenbits.xen.org/xsa/advisory-168.html</url>
</references>
<dates>
<discovery>2016-01-20</discovery>
<entry>2016-02-28</entry>
</dates>
</vuln>
<vuln vid="7ed7c36f-ddaf-11e5-b2bd-002590263bf5">
<topic>xen-kernel -- PV superpage functionality missing sanity checks</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><eq>3.4.0</eq></range>
<range><eq>3.4.1</eq></range>
<range><ge>4.1</ge><lt>4.5.2_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-167.html">
<p>The PV superpage functionality lacks certain validity checks on
data being passed to the hypervisor by guests. This is the case
for the page identifier (MFN) passed to MMUEXT_MARK_SUPER and
MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as
well as for various forms of page table updates.</p>
<p>Use of the feature, which is disabled by default, may have unknown
effects, ranging from information leaks through Denial of Service to
privilege escalation.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1570</cvename>
<url>http://xenbits.xen.org/xsa/advisory-167.html</url>
</references>
<dates>
<discovery>2016-01-20</discovery>
<entry>2016-02-28</entry>
</dates>
</vuln>
<vuln vid="2d299950-ddb0-11e5-8fa8-14dae9d210b8">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle28</name>
<range><lt>2.8.10</lt></range>
</package>
<package>
<name>moodle29</name>
<range><lt>2.9.4</lt></range>
</package>
<package>
<name>moodle30</name>
<range><lt>3.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Marina Glancy reports:</p>
<blockquote cite="https://moodle.org/security/">
<ul>
<li><p>MSA-16-0001: Two enrolment-related web services don't
check course visibility</p></li>
<li><p>MSA-16-0002: XSS Vulnerability in course management
search</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://moodle.org/security/</url>
<cvename>CVE-2016-0724</cvename>
<cvename>CVE-2016-0725</cvename>
</references>
<dates>
<discovery>2016-01-18</discovery>
<entry>2016-02-28</entry>
</dates>
</vuln>
<vuln vid="6540c8f0-dca3-11e5-8fa8-14dae9d210b8">
<topic>pitivi -- code execution</topic>
<affects>
<package>
<name>pitivi</name>
<range><lt>0.95</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Luke Farone reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/23/8">
<p>Double-clicking a file in the user's media library with a
specially-crafted path or filename allows for arbitrary code execution
with the permissions of the user running Pitivi.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2015/12/23/8</url>
<url>https://git.gnome.org/browse/pitivi/commit/?id=45a4c84edb3b4343f199bba1c65502e3f49f5bb2</url>
<cvename>CVE-2015-0855</cvename>
</references>
<dates>
<discovery>2015-09-13</discovery>
<entry>2016-02-26</entry>
</dates>
</vuln>
<vuln vid="90c8385a-dc9f-11e5-8fa8-14dae9d210b8">
<topic>giflib -- heap overflow</topic>
<affects>
<package>
<name>giflib</name>
<range><lt>5.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Hans Jerry Illikainen reports:</p>
<blockquote cite="http://seclists.org/bugtraq/2015/Dec/114">
<p>A heap overflow may occur in the giffix utility included in
giflib-5.1.1 when processing records of the type
`IMAGE_DESC_RECORD_TYPE' due to the allocated size of `LineBuffer'
equaling the value of the logical screen width, `GifFileIn->SWidth',
while subsequently having `GifFileIn->Image.Width' bytes of data written
to it.</p>
</blockquote>
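<p>The following is an added example, not giflib code or its fix: it reproduces the
pattern the report describes (a LineBuffer allocated from SWidth, rows of
Image.Width bytes copied into it) together with the per-image bound check that
keeps the copy inside the buffer. The gif_screen and gif_image structs are
hypothetical stand-ins named after the advisory's fields, and the descriptors are
constructed for the demonstration, not read from a file.</p>
<pre><![CDATA[
```c
/* Added example, not giflib code: the giffix pattern of allocating a
 * line buffer once from the logical screen width and then copying each
 * image's rows into it, with the per-image check that makes the copy
 * safe.  The descriptor structs are minimal stand-ins (hypothetical),
 * named after the advisory's SWidth and Image.Width fields. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct gif_screen { uint16_t SWidth, SHeight; };            /* logical screen */
struct gif_image  { uint16_t Left, Top, Width, Height; };   /* image descriptor */

/* Returns 1 if the image lies inside the logical screen, else 0.
 * 32-bit arithmetic keeps Left + Width from wrapping in 16 bits. */
int image_fits_screen(const struct gif_screen *s, const struct gif_image *img)
{
    uint32_t right  = (uint32_t)img->Left + img->Width;
    uint32_t bottom = (uint32_t)img->Top  + img->Height;
    return img->Width > 0 && img->Height > 0 &&
           right <= s->SWidth && bottom <= s->SHeight;
}

/* Copy one decoded row into LineBuffer.  Returns bytes copied, or -1 if
 * Width exceeds the buffer: in giflib 5.1.1 this copy ran with a buffer
 * of SWidth bytes and a row of Image.Width bytes, unchecked. */
long copy_row(uint8_t *LineBuffer, size_t LineBufferSize,
              const uint8_t *row, size_t Width)
{
    if (Width > LineBufferSize)
        return -1;
    memcpy(LineBuffer, row, Width);
    return (long)Width;
}

/* Walk a sequence of image descriptors the way giffix walks
 * IMAGE_DESC_RECORD_TYPE records.  Returns the number of images
 * accepted, or -1 at the first one that does not fit. */
long process_images(const struct gif_screen *s,
                    const struct gif_image *imgs, size_t n)
{
    if (s->SWidth == 0)
        return -1;
    uint8_t *LineBuffer = malloc(s->SWidth);   /* sized from the screen, as giffix does */
    uint8_t *row = malloc(65535);              /* constructed row data, max 16-bit width */
    long accepted = 0;
    if (!LineBuffer || !row) {
        accepted = -1;
    } else {
        memset(row, 0x41, 65535);
        for (size_t i = 0; i < n; i++) {
            /* Validate the descriptor first, then let copy_row enforce the
             * same bound again at the point of the write. */
            if (!image_fits_screen(s, &imgs[i]) ||
                copy_row(LineBuffer, s->SWidth, row, imgs[i].Width) < 0) {
                accepted = -1;
                break;
            }
            accepted++;
        }
    }
    free(row);
    free(LineBuffer);
    return accepted;
}

/* Constructed descriptors (not from a real file): a 320x200 screen, a
 * sequence that fits, one whose second image is wider than SWidth, and
 * one whose Left + Width would wrap if computed in 16 bits. */
static const struct gif_screen screen = { 320, 200 };
static const struct gif_image fits[]  = { { 0, 0, 320, 200 }, { 10, 10, 100, 50 } };
static const struct gif_image wide[]  = { { 0, 0, 320, 200 }, { 0, 0, 1000, 10 } };
static const struct gif_image wraps   = { 65535, 0, 2, 1 };

int main(void)
{
    printf("fits  -> %ld\n", process_images(&screen, fits, 2));
    printf("wide  -> %ld\n", process_images(&screen, wide, 2));
    printf("wraps -> %d\n",  image_fits_screen(&screen, &wraps));
    return 0;
}
```
]]></pre>
<p>The check belongs at the descriptor, before any row is decoded, because the
buffer was sized from a different field (the screen descriptor) than the one that
drives the write (the image descriptor); the second check inside copy_row is
deliberate redundancy at the point of the memcpy.</p>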
</body>
</description>
<references>
<url>http://seclists.org/bugtraq/2015/Dec/114</url>
<cvename>CVE-2015-7555</cvename>
</references>
<dates>
<discovery>2015-12-21</discovery>
<entry>2016-02-26</entry>
</dates>
</vuln>
<vuln vid="59a0af97-dbd4-11e5-8fa8-14dae9d210b8">
<topic>drupal -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal6</name>
<range><lt>6.38</lt></range>
</package>
<package>
<name>drupal7</name>
<range><lt>7.43</lt></range>
</package>
<package>
<name>drupal8</name>
<range><lt>8.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Security Team reports:</p>
<blockquote cite="https://www.drupal.org/SA-CORE-2016-001">
<ul>
<li><p>File upload access bypass and denial of service (File
module - Drupal 7 and 8 - Moderately Critical)</p></li>
<li><p>Brute force amplification attacks via XML-RPC (XML-RPC
server - Drupal 6 and 7 - Moderately Critical)</p></li>
<li><p>Open redirect via path manipulation (Base system -
Drupal 6, 7 and 8 - Moderately Critical) </p></li>
<li><p>Form API ignores access restrictions on submit buttons
(Form API - Drupal 6 - Critical)</p></li>
<li><p>HTTP header injection using line breaks (Base system -
Drupal 6 - Moderately Critical)</p></li>
<li><p>Open redirect via double-encoded 'destination'
parameter (Base system - Drupal 6 - Moderately Critical)</p></li>
<li><p>Reflected file download vulnerability (System module -
Drupal 6 and 7 - Moderately Critical)</p></li>
<li><p>Saving user accounts can sometimes grant the user all
roles (User module - Drupal 6 and 7 - Less Critical)</p></li>
<li><p>Email address can be matched to an account (User module
- Drupal 7 and 8 - Less Critical)</p></li>
<li><p>Session data truncation can lead to unserialization of
user provided data (Base system - Drupal 6 - Less Critical)</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://www.drupal.org/SA-CORE-2016-001</url>
</references>
<dates>
<discovery>2016-02-24</discovery>
<entry>2016-02-25</entry>
</dates>
</vuln>
<vuln vid="7e01df39-db7e-11e5-b937-00e0814cab4e">
<topic>jenkins -- multiple vulnerabilities</topic>
<affects>
<package>
<name>jenkins</name>
<range><le>1.650</le></range>
</package>
<package>
<name>jenkins-lts</name>
<range><le>1.642.2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Security+Advisory+2016-02-24">
<h1>Description</h1>
<h5>SECURITY-232 / CVE-2016-0788 (Remote code execution vulnerability in remoting module)</h5>
<p>A vulnerability in the Jenkins remoting module allowed
unauthenticated remote attackers to open a JRMP listener on the
server hosting the Jenkins master process, which allowed arbitrary
code execution.</p>
<h5>SECURITY-238 / CVE-2016-0789 (HTTP response splitting vulnerability)</h5>
<p>An HTTP response splitting vulnerability in the CLI command
documentation allowed attackers to craft Jenkins URLs that serve
malicious content.</p>
<h5>SECURITY-241 / CVE-2016-0790 (Non-constant time comparison of API token)</h5>
<p>The verification of user-provided API tokens with the expected
value did not use a constant-time comparison algorithm, potentially
allowing attackers to use statistical methods to determine valid
API tokens using brute-force methods.</p>
<h5>SECURITY-245 / CVE-2016-0791 (Non-constant time comparison of CSRF crumbs)</h5>
<p>The verification of user-provided CSRF crumbs with the expected
value did not use a constant-time comparison algorithm, potentially
allowing attackers to use statistical methods to determine valid
CSRF crumbs using brute-force methods.</p>
<h5>SECURITY-247 / CVE-2016-0792 (Remote code execution through remote API)</h5>
<p>Jenkins has several API endpoints that allow low-privilege users
to POST XML files that then get deserialized by Jenkins.
Maliciously crafted XML files sent to these API endpoints could
result in arbitrary code execution.</p>
</blockquote>
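<p>An added example for the two non-constant-time comparison items above (API
tokens and CSRF crumbs); it is not Jenkins code. It places an early-exit byte
comparison beside a constant-time one and counts the bytes each examines as a
stand-in for elapsed time. The token values and the token_matches helper are
constructed for the demonstration.</p>
<pre><![CDATA[
```c
/* Added example, not Jenkins code: an early-exit byte comparison next
 * to a constant-time one.  bytes_examined is an instrumentation counter
 * standing in for wall-clock time, so the demo shows, without a timer,
 * that the early-exit version's work grows with the length of the
 * prefix the guess shares with the secret. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static size_t bytes_examined;          /* work done by the last comparison */

size_t last_examined(void) { return bytes_examined; }

/* Early-exit comparison, the shape of memcmp/strcmp and String.equals:
 * returns as soon as a byte differs, so a guess sharing a longer prefix
 * with the secret takes measurably longer to reject. */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    bytes_examined = 0;
    for (size_t i = 0; i < n; i++) {
        bytes_examined++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: always walks all n bytes and ORs the
 * differences into one accumulator, so neither the loop count nor the
 * branch taken depends on where (or whether) the inputs differ. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    bytes_examined = 0;
    for (size_t i = 0; i < n; i++) {
        bytes_examined++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Token or crumb check as a server should do it.  Rejecting on a length
 * mismatch leaks only the length of the expected value, which is public
 * for fixed-format tokens anyway. */
int token_matches(const char *expected, const char *provided)
{
    size_t n = strlen(expected);
    if (strlen(provided) != n)
        return 0;
    return ct_equal((const uint8_t *)expected, (const uint8_t *)provided, n);
}

int main(void)
{
    const uint8_t *secret = (const uint8_t *)"0123456789abcdef";   /* constructed */
    const uint8_t *early  = (const uint8_t *)"X123456789abcdef";   /* wrong at byte 0 */
    const uint8_t *late   = (const uint8_t *)"0123456789abcdeX";   /* wrong at byte 15 */

    leaky_equal(secret, early, 16);
    printf("leaky, differs early: %zu bytes examined\n", last_examined());
    leaky_equal(secret, late, 16);
    printf("leaky, differs late:  %zu bytes examined\n", last_examined());
    ct_equal(secret, early, 16);
    printf("ct,    differs early: %zu bytes examined\n", last_examined());
    ct_equal(secret, late, 16);
    printf("ct,    differs late:  %zu bytes examined\n", last_examined());
    return 0;
}
```
]]></pre>
<p>The counter is the point: the early-exit version stops after one byte on a
guess that is wrong at the first position and after sixteen on a guess that is
wrong only at the last, and that difference is the signal an attacker
accumulates statistically over many requests to recover a token one byte at a
time. In production code use a vetted primitive rather than a hand-rolled loop,
for example MessageDigest.isEqual in Java or CRYPTO_memcmp in OpenSSL.</p>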
</body>
</description>
<references>
<url>https://wiki.jenkins-ci.org/display/SECURITY/Security+Advisory+2016-02-24</url>
</references>
<dates>
<discovery>2016-02-24</discovery>
<entry>2016-02-25</entry>
</dates>
</vuln>
<vuln vid="660ebbf5-daeb-11e5-b2bd-002590263bf5">
<topic>squid -- remote DoS in HTTP response processing</topic>
<affects>
<package>
<name>squid</name>
<range><lt>3.5.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2016:2 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_2.txt">
<p>Due to incorrect bounds checking Squid is vulnerable to a denial
of service attack when processing HTTP responses.</p>
<p>These problems allow remote servers delivering certain unusual
HTTP response syntax to trigger a denial of service for all
clients accessing the Squid service.</p>
<p>HTTP responses containing malformed headers that trigger this
issue are becoming common. We are not certain at this time if
that is a sign of malware or just broken server scripting.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2569</cvename>
<cvename>CVE-2016-2570</cvename>
<cvename>CVE-2016-2571</cvename>
<freebsdpr>ports/207454</freebsdpr>
<url>http://www.squid-cache.org/Advisories/SQUID-2016_2.txt</url>
<url>http://www.openwall.com/lists/oss-security/2016/02/24/12</url>
</references>
<dates>
<discovery>2016-02-24</discovery>
<entry>2016-02-24</entry>
<modified>2016-02-28</modified>
</dates>
</vuln>
<vuln vid="9e5bbffc-d8ac-11e5-b2bd-002590263bf5">
<topic>bsh -- remote code execution vulnerability</topic>
<affects>
<package>
<name>bsh</name>
<range><lt>2.0.b6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stian Soiland-Reyes reports:</p>
<blockquote cite="https://github.com/beanshell/beanshell/releases/tag/2.0b6">
<p>This release fixes a remote code execution vulnerability that was
identified in BeanShell by Alvaro Muñoz and Christian Schneider.
The BeanShell team would like to thank them for their help and
contributions to this fix!</p>
<p>An application that includes BeanShell on the classpath may be
vulnerable if another part of the application uses Java
serialization or XStream to deserialize data from an untrusted
source.</p>
<p>A vulnerable application could be exploited for remote code
execution, including executing arbitrary shell commands.</p>
<p>This update fixes the vulnerability in BeanShell, but it is worth
noting that applications doing such deserialization might still be
insecure through other libraries. It is recommended that application
developers take further measures such as using a restricted class
loader when deserializing. See notes on Java serialization security,
XStream security, and How to secure deserialization from untrusted
input without using encryption or sealing.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2510</cvename>
<freebsdpr>ports/207334</freebsdpr>
<url>https://github.com/beanshell/beanshell/releases/tag/2.0b6</url>
</references>
<dates>
<discovery>2016-02-18</discovery>
<entry>2016-02-21</entry>
</dates>
</vuln>
<vuln vid="6171eb07-d8a9-11e5-b2bd-002590263bf5">
<topic>libsrtp -- DoS via crafted RTP header vulnerability</topic>
<affects>
<package>
<name>libsrtp</name>
<range><lt>1.5.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>libsrtp reports:</p>
<blockquote cite="https://github.com/cisco/libsrtp/commit/704a31774db0dd941094fd2b47c21638b8dc3de2">
<p>Prevent potential DoS attack due to lack of bounds checking on RTP
header CSRC count and extension header length. Credit goes to
Randell Jesup and the Firefox team for reporting this issue.</p>
</blockquote>
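<p>An added example, not libsrtp code, of the two checks the commit message names:
a parser that computes the RTP header length from the CSRC count and the
extension header length only after confirming that each region lies inside the
received packet. The layout follows RFC 3550; the three packets are constructed
for the demonstration, not captured traffic.</p>
<pre><![CDATA[
```c
/* Added example, not libsrtp code: bounds-checked RTP header parsing.
 * Field layout follows RFC 3550 (fixed header, CSRC list, optional
 * header extension).  All packets below are constructed by hand. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RTP_FIXED_HDR 12

/* Compute the full RTP header length (fixed header + CSRC list +
 * optional extension) while checking that every region the header
 * advertises actually lies inside the received packet.
 * Returns 0 and sets *hdr_len on success, -1 on a malformed or
 * truncated packet. */
int rtp_header_len(const uint8_t *pkt, size_t len, size_t *hdr_len)
{
    if (len < RTP_FIXED_HDR)
        return -1;                          /* no room for the fixed header */
    if ((pkt[0] >> 6) != 2)
        return -1;                          /* RTP version must be 2 */

    size_t cc = pkt[0] & 0x0f;              /* CSRC count, 0..15 */
    int    x  = (pkt[0] >> 4) & 1;          /* header extension present? */
    size_t need = RTP_FIXED_HDR + cc * 4;

    /* CSRC list: with CC=15 on a 12-byte packet an unchecked parser
     * would walk 60 bytes past the end of the buffer. */
    if (need > len)
        return -1;

    if (x) {
        /* Extension header: 16-bit profile field, then a 16-bit length
         * counted in 32-bit words and excluding these four bytes. */
        if (len - need < 4)
            return -1;                      /* no room for the extension header */
        size_t ext_words = ((size_t)pkt[need + 2] << 8) | pkt[need + 3];
        need += 4;
        /* The length is peer-controlled (up to 65535 words): compare it
         * against the bytes actually present rather than trusting it. */
        if (ext_words * 4 > len - need)
            return -1;
        need += ext_words * 4;
    }

    *hdr_len = need;
    return 0;
}

/* Convenience wrapper: header length, or -1 if the packet is rejected. */
long checked_header_len(const uint8_t *pkt, size_t len)
{
    size_t h = 0;
    return rtp_header_len(pkt, len, &h) == 0 ? (long)h : -1;
}

/* Constructed packets (not captured traffic). */

/* Well-formed: V=2, X=1, CC=2, one-word extension, three payload bytes. */
static const uint8_t pkt_ok[] = {
    0x92, 0x60, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10, 0xde, 0xad, 0xbe, 0xef,
    0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x22, 0x22, /* two CSRCs */
    0xbe, 0xde, 0x00, 0x01,                         /* ext: profile, len=1 word */
    0xaa, 0xbb, 0xcc, 0xdd,                         /* ext data */
    0x01, 0x02, 0x03                                /* payload */
};

/* CC=15 but only the 12-byte fixed header is present. */
static const uint8_t pkt_bad_cc[] = {
    0x8f, 0x60, 0x00, 0x02, 0x00, 0x00, 0x00, 0x20, 0xde, 0xad, 0xbe, 0xef
};

/* Extension length claims 0x1000 words (16 KiB) but only 4 bytes follow. */
static const uint8_t pkt_bad_ext[] = {
    0x90, 0x60, 0x00, 0x03, 0x00, 0x00, 0x00, 0x30, 0xde, 0xad, 0xbe, 0xef,
    0xbe, 0xde, 0x10, 0x00, 0xaa, 0xbb, 0xcc, 0xdd
};

int main(void)
{
    printf("pkt_ok      -> %ld\n", checked_header_len(pkt_ok, sizeof pkt_ok));
    printf("pkt_bad_cc  -> %ld\n", checked_header_len(pkt_bad_cc, sizeof pkt_bad_cc));
    printf("pkt_bad_ext -> %ld\n", checked_header_len(pkt_bad_ext, sizeof pkt_bad_ext));
    return 0;
}
```
]]></pre>
<p>Both rejected packets are the same mistake from the parser's side: a
length derived from a peer-supplied field was used as an offset before being
compared with the bytes actually received. Every subtraction in the checks above
is guarded so the unsigned arithmetic cannot wrap.</p>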
</body>
</description>
<references>
<cvename>CVE-2015-6360</cvename>
<freebsdpr>ports/207003</freebsdpr>
<url>https://github.com/cisco/libsrtp/releases/tag/v1.5.3</url>
<url>https://github.com/cisco/libsrtp/commit/704a31774db0dd941094fd2b47c21638b8dc3de2</url>
<url>https://github.com/cisco/libsrtp/commit/be95365fbb4788b688cab7af61c65b7989055fb4</url>
<url>https://github.com/cisco/libsrtp/commit/be06686c8e98cc7bd934e10abb6f5e971d03f8ee</url>
<url>https://github.com/cisco/libsrtp/commit/cdc69f2acde796a4152a250f869271298abc233f</url>
</references>
<dates>
<discovery>2015-11-02</discovery>
<entry>2016-02-21</entry>
</dates>
</vuln>
<vuln vid="006e3b7c-d7d7-11e5-b85f-0018fe623f2b">
<topic>jasper -- multiple vulnerabilities</topic>
<affects>
<package>
<name>jasper</name>
<range><lt>1.900.1_16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>oCERT reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2014-012.html">
<p>The library is affected by a double-free vulnerability in function
jas_iccattrval_destroy()
as well as a heap-based buffer overflow in function jp2_decode().
A specially crafted jp2 file can be used to trigger the vulnerabilities.</p>
</blockquote>
<p>oCERT reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2015-001.html">
<p>The library is affected by an off-by-one error in a buffer boundary check
in jpc_dec_process_sot(), leading to a heap based buffer overflow, as well
as multiple unrestricted stack memory use issues in jpc_qmfb.c, leading to
stack overflow.
A specially crafted jp2 file can be used to trigger the vulnerabilities.</p>
</blockquote>
<p>oCERT reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2014-009.html">
<p>Multiple off-by-one flaws, leading to heap-based buffer overflows, were
found in the way JasPer decoded JPEG 2000 files. A specially crafted file
could cause an application using JasPer to crash or,
possibly, execute arbitrary code.</p>
</blockquote>
<p>limingxing reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2016/q1/233">
<p>A vulnerability was found in the way the JasPer's jas_matrix_clip()
function parses certain JPEG 2000 image files. A specially crafted file
could cause an application using JasPer to crash.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.ocert.org/advisories/ocert-2014-012.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1173157</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1173162</url>
<url>http://www.ocert.org/advisories/ocert-2015-001.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1179282</url>
<url>http://www.ocert.org/advisories/ocert-2014-009.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1167537</url>
<url>http://seclists.org/oss-sec/2016/q1/233</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1302636</url>
<cvename>CVE-2014-8137</cvename>
<cvename>CVE-2014-8138</cvename>
<cvename>CVE-2014-8157</cvename>
<cvename>CVE-2014-8158</cvename>
<cvename>CVE-2014-9029</cvename>
<cvename>CVE-2016-2089</cvename>
</references>
<dates>
<discovery>2014-12-10</discovery>
<entry>2016-02-20</entry>
<modified>2016-02-24</modified>
</dates>
</vuln>
<vuln vid="368993bb-d685-11e5-8858-00262d5ed8ee">
<topic>chromium -- same origin bypass</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>48.0.2564.116</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_18.html">
<p>[583431] Critical CVE-2016-1629: Same-origin bypass in Blink
and Sandbox escape in Chrome. Credit to anonymous.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1629</cvename>
<url>http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_18.html</url>
</references>
<dates>
<discovery>2016-02-18</discovery>
<entry>2016-02-18</entry>
</dates>
</vuln>
<vuln vid="2dd7e97e-d5e8-11e5-bcbd-bc5ff45d0f28">
<topic>glibc -- getaddrinfo stack-based buffer overflow</topic>
<affects>
<package>
<name>linux_base-c6</name>
<name>linux_base-c6_64</name>
<range><lt>6.7_1</lt></range>
</package>
<package>
<name>linux_base-f10</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Fabio Olive Leite reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7547">
<p>A stack-based buffer overflow was found in libresolv when invoked
from nss_dns, allowing specially crafted DNS responses to seize
control of EIP in the DNS client. The buffer overflow occurs in the
functions send_dg (send datagram) and send_vc (send TCP) for the
NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
family, or in some cases AF_INET6 family. The use of AF_UNSPEC (or
AF_INET6 in some cases) triggers the low-level resolver code to
send out two parallel queries for A and AAAA. A mismanagement of
the buffers used for those queries could result in the response of
a query writing beyond the alloca allocated buffer created by
__res_nquery.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7547</cvename>
<freebsdpr>ports/207272</freebsdpr>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7547</url>
<url>https://blog.des.no/2016/02/freebsd-and-cve-2015-7547/</url>
<url>https://googleonlinesecurity.blogspot.no/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html</url>
<url>https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html</url>
</references>
<dates>
<discovery>2016-02-16</discovery>
<entry>2016-02-18</entry>
</dates>
</vuln>
<vuln vid="56562efb-d5e4-11e5-b2bd-002590263bf5">
<topic>squid -- SSL/TLS processing remote DoS</topic>
<affects>
<package>
<name>squid</name>
<range><ge>3.5.13</ge><lt>3.5.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2016:1 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2016_1.txt">
<p>Due to incorrectly handling server errors Squid is vulnerable to a
denial of service attack when connecting to TLS or SSL servers.</p>
<p>This problem allows any trusted client to perform a denial of
service attack on the Squid service regardless of whether TLS or
SSL is configured for use in the proxy.</p>
<p>Misconfigured client or server software may trigger this issue
to perform a denial of service unintentionally.</p>
<p>However, the bug is exploitable only if Squid is built using the
--with-openssl option.</p>
</blockquote>
<p>The FreeBSD port does not use SSL by default and is not vulnerable
in the default configuration.</p>
</body>
</description>
<references>
<cvename>CVE-2016-2390</cvename>
<freebsdpr>ports/207294</freebsdpr>
<url>http://www.squid-cache.org/Advisories/SQUID-2016_1.txt</url>
</references>
<dates>
<discovery>2016-02-16</discovery>
<entry>2016-02-18</entry>
</dates>
</vuln>
<vuln vid="dd563930-d59a-11e5-8fa8-14dae9d210b8">
<topic>adminer -- remote code execution</topic>
<affects>
<package>
<name>adminer</name>
<range><lt>4.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jakub Vrana reports:</p>
<blockquote cite="https://github.com/vrana/adminer/commit/e5352cc5acad21513bb02677e2021b80bf7e7b8b">
<p>Fix remote code execution in SQLite query</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/vrana/adminer/commit/e5352cc5acad21513bb02677e2021b80bf7e7b8b</url>
</references>
<dates>
<discovery>2016-02-06</discovery>
<entry>2016-02-17</entry>
</dates>
</vuln>
<vuln vid="18201a1c-d59a-11e5-8fa8-14dae9d210b8">
<topic>adminer -- XSS vulnerability</topic>
<affects>
<package>
<name>adminer</name>
<range><lt>4.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jakub Vrana reports:</p>
<blockquote cite="https://github.com/vrana/adminer/commit/4be0b6655e0bf415960659db2a6dd4e60eebbd66">
<p>Fix XSS in indexes (non-MySQL only)</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/vrana/adminer/commit/4be0b6655e0bf415960659db2a6dd4e60eebbd66</url>
</references>
<dates>
<discovery>2015-11-08</discovery>
<entry>2016-02-17</entry>
</dates>
</vuln>
<vuln vid="ad91ee9b-d599-11e5-8fa8-14dae9d210b8">
<topic>adminer -- XSS vulnerability</topic>
<affects>
<package>
<name>adminer</name>
<range><lt>4.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jakub Vrana reports:</p>
<blockquote cite="https://github.com/vrana/adminer/commit/596f8df373cd3efe5bcb6013858bd7a6bb5ecb2c">
<p>Fix XSS in alter table</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/vrana/adminer/commit/596f8df373cd3efe5bcb6013858bd7a6bb5ecb2c</url>
</references>
<dates>
<discovery>2015-08-05</discovery>
<entry>2016-02-17</entry>
</dates>
</vuln>
<vuln vid="8cf54d73-d591-11e5-8fa8-14dae9d210b8">
<topic>adminer -- XSS vulnerability</topic>
<affects>
<package>
<name>adminer</name>
<range><lt>4.2.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jakub Vrana reports:</p>
<blockquote cite="https://github.com/vrana/adminer/commit/c990de3b3ee1816afb130bd0e1570577bf54a8e5">
<p>Fix XSS in login form</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/vrana/adminer/commit/c990de3b3ee1816afb130bd0e1570577bf54a8e5</url>
<url>https://sourceforge.net/p/adminer/bugs-and-features/436/</url>
</references>
<dates>
<discovery>2015-01-30</discovery>
<entry>2016-02-17</entry>
</dates>
</vuln>
<vuln vid="95b92e3b-d451-11e5-9794-e8e0b747a45a">
<topic>libgcrypt -- side-channel attack on ECDH</topic>
<affects>
<package>
<name>libgcrypt</name>
<range><lt>1.6.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GnuPG reports:</p>
<blockquote cite="https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html">
<p>Mitigate side-channel attack on ECDH with Weierstrass curves.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7511</cvename>
<url>https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html</url>
</references>
<dates>
<discovery>2016-02-09</discovery>
<entry>2016-02-16</entry>
</dates>
</vuln>
<vuln vid="f1bf28c5-d447-11e5-b2bd-002590263bf5">
<topic>xdelta3 -- buffer overflow vulnerability</topic>
<affects>
<package>
<name>xdelta3</name>
<range><lt>3.0.9,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stepan Golosunov reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/02/08/1">
<p>Buffer overflow was found and fixed in xdelta3 binary diff tool
that allows arbitrary code execution from input files at least on
some systems.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-9765</cvename>
<url>http://www.openwall.com/lists/oss-security/2016/02/08/1</url>
<url>https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2</url>
</references>
<dates>
<discovery>2014-10-08</discovery>
<entry>2016-02-16</entry>
</dates>
</vuln>
<vuln vid="172b22cb-d3f6-11e5-ac9e-485d605f4717">
<topic>firefox -- Same-origin-policy violation using Service Workers with plugins</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>44.0.2,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>44.0.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox44.0.2">
<p>MFSA 2016-13 Jason Pang of OneSignal reported that service workers intercept
responses to plugin network requests made through the browser. Plugins which
make security decisions based on the content of network requests can have these
decisions subverted if a service worker forges responses to those requests. For
example, a forged crossdomain.xml could allow a malicious site to violate the
same-origin policy using the Flash plugin.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1949</cvename>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2016-13/</url>
</references>
<dates>
<discovery>2016-02-11</discovery>
<entry>2016-02-15</entry>
</dates>
</vuln>
<vuln vid="07718e2b-d29d-11e5-a95f-b499baebfeaf">
<topic>nghttp2 -- Out of memory in nghttpd, nghttp, and libnghttp2_asio</topic>
<affects>
<package>
<name>nghttp2</name>
<range><lt>1.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Nghttp2 reports:</p>
<blockquote cite="https://nghttp2.org/blog/2016/02/11/nghttp2-v1-7-1/">
<p>Out of memory in nghttpd, nghttp, and libnghttp2_asio applications
due to unlimited incoming HTTP header fields.</p>
<p>nghttpd, nghttp, and libnghttp2_asio applications do not limit the memory usage
for the incoming HTTP header field. If peer sends specially crafted HTTP/2
HEADERS frames and CONTINUATION frames, they will crash with out of memory
error.</p>
<p>Note that libnghttp2 itself is not affected by this vulnerability.</p>
</blockquote>
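<p>An added example, not nghttp2 code, of the idea behind the fix: fragments of
one header block arriving in HEADERS and CONTINUATION frames are buffered under
a hard cap, so a peer that keeps sending CONTINUATION frames without
END_HEADERS is cut off instead of growing memory until the process dies. The
frame layout follows RFC 7540; the padded and priority forms of HEADERS are not
handled, HPACK decoding is out of scope, and the frames are constructed by the
make_frame helper.</p>
<pre><![CDATA[
```c
/* Added example, not nghttp2 code: buffer an HTTP/2 header block that
 * arrives as HEADERS + CONTINUATION frames under a hard cap, so a peer
 * cannot grow memory without bound.  Frame layout per RFC 7540 s4.1;
 * the PADDED/PRIORITY variants of HEADERS are not handled and HPACK
 * decoding is out of scope.  All frames are constructed by make_frame(). */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define H2_FRAME_HDR    9
#define H2_HEADERS      0x1
#define H2_CONTINUATION 0x9
#define H2_END_HEADERS  0x4

struct hdr_acc {
    uint8_t *buf;    /* concatenated header block fragments */
    size_t   len;    /* bytes buffered so far */
    size_t   limit;  /* hard cap on len */
    int      open;   /* 1 while a block is still being received */
};

/* Feed one complete frame.  Returns 1 when END_HEADERS completes the
 * block, 0 when more CONTINUATION frames are expected, -1 on a protocol
 * error or when buffering the fragment would exceed the cap. */
int hdr_acc_feed(struct hdr_acc *a, const uint8_t *frame, size_t n)
{
    if (n < H2_FRAME_HDR)
        return -1;
    size_t  plen  = ((size_t)frame[0] << 16) | ((size_t)frame[1] << 8) | frame[2];
    uint8_t type  = frame[3], flags = frame[4];
    if (n != H2_FRAME_HDR + plen)
        return -1;                  /* declared length must match bytes given */
    if (type == H2_HEADERS) {
        if (a->open) return -1;     /* HEADERS while a block is open */
        a->open = 1;
    } else if (type != H2_CONTINUATION || !a->open) {
        return -1;                  /* CONTINUATION without HEADERS, or other type */
    }
    /* Check the cap before allocating: the unfixed tools grew the buffer
     * for as long as the peer kept sending fragments. */
    if (plen > a->limit - a->len)
        return -1;
    if (plen) {
        uint8_t *grown = realloc(a->buf, a->len + plen);
        if (!grown) return -1;
        a->buf = grown;
        memcpy(a->buf + a->len, frame + H2_FRAME_HDR, plen);
        a->len += plen;
    }
    if (flags & H2_END_HEADERS) {
        a->open = 0;
        return 1;
    }
    return 0;
}

/* Write a frame header plus `plen` bytes of `fill` (constructed data) on
 * stream 1 into out; returns the frame size. */
size_t make_frame(uint8_t *out, uint8_t type, uint8_t flags, size_t plen, uint8_t fill)
{
    out[0] = (uint8_t)(plen >> 16); out[1] = (uint8_t)(plen >> 8); out[2] = (uint8_t)plen;
    out[3] = type; out[4] = flags;
    out[5] = 0; out[6] = 0; out[7] = 0; out[8] = 1;
    memset(out + H2_FRAME_HDR, fill, plen);
    return H2_FRAME_HDR + plen;
}

/* Drive one block against a cap: a HEADERS frame followed by `conts`
 * CONTINUATION frames, each carrying `plen` payload bytes; END_HEADERS
 * is set on the final frame when `finish` is nonzero.  Returns the
 * bytes buffered once the block completes, -2 if it is still open after
 * the last frame, or -1 as soon as a frame is rejected. */
long run_block(size_t limit, size_t plen, size_t conts, int finish)
{
    uint8_t *f = malloc(H2_FRAME_HDR + plen);
    if (!f) return -1;
    struct hdr_acc a = { 0, 0, limit, 0 };
    long result = -2;
    for (size_t i = 0; i <= conts; i++) {
        uint8_t type  = i == 0 ? H2_HEADERS : H2_CONTINUATION;
        uint8_t flags = (finish && i == conts) ? H2_END_HEADERS : 0;
        size_t  n = make_frame(f, type, flags, plen, 0x41);
        int rc = hdr_acc_feed(&a, f, n);
        if (rc < 0) { result = -1; break; }
        if (rc == 1) { result = (long)a.len; break; }
    }
    free(a.buf);
    free(f);
    return result;
}
```
]]></pre>
<p>run_block(100, 40, 4, 0) models the flood: the HEADERS frame and one
CONTINUATION frame fit under the 100-byte cap, the next CONTINUATION frame
would bring the total to 120 bytes and is rejected before anything is
allocated, at which point a server would reset the stream or send GOAWAY. A real
implementation derives the cap from a configured maximum (or what it advertised
in SETTINGS_MAX_HEADER_LIST_SIZE) rather than the toy values used here.</p>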
</body>
</description>
<references>
<url>http://nghttp2.org/blog/2016/02/11/nghttp2-v1-7-1/</url>
<cvename>CVE-2016-1544</cvename>
</references>
<dates>
<discovery>2016-02-03</discovery>
<entry>2016-02-13</entry>
</dates>
</vuln>
<vuln vid="3aa8b781-d2c4-11e5-b2bd-002590263bf5">
<topic>horde -- XSS vulnerabilities</topic>
<affects>
<package>
<name>horde</name>
<range><lt>5.2.9</lt></range>
</package>
<package>
<name>pear-Horde_Core</name>
<range><lt>2.22.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Horde Team reports:</p>
<blockquote cite="http://lists.horde.org/archives/announce/2016/001149.html">
<p>Fixed XSS vulnerabilities in menu bar and form renderer.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8807</cvename>
<cvename>CVE-2016-2228</cvename>
<url>https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253</url>
<url>https://bugs.horde.org/ticket/14213</url>
<url>https://github.com/horde/horde/commit/f03301cf6edcca57121a15e80014c4d0f29d99a0</url>
<url>https://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8</url>
<url>http://www.openwall.com/lists/oss-security/2016/02/06/4</url>
<url>http://lists.horde.org/archives/announce/2016/001149.html</url>
</references>
<dates>
<discovery>2016-02-02</discovery>
<entry>2016-02-14</entry>
</dates>
</vuln>
<vuln vid="e8b6605b-d29f-11e5-8458-6cc21735f730">
<topic>PostgreSQL -- Security Fixes for Regular Expressions, PL/Java</topic>
<affects>
<package>
<name>postgresql91-server</name>
<range><ge>9.1.0</ge><lt>9.1.20</lt></range>
</package>
<package>
<name>postgresql92-server</name>
<range><ge>9.2.0</ge><lt>9.2.15</lt></range>
</package>
<package>
<name>postgresql93-server</name>
<range><ge>9.3.0</ge><lt>9.3.11</lt></range>
</package>
<package>
<name>postgresql94-server</name>
<range><ge>9.4.0</ge><lt>9.4.6</lt></range>
</package>
<package>
<name>postgresql95-server</name>
<range><ge>9.5.0</ge><lt>9.5.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PostgreSQL project reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1644/">
<p>Security Fixes for Regular Expressions, PL/Java</p>
<ul>
<li>CVE-2016-0773: This release closes security hole CVE-2016-0773,
an issue with regular expression (regex) parsing. Prior code allowed
users to pass in expressions which included out-of-range Unicode
characters, triggering a backend crash. This issue is critical for
PostgreSQL systems with untrusted users or which generate regexes
based on user input.
</li>
<li>CVE-2016-0766: The update also fixes CVE-2016-0766, a privilege
escalation issue for users of PL/Java. Certain custom configuration
settings (GUCS) for PL/Java will now be modifiable only by the
database superuser.
</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-0773</cvename>
<cvename>CVE-2016-0766</cvename>
</references>
<dates>
<discovery>2016-02-08</discovery>
<entry>2016-02-12</entry>
</dates>
</vuln>
<vuln vid="5d8e56c3-9e67-4d5b-81c9-3a409dfd705f">
<topic>flash -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-c6-flashplugin</name>
<name>linux-f10-flashplugin</name>
<name>linux-c6_64-flashplugin</name>
<range><lt>11.2r202.569</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb16-04.html">
<p>These updates resolve a type confusion vulnerability that
could lead to code execution (CVE-2016-0985).</p>
<p>These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2016-0973, CVE-2016-0974,
CVE-2016-0975, CVE-2016-0982, CVE-2016-0983, CVE-2016-0984).</p>
<p>These updates resolve a heap buffer overflow vulnerability
that could lead to code execution (CVE-2016-0971).</p>
<p>These updates resolve memory corruption vulnerabilities
that could lead to code execution (CVE-2016-0964,
CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968,
CVE-2016-0969, CVE-2016-0970, CVE-2016-0972, CVE-2016-0976,
CVE-2016-0977, CVE-2016-0978, CVE-2016-0979, CVE-2016-0980,
CVE-2016-0981).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-0964</cvename>
<cvename>CVE-2016-0965</cvename>
<cvename>CVE-2016-0966</cvename>
<cvename>CVE-2016-0967</cvename>
<cvename>CVE-2016-0968</cvename>
<cvename>CVE-2016-0969</cvename>
<cvename>CVE-2016-0970</cvename>
<cvename>CVE-2016-0971</cvename>
<cvename>CVE-2016-0972</cvename>
<cvename>CVE-2016-0973</cvename>
<cvename>CVE-2016-0974</cvename>
<cvename>CVE-2016-0975</cvename>
<cvename>CVE-2016-0976</cvename>
<cvename>CVE-2016-0977</cvename>
<cvename>CVE-2016-0978</cvename>
<cvename>CVE-2016-0979</cvename>
<cvename>CVE-2016-0980</cvename>
<cvename>CVE-2016-0981</cvename>
<cvename>CVE-2016-0982</cvename>
<cvename>CVE-2016-0983</cvename>
<cvename>CVE-2016-0984</cvename>
<cvename>CVE-2016-0985</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb16-04.html</url>
</references>
<dates>
<discovery>2016-02-09</discovery>
<entry>2016-02-10</entry>
</dates>
</vuln>
<vuln vid="515b4327-cf8a-11e5-96d6-14dae9d210b8">
<topic>dnscrypt-proxy -- code execution</topic>
<affects>
<package>
<name>dnscrypt-proxy</name>
<range><ge>1.1.0</ge><lt>1.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Frank Denis reports:</p>
<blockquote cite="https://github.com/jedisct1/dnscrypt-proxy/blob/1d129f7d5f0d469308967cbe4eacb4a6919f1fa1/NEWS#L2-L8">
<p>Malformed packets could lead to denial of service or code
execution.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/jedisct1/dnscrypt-proxy/blob/1d129f7d5f0d469308967cbe4eacb4a6919f1fa1/NEWS#L2-L8</url>
</references>
<dates>
<discovery>2016-02-02</discovery>
<entry>2016-02-10</entry>
<modified>2016-02-14</modified>
</dates>
</vuln>
<vuln vid="36034227-cf81-11e5-9c2b-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>48.0.2564.109</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_9.html">
<p>6 security fixes in this release, including:</p>
<ul>
<li>[546677] High CVE-2016-1622: Same-origin bypass in Extensions.
Credit to anonymous.</li>
<li>[577105] High CVE-2016-1623: Same-origin bypass in DOM. Credit
to Mariusz Mlynski.</li>
<li>[509313] Medium CVE-2016-1625: Navigation bypass in Chrome
Instant. Credit to Jann Horn.</li>
<li>[571480] Medium CVE-2016-1626: Out-of-bounds read in PDFium.
Credit to anonymous, working with HP's Zero Day Initiative.</li>
<li>[585517] CVE-2016-1627: Various fixes from internal audits,
fuzzing and other initiatives.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1622</cvename>
<cvename>CVE-2016-1623</cvename>
<cvename>CVE-2016-1625</cvename>
<cvename>CVE-2016-1626</cvename>
<cvename>CVE-2016-1627</cvename>
<url>http://googlechromereleases.blogspot.nl/2016/02/stable-channel-update_9.html</url>
</references>
<dates>
<discovery>2016-02-08</discovery>
<entry>2016-02-09</entry>
<modified>2016-03-08</modified>
</dates>
</vuln>
<vuln vid="8f10fa04-cf6a-11e5-96d6-14dae9d210b8">
<topic>graphite2 -- code execution vulnerability</topic>
<affects>
<package>
<name>graphite2</name>
<range><lt>1.3.5</lt></range>
</package>
<package>
<name>silgraphite</name>
<range><lt>2.3.1_4</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>38.6.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Talos reports:</p>
<blockquote cite="http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html">
<ul>
<li><p>An exploitable denial of service vulnerability exists
in the font handling of Libgraphite. A specially crafted font can cause
an out-of-bounds read potentially resulting in an information leak or
denial of service.</p></li>
<li><p>A specially crafted font can cause a buffer overflow
resulting in potential code execution.</p></li>
<li><p>An exploitable NULL pointer dereference exists in the
bidirectional font handling functionality of Libgraphite. A specially
crafted font can cause a NULL pointer dereference resulting in a
crash.</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html</url>
<url>http://www.talosintel.com/reports/TALOS-2016-0061/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-14/</url>
<cvename>CVE-2016-1521</cvename>
<cvename>CVE-2016-1522</cvename>
<cvename>CVE-2016-1523</cvename>
<cvename>CVE-2016-1526</cvename>
</references>
<dates>
<discovery>2016-02-05</discovery>
<entry>2016-02-09</entry>
<modified>2016-03-08</modified>
</dates>
</vuln>
<vuln vid="1cecd5e0-c372-11e5-96d6-14dae9d210b8">
<topic>xymon-server -- multiple vulnerabilities</topic>
<affects>
<package>
<name>xymon-server</name>
<range><lt>4.3.25</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>J.C. Cleaver reports:</p>
<blockquote cite="http://lists.xymon.com/pipermail/xymon/2016-February/042986.html">
<ul>
<li><p>CVE-2016-2054: Buffer overflow in xymond handling of
"config" command</p></li>
<li><p>CVE-2016-2055: Access to possibly confidential files
in the Xymon configuration directory</p></li>
<li><p>CVE-2016-2056: Shell command injection in the
"useradm" and "chpasswd" web applications</p></li>
<li><p>CVE-2016-2057: Incorrect permissions on IPC queues
used by the xymond daemon can bypass IP access filtering</p></li>
<li><p>CVE-2016-2058: JavaScript injection in "detailed status
webpage" of monitoring items; XSS vulnerability via malformed
acknowledgment messages</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://lists.xymon.com/pipermail/xymon/2016-February/042986.html</url>
<cvename>CVE-2016-2054</cvename>
<cvename>CVE-2016-2055</cvename>
<cvename>CVE-2016-2056</cvename>
<cvename>CVE-2016-2057</cvename>
<cvename>CVE-2016-2058</cvename>
</references>
<dates>
<discovery>2016-01-19</discovery>
<entry>2016-02-09</entry>
</dates>
</vuln>
<vuln vid="85eb4e46-cf16-11e5-840f-485d605f4717">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php55</name>
<name>php55-phar</name>
<name>php55-wddx</name>
<range><lt>5.5.32</lt></range>
</package>
<package>
<name>php56</name>
<name>php56-phar</name>
<name>php56-wddx</name>
<range><lt>5.6.18</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP reports:</p>
<blockquote cite="http://php.net/ChangeLog-5.php#5.6.18">
<ul><li>Core:
<ul>
<li>Fixed bug #71039 (exec functions ignore length but look for NULL
termination).</li>
<li>Fixed bug #71323 (Output of stream_get_meta_data can be
falsified by its input).</li>
<li>Fixed bug #71459 (Integer overflow in iptcembed()).</li>
</ul></li>
<li>PCRE:
<ul>
<li>Upgraded bundled PCRE library to 8.38. (CVE-2015-8383,
CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390,
CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)</li>
</ul></li>
<li>Phar:
<ul>
<li>Fixed bug #71354 (Heap corruption in tar/zip/phar parser).</li>
<li>Fixed bug #71391 (NULL Pointer Dereference in
phar_tar_setupmetadata()).</li>
<li>Fixed bug #71488 (Stack overflow when decompressing tar
archives). (CVE-2016-2554)</li>
</ul></li>
<li>WDDX:
<ul>
<li>Fixed bug #71335 (Type Confusion in WDDX Packet
Deserialization).</li>
</ul></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8383</cvename>
<cvename>CVE-2015-8386</cvename>
<cvename>CVE-2015-8387</cvename>
<cvename>CVE-2015-8389</cvename>
<cvename>CVE-2015-8390</cvename>
<cvename>CVE-2015-8391</cvename>
<cvename>CVE-2015-8393</cvename>
<cvename>CVE-2015-8394</cvename>
<cvename>CVE-2016-2554</cvename>
<url>http://php.net/ChangeLog-5.php#5.6.18</url>
<url>http://php.net/ChangeLog-5.php#5.5.32</url>
</references>
<dates>
<discovery>2016-02-04</discovery>
<entry>2016-02-09</entry>
<modified>2016-03-13</modified>
</dates>
</vuln>
<vuln vid="a8de962a-cf15-11e5-805c-5453ed2e2b49">
<topic>py-imaging, py-pillow -- Buffer overflow in PCD decoder</topic>
<affects>
<package>
<name>py27-pillow</name>
<name>py33-pillow</name>
<name>py34-pillow</name>
<name>py35-pillow</name>
<range><lt>2.9.0_1</lt></range>
</package>
<package>
<name>py27-imaging</name>
<range><lt>1.1.7_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Pillow maintainers report:</p>
<blockquote cite="https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html">
<p>In all versions of Pillow, dating back at least to the last PIL
1.1.7 release, PcdDecode.c has a buffer overflow error.</p>
<p>The state.buffer for PcdDecode.c is allocated based on a 3 bytes
per pixel sizing, where PcdDecode.c wrote into the buffer assuming
4 bytes per pixel. This writes 768 bytes beyond the end of the
buffer into other Python object storage. In some cases, this causes
a segfault, in others an internal Python malloc error.</p>
</blockquote>
</body>
</description>
<references>
<mlist>http://openwall.com/lists/oss-security/2016/02/02/5</mlist>
<url>https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4</url>
<url>https://github.com/python-pillow/Pillow/issues/568</url>
</references>
<dates>
<discovery>2016-02-02</discovery>
<entry>2016-02-09</entry>
</dates>
</vuln>
<vuln vid="0519db18-cf15-11e5-805c-5453ed2e2b49">
<topic>py-pillow -- Integer overflow in Resample.c</topic>
<affects>
<package>
<name>py27-pillow</name>
<name>py33-pillow</name>
<name>py34-pillow</name>
<name>py35-pillow</name>
<range><lt>2.9.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Pillow maintainers report:</p>
<blockquote cite="https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html">
<p>If a large value was passed into the new size for an image, it is
possible to overflow an int32 value passed into malloc, leading the
malloc’d buffer to be undersized. These allocations are followed by
a loop that writes out of bounds. This can lead to corruption on
the heap of the Python process with attacker controlled float
data.</p>
<p>This issue was found by Ned Williamson.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/python-pillow/Pillow/commit/41fae6d9e2da741d2c5464775c7f1a609ea03798</url>
<url>https://github.com/python-pillow/Pillow/issues/1710</url>
</references>
<dates>
<discovery>2016-02-05</discovery>
<entry>2016-02-09</entry>
</dates>
</vuln>
<vuln vid="6ea60e00-cf13-11e5-805c-5453ed2e2b49">
<topic>py-imaging, py-pillow -- Buffer overflow in FLI decoding code</topic>
<affects>
<package>
<name>py27-pillow</name>
<name>py33-pillow</name>
<name>py34-pillow</name>
<name>py35-pillow</name>
<range><lt>2.9.0_1</lt></range>
</package>
<package>
<name>py27-imaging</name>
<range><lt>1.1.7_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Pillow maintainers report:</p>
<blockquote cite="https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html">
<p>In all versions of Pillow, dating back at least to the last PIL
1.1.7 release, FliDecode.c has a buffer overflow error.</p>
<p>There is a memcpy error where x is added to a target buffer
address. X is used in several internal temporary variable roles,
but can take a value up to the width of the image. Im->image[y]
is a set of row pointers to segments of memory that are the size of
the row. At the max y, this will write the contents of the line off
the end of the memory buffer, causing a segfault.</p>
<p>This issue was found by Alyssa Besseling at Atlassian.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-0775</cvename>
<url>https://github.com/python-pillow/Pillow/commit/bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec</url>
</references>
<dates>
<discovery>2016-02-05</discovery>
<entry>2016-02-09</entry>
</dates>
</vuln>
<vuln vid="53252879-cf11-11e5-805c-5453ed2e2b49">
<topic>py-pillow -- Buffer overflow in TIFF decoding code</topic>
<affects>
<package>
<name>py27-pillow</name>
<name>py33-pillow</name>
<name>py34-pillow</name>
<name>py35-pillow</name>
<range><lt>2.9.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Pillow maintainers report:</p>
<blockquote cite="https://pillow.readthedocs.org/en/3.1.x/releasenotes/3.1.1.html">
<p>Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on
x64 may overflow a buffer when reading a specially crafted tiff
file.</p>
<p>Specifically, libtiff >= 4.0.0 changed the return type of
TIFFScanlineSize from int32 to machine dependent int32|64. If the
scanline is sized so that it overflows an int32, it may be
interpreted as a negative number, which will then pass the size check
in TiffDecode.c line 236. To do this, the logical scanline size has
to be > 2gb, and for the test file, the allocated buffer size is 64k
against a roughly 4gb scan line size. Any image data over 64k is
written over the heap, causing a segfault.</p>
<p>This issue was found by security researcher FourOne.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-0740</cvename>
<url>https://github.com/python-pillow/Pillow/commit/6dcbf5bd96b717c58d7b642949da8d323099928e</url>
</references>
<dates>
<discovery>2016-02-04</discovery>
<entry>2016-02-09</entry>
</dates>
</vuln>
<vuln vid="6ac79ed8-ccc2-11e5-932b-5404a68ad561">
<topic>ffmpeg -- remote denial of service in JPEG2000 decoder</topic>
<affects>
<package>
<name>ffmpeg</name>
<range><lt>2.8.6,1</lt></range>
</package>
<package>
<name>mplayer</name>
<name>mencoder</name>
<range>
<lt>1.2.r20151219_3</lt>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>FFmpeg security reports:</p>
<blockquote cite="https://www.ffmpeg.org/security.html">
<p>FFmpeg 2.8.6 fixes the following vulnerabilities:
CVE-2016-2213</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-2213</cvename>
<url>https://www.ffmpeg.org/security.html</url>
</references>
<dates>
<discovery>2016-01-27</discovery>
<entry>2016-02-06</entry>
</dates>
</vuln>
<vuln vid="448047e9-030e-4ce4-910b-f21a3ad5d9a0">
<topic>shotwell -- not verifying certificates</topic>
<affects>
<package>
<name>shotwell</name>
<range><lt>0.22.0.99</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michael Catanzaro reports:</p>
<blockquote cite="https://mail.gnome.org/archives/distributor-list/2016-January/msg00000.html">
<p>Shotwell has a serious security issue ("Shotwell does not
verify TLS certificates"). Upstream is no longer active and
I do not expect any further upstream releases unless someone
from the community steps up to maintain it.</p>
<p>What is the impact of the issue? If you ever used any of
the publish functionality (publish to Facebook, publish to
Flickr, etc.), your passwords may have been stolen; changing
them is not a bad idea.</p>
<p>What is the risk of the update? Regressions. The easiest
way to validate TLS certificates was to upgrade WebKit; it
seems to work but I don't have accounts with the online
services it supports, so I don't know if photo publishing
still works properly on all the services.</p>
</blockquote>
</body>
</description>
<references>
<url>https://mail.gnome.org/archives/distributor-list/2016-January/msg00000.html</url>
</references>
<dates>
<discovery>2016-01-06</discovery>
<entry>2016-02-05</entry>
</dates>
</vuln>
<vuln vid="1091d2d1-cb2e-11e5-b14b-bcaec565249c">
<topic>webkit -- UI spoof</topic>
<affects>
<package>
<name>webkit-gtk2</name>
<name>webkit-gtk3</name>
<range><lt>2.4.9_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>webkit reports:</p>
<blockquote cite="http://webkitgtk.org/security/WSA-2015-0002.html">
<p>The ScrollView::paint function in platform/scroll/ScrollView.cpp
in Blink, as used in Google Chrome before 35.0.1916.114, allows
remote attackers to spoof the UI by extending scrollbar painting
into the parent frame.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2014-1748</cvename>
<url>http://webkitgtk.org/security/WSA-2015-0002.html</url>
</references>
<dates>
<discovery>2015-12-28</discovery>
<entry>2016-02-04</entry>
</dates>
</vuln>
<vuln vid="e78bfc9d-cb1e-11e5-b251-0050562a4d7b">
<topic>py-rsa -- Bleichenbacher'06 signature forgery vulnerability</topic>
<affects>
<package>
<name>py27-rsa</name>
<name>py32-rsa</name>
<name>py33-rsa</name>
<name>py34-rsa</name>
<name>py35-rsa</name>
<range><lt>3.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Filippo Valsorda reports:</p>
<blockquote cite="https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/">
<p>python-rsa is vulnerable to a straightforward variant of the
Bleichenbacher'06 attack against RSA signature verification
with low public exponent.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1494</cvename>
<url>https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/</url>
<url>https://bitbucket.org/sybren/python-rsa/pull-requests/14/security-fix-bb06-attack-in-verify-by</url>
<url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1494</url>
<url>http://www.openwall.com/lists/oss-security/2016/01/05/3</url>
<url>http://www.openwall.com/lists/oss-security/2016/01/05/1</url>
</references>
<dates>
<discovery>2016-01-05</discovery>
<entry>2016-02-04</entry>
</dates>
</vuln>
<vuln vid="559f3d1b-cb1d-11e5-80a4-001999f8d30b">
<topic>asterisk -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk</name>
<range><lt>1.8.32.3_5</lt></range>
</package>
<package>
<name>asterisk11</name>
<range><lt>11.21.1</lt></range>
</package>
<package>
<name>asterisk13</name>
<range><lt>13.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>AST-2016-001 - BEAST vulnerability in HTTP server</p>
<p>AST-2016-002 - File descriptor exhaustion in chan_sip</p>
<p>AST-2016-003 - Remote crash vulnerability when receiving UDPTL FAX data</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2016-001.html</url>
<cvename>CVE-2011-3389</cvename>
<url>http://downloads.asterisk.org/pub/security/AST-2016-002.html</url>
<cvename>CVE-2016-2316</cvename>
<url>http://downloads.asterisk.org/pub/security/AST-2016-003.html</url>
<cvename>CVE-2016-2232</cvename>
</references>
<dates>
<discovery>2016-02-03</discovery>
<entry>2016-02-04</entry>
<modified>2016-03-07</modified>
</dates>
</vuln>
<vuln vid="0652005e-ca96-11e5-96d6-14dae9d210b8">
<topic>salt -- code execution</topic>
<affects>
<package>
<name>py27-salt</name>
<name>py32-salt</name>
<name>py33-salt</name>
<name>py34-salt</name>
<name>py35-salt</name>
<range><ge>2015.8.0</ge><lt>2015.8.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SaltStack reports:</p>
<blockquote cite="https://docs.saltstack.com/en/latest/topics/releases/2015.8.4.html">
<p>Improper handling of clear messages on the minion, which
could result in executing commands not sent by the master.</p>
</blockquote>
</body>
</description>
<references>
<url>https://docs.saltstack.com/en/latest/topics/releases/2015.8.4.html</url>
<url>https://github.com/saltstack/salt/pull/30613/files</url>
<cvename>CVE-2016-1866</cvename>
</references>
<dates>
<discovery>2016-01-25</discovery>
<entry>2016-02-03</entry>
</dates>
</vuln>
<vuln vid="bb0ef21d-0e1b-461b-bc3d-9cba39948888">
<topic>rails -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-actionpack</name>
<range><lt>3.2.22.1</lt></range>
</package>
<package>
<name>rubygem-actionpack4</name>
<range><lt>4.2.5.1</lt></range>
</package>
<package>
<name>rubygem-actionview</name>
<range><lt>4.2.5.1</lt></range>
</package>
<package>
<name>rubygem-activemodel4</name>
<range><lt>4.2.5.1</lt></range>
</package>
<package>
<name>rubygem-activerecord</name>
<range><lt>3.2.22.1</lt></range>
</package>
<package>
<name>rubygem-activerecord4</name>
<range><lt>4.2.5.1</lt></range>
</package>
<package>
<name>rubygem-rails</name>
<range><lt>3.2.22.1</lt></range>
</package>
<package>
<name>rubygem-rails-html-sanitizer</name>
<range><lt>1.0.3</lt></range>
</package>
<package>
<name>rubygem-rails4</name>
<range><lt>4.2.5.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby on Rails blog:</p>
<blockquote cite="http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/">
<p>Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, and 3.2.22.1 have been
released! These contain important security fixes, and it is
recommended that users upgrade as soon as possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7576</cvename>
<cvename>CVE-2015-7577</cvename>
<cvename>CVE-2015-7581</cvename>
<cvename>CVE-2016-0751</cvename>
<cvename>CVE-2016-0752</cvename>
<cvename>CVE-2016-0753</cvename>
<url>https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ</url>
<url>https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ</url>
<url>https://groups.google.com/d/msg/rubyonrails-security/dthJ5wL69JE/YzPnFelbFQAJ</url>
<url>https://groups.google.com/d/msg/rubyonrails-security/9oLY_FCzvoc/w9oI9XxbFQAJ</url>
<url>https://groups.google.com/d/msg/rubyonrails-security/335P1DcLG00/OfB9_LhbFQAJ</url>
<url>https://groups.google.com/d/msg/rubyonrails-security/6jQVC1geukQ/8oYETcxbFQAJ</url>
<url>http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/</url>
</references>
<dates>
<discovery>2016-01-25</discovery>
<entry>2016-02-02</entry>
</dates>
</vuln>
<vuln vid="a52a7172-c92e-11e5-96d6-14dae9d210b8">
<topic>socat -- Diffie-Hellman parameter was not prime</topic>
<affects>
<package>
<name>socat</name>
<range><ge>1.7.2.5</ge><lt>1.7.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>socat reports:</p>
<blockquote cite="http://www.dest-unreach.org/socat/contrib/socat-secadv7.html">
<p>In the OpenSSL address implementation the hard coded 1024
bit DH p parameter was not prime. The effective cryptographic strength
of a key exchange using these parameters was weaker than the one one
could get by using a prime p. Moreover, since there is no indication of
how these parameters were chosen, the existence of a trapdoor that makes
possible for an eavesdropper to recover the shared secret from a key
exchange that uses them cannot be ruled out.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.dest-unreach.org/socat/contrib/socat-secadv7.html</url>
</references>
<dates>
<discovery>2016-02-01</discovery>
<entry>2016-02-01</entry>
</dates>
</vuln>
<vuln vid="4f00dac0-1e18-4481-95af-7aaad63fd303">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<name>linux-firefox</name>
<range><lt>44.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.41</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>38.6.0,1</lt></range>
</package>
<package>
<name>libxul</name>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>38.6.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox44">
<p>MFSA 2016-01 Miscellaneous memory safety hazards (rv:44.0
/ rv:38.6)</p>
<p>MFSA 2016-02 Out of Memory crash when parsing GIF format
images</p>
<p>MFSA 2016-03 Buffer overflow in WebGL after out of memory
allocation</p>
<p>MFSA 2016-04 Firefox allows for control characters to be
set in cookie names</p>
<p>MFSA 2016-06 Missing delay following user click events in
protocol handler dialog</p>
<p>MFSA 2016-09 Addressbar spoofing attacks</p>
<p>MFSA 2016-10 Unsafe memory manipulation found through
code inspection</p>
<p>MFSA 2016-11 Application Reputation service disabled in
Firefox 43</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7208</cvename>
<cvename>CVE-2016-1930</cvename>
<cvename>CVE-2016-1931</cvename>
<cvename>CVE-2016-1933</cvename>
<cvename>CVE-2016-1935</cvename>
<cvename>CVE-2016-1937</cvename>
<cvename>CVE-2016-1939</cvename>
<cvename>CVE-2016-1942</cvename>
<cvename>CVE-2016-1943</cvename>
<cvename>CVE-2016-1944</cvename>
<cvename>CVE-2016-1945</cvename>
<cvename>CVE-2016-1946</cvename>
<cvename>CVE-2016-1947</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2016-01/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-02/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-03/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-04/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-06/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-09/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-10/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2016-11/</url>
</references>
<dates>
<discovery>2016-01-26</discovery>
<entry>2016-02-01</entry>
<modified>2016-03-08</modified>
</dates>
</vuln>
<vuln vid="e00d8b94-c88a-11e5-b5fe-002590263bf5">
<topic>gdcm -- multiple vulnerabilities</topic>
<affects>
<package>
<name>gdcm</name>
<range><lt>2.6.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CENSUS S.A. reports:</p>
<blockquote cite="http://census-labs.com/news/2016/01/11/gdcm-buffer-overflow-imageregionreaderreadintobuffer/">
<p>GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are
prone to an integer overflow vulnerability which leads to a buffer
overflow and potentially to remote code execution.</p>
</blockquote>
<blockquote cite="http://census-labs.com/news/2016/01/11/gdcm-out-bounds-read-jpeglscodec-decodeextent/">
<p>GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are
prone to an out-of-bounds read vulnerability due to missing checks.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8396</cvename>
<cvename>CVE-2015-8397</cvename>
<url>http://census-labs.com/news/2016/01/11/gdcm-buffer-overflow-imageregionreaderreadintobuffer/</url>
<url>http://census-labs.com/news/2016/01/11/gdcm-out-bounds-read-jpeglscodec-decodeextent/</url>
</references>
<dates>
<discovery>2015-12-23</discovery>
<entry>2016-02-01</entry>
</dates>
</vuln>
<vuln vid="c1c18ee1-c711-11e5-96d6-14dae9d210b8">
<topic>nginx -- multiple vulnerabilities</topic>
<affects>
<package>
<name>nginx</name>
<range><lt>1.8.1,2</lt></range>
</package>
<package>
<name>nginx-devel</name>
<range><lt>1.9.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Maxim Dounin reports:</p>
<blockquote cite="http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html">
<p>Several problems in nginx resolver were identified, which
might allow an attacker to cause worker process crash, or might have
potential other impact if the "resolver" directive
is used in a configuration file.</p>
</blockquote>
</body>
</description>
<references>
<url>http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html</url>
<cvename>CVE-2016-0742</cvename>
<cvename>CVE-2016-0746</cvename>
<cvename>CVE-2016-0747</cvename>
</references>
<dates>
<discovery>2016-01-26</discovery>
<entry>2016-01-30</entry>
</dates>
</vuln>
<vuln vid="a0d77bc8-c6a7-11e5-96d6-14dae9d210b8">
<topic>typo3 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>typo3</name>
<range><lt>7.6.1</lt></range>
</package>
<package>
<name>typo3-lts</name>
<range><lt>6.2.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>TYPO3 Security Team reports:</p>
<blockquote cite="http://lists.typo3.org/pipermail/typo3-announce/2015/000351.html">
<p>It has been discovered that TYPO3 CMS is susceptible to
Cross-Site Scripting and Cross-Site Flashing.</p>
</blockquote>
</body>
</description>
<references>
<url>http://lists.typo3.org/pipermail/typo3-announce/2015/000351.html</url>
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-010/</url>
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-011/</url>
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-012/</url>
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-013/</url>
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-014/</url>
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-015/</url>
</references>
<dates>
<discovery>2015-12-15</discovery>
<entry>2016-01-29</entry>
</dates>
</vuln>
<vuln vid="93eadedb-c6a6-11e5-96d6-14dae9d210b8">
<topic>nghttp2 -- use after free</topic>
<affects>
<package>
<name>nghttp2</name>
<range><lt>1.6.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>nghttp2 reports:</p>
<blockquote cite="https://nghttp2.org/blog/2015/12/23/nghttp2-v1-6-0/">
<p>This release fixes a heap-use-after-free bug in idle stream
handling code. We strongly recommend upgrading older installations
to this latest version as soon as possible.</p>
</blockquote>
</body>
</description>
<references>
<url>https://nghttp2.org/blog/2015/12/23/nghttp2-v1-6-0/</url>
<cvename>CVE-2015-8659</cvename>
</references>
<dates>
<discovery>2015-12-23</discovery>
<entry>2016-01-29</entry>
</dates>
</vuln>
<vuln vid="3166222b-c6a4-11e5-96d6-14dae9d210b8">
<topic>owncloud -- multiple vulnerabilities</topic>
<affects>
<package>
<name>owncloud</name>
<range><lt>8.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Owncloud reports:</p>
<blockquote cite="https://owncloud.org/blog/owncloud-8-2-2-8-1-5-8-0-10-and-7-0-12-here-with-sharing-ldap-fixes/">
<ul>
<li><p>Reflected XSS in OCS provider discovery
(oC-SA-2016-001)</p></li>
<li><p>Information Exposure Through Directory Listing in the
file scanner (oC-SA-2016-002)</p></li>
<li><p>Disclosure of files that begin with ".v" due to
unchecked return value (oC-SA-2016-003)</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://owncloud.org/blog/owncloud-8-2-2-8-1-5-8-0-10-and-7-0-12-here-with-sharing-ldap-fixes/</url>
<url>https://owncloud.org/security/advisory/?id=oc-sa-2016-001</url>
<url>https://owncloud.org/security/advisory/?id=oc-sa-2016-002</url>
<url>https://owncloud.org/security/advisory/?id=oc-sa-2016-003</url>
<cvename>CVE-2016-1498</cvename>
<cvename>CVE-2016-1499</cvename>
<cvename>CVE-2016-1500</cvename>
</references>
<dates>
<discovery>2015-12-23</discovery>
<entry>2016-01-29</entry>
</dates>
</vuln>
<vuln vid="ff824eea-c69c-11e5-96d6-14dae9d210b8">
<topic>radicale -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py27-radicale</name>
<name>py32-radicale</name>
<name>py33-radicale</name>
<name>py34-radicale</name>
<range><lt>1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Radicale reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/01/06/4">
<p>The multifilesystem backend allows access to arbitrary
files on all platforms.</p>
<p>Prevent regex injection in rights management.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2016/01/06/4</url>
<cvename>CVE-2015-8747</cvename>
<cvename>CVE-2015-8748</cvename>
</references>
<dates>
<discovery>2015-12-24</discovery>
<entry>2016-01-29</entry>
</dates>
</vuln>
<vuln vid="7a59e283-c60b-11e5-bf36-6805ca0b3d42">
<topic>phpmyadmin -- XSS vulnerability in SQL editor</topic>
<affects>
<package>
<name>phpmyadmin</name>
<range><ge>4.5.0</ge><lt>4.5.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-9/">
<p>With a crafted SQL query, it is possible to trigger an
XSS attack in the SQL editor.</p>
<p>We consider this vulnerability to be non-critical.</p>
<p>This vulnerability can be triggered only by someone who is
logged in to phpMyAdmin, as the usual token protection
prevents non-logged-in users from accessing the required
pages.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2016-9/</url>
<cvename>CVE-2016-2045</cvename>
</references>
<dates>
<discovery>2016-01-28</discovery>
<entry>2016-01-28</entry>
</dates>
</vuln>
<vuln vid="78b4ebfb-c60b-11e5-bf36-6805ca0b3d42">
<topic>phpmyadmin -- Full path disclosure vulnerability in SQL parser</topic>
<affects>
<package>
<name>phpmyadmin</name>
<range><ge>4.5.0</ge><lt>4.5.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-8/">
<p>By calling a particular script that is part of phpMyAdmin
in an unexpected way, it is possible to trigger phpMyAdmin
to display a PHP error message which contains the full path
of the directory where phpMyAdmin is installed.</p>
<p>We consider this vulnerability to be non-critical.</p>
<p>This path disclosure is possible on servers where the
recommended setting of the PHP configuration directive
display_errors is set to on, which is against the
recommendations given in the PHP manual for a production
server.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2016-8/</url>
<cvename>CVE-2016-2044</cvename>
</references>
<dates>
<discovery>2016-01-28</discovery>
<entry>2016-01-28</entry>
</dates>
</vuln>
<vuln vid="7694927f-c60b-11e5-bf36-6805ca0b3d42">
<topic>phpmyadmin -- XSS vulnerability in normalization page</topic>
<affects>
<package>
<name>phpmyadmin</name>
<range><ge>4.5.0</ge><lt>4.5.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-7/">
<p>With a crafted table name it is possible to trigger an
XSS attack in the database normalization page.</p>
<p>We consider this vulnerability to be non-critical.</p>
<p>This vulnerability can be triggered only by someone who is
logged in to phpMyAdmin, as the usual token protection
prevents non-logged-in users from accessing the required page.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2016-7/</url>
<cvename>CVE-2016-2043</cvename>
</references>
<dates>
<discovery>2016-01-28</discovery>
<entry>2016-01-28</entry>
</dates>
</vuln>
<vuln vid="740badcb-c60b-11e5-bf36-6805ca0b3d42">
<topic>phpmyadmin -- Multiple full path disclosure vulnerabilities</topic>
<affects>
<package>
<name>phpmyadmin</name>
<range><ge>4.5.0</ge><lt>4.5.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-6/">
<p>By calling some scripts that are part of phpMyAdmin in an
unexpected way, it is possible to trigger phpMyAdmin to
display a PHP error message which contains the full path of
the directory where phpMyAdmin is installed.</p>
<p>We consider these vulnerabilities to be non-critical.</p>
<p>This path disclosure is possible on servers where the
recommended setting of the PHP configuration directive
display_errors is set to on, which is against the
recommendations given in the PHP manual for a production
server.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2016-6/</url>
<cvename>CVE-2016-2042</cvename>
</references>
<dates>
<discovery>2016-01-28</discovery>
<entry>2016-01-28</entry>
</dates>
</vuln>
<vuln vid="71b24d99-c60b-11e5-bf36-6805ca0b3d42">
<topic>phpmyadmin -- Unsafe comparison of XSRF/CSRF token</topic>
<affects>
<package>
<name>phpmyadmin</name>
<range><ge>4.5.0</ge><lt>4.5.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-5/">
<p>The comparison of the XSRF/CSRF token parameter with the
value saved in the session is vulnerable to timing
attacks. Moreover, the comparison could be bypassed if the
XSRF/CSRF token matches a particular pattern.</p>
<p>We consider this vulnerability to be serious.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2016-5/</url>
<cvename>CVE-2016-2041</cvename>
</references>
<dates>
<discovery>2016-01-28</discovery>
<entry>2016-01-28</entry>
</dates>
</vuln>
<vuln vid="6f0c2d1b-c60b-11e5-bf36-6805ca0b3d42">
<topic>phpmyadmin -- Insecure password generation in JavaScript</topic>
<affects>
<package>
<name>phpmyadmin</name>
<range><ge>4.5.0</ge><lt>4.5.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-4/">
<p>Password suggestion functionality uses Math.random()
which does not provide cryptographically secure random
numbers.</p>
<p>We consider this vulnerability to be non-critical.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2016-4/</url>
<cvename>CVE-2016-1927</cvename>
</references>
<dates>
<discovery>2016-01-28</discovery>
<entry>2016-01-28</entry>
</dates>
</vuln>
<vuln vid="6cc06eec-c60b-11e5-bf36-6805ca0b3d42">
<topic>phpmyadmin -- Multiple XSS vulnerabilities</topic>
<affects>
<package>
<name>phpmyadmin</name>
<range><ge>4.5.0</ge><lt>4.5.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-3/">
<ul>
<li>With a crafted table name it is possible to trigger
an XSS attack in the database search page.</li>
<li>With a crafted SET value or a crafted search query, it
is possible to trigger an XSS attack in the zoom search
page.</li>
<li>With a crafted hostname header, it is possible to
trigger an XSS attack in the home page.</li>
</ul>
<p>We consider these vulnerabilities to be non-critical.</p>
<p>These vulnerabilities can be triggered only by someone
who is logged in to phpMyAdmin, as the usual token
protection prevents non-logged-in users from accessing the
required pages.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2016-3/</url>
<cvename>CVE-2016-2040</cvename>
</references>
<dates>
<discovery>2016-01-28</discovery>
<entry>2016-01-28</entry>
</dates>
</vuln>
<vuln vid="60ab0e93-c60b-11e5-bf36-6805ca0b3d42">
<topic>phpmyadmin -- Unsafe generation of XSRF/CSRF token</topic>
<affects>
<package>
<name>phpmyadmin</name>
<range><ge>4.5.0</ge><lt>4.5.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-2/">
<p>The XSRF/CSRF token is generated with a weak algorithm
using functions that do not return cryptographically secure
values.</p>
<p>We consider this vulnerability to be non-critical.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2016-2/</url>
<cvename>CVE-2016-2039</cvename>
</references>
<dates>
<discovery>2016-01-28</discovery>
<entry>2016-01-28</entry>
</dates>
</vuln>
<vuln vid="5d6a204f-c60b-11e5-bf36-6805ca0b3d42">
<topic>phpmyadmin -- Multiple full path disclosure vulnerabilities</topic>
<affects>
<package>
<name>phpmyadmin</name>
<range><ge>4.5.0</ge><lt>4.5.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-1/">
<p>By calling some scripts that are part of phpMyAdmin in an
unexpected way, it is possible to trigger phpMyAdmin to
display a PHP error message which contains the full path of
the directory where phpMyAdmin is installed.</p>
<p>We consider these vulnerabilities to be non-critical.</p>
<p>This path disclosure is possible on servers where the
recommended setting of the PHP configuration directive
display_errors is set to on, which is against the
recommendations given in the PHP manual for a production
server.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2016-1/</url>
<cvename>CVE-2016-2038</cvename>
</references>
<dates>
<discovery>2016-01-28</discovery>
<entry>2016-01-28</entry>
</dates>
</vuln>
<vuln vid="50394bc9-c5fa-11e5-96a5-d93b343d1ff7">
<topic>prosody -- user impersonation vulnerability</topic>
<affects>
<package>
<name>prosody</name>
<range><lt>0.9.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Prosody team reports:</p>
<blockquote cite="https://prosody.im/security/advisory_20160127/">
<p>Adopt key generation algorithm from XEP-0185, to
prevent impersonation attacks (CVE-2016-0756)</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/206707</freebsdpr>
<cvename>CVE-2016-0756</cvename>
<url>https://prosody.im/security/advisory_20160127/</url>
</references>
<dates>
<discovery>2016-01-27</discovery>
<entry>2016-01-28</entry>
</dates>
</vuln>
<vuln vid="3679fd10-c5d1-11e5-b85f-0018fe623f2b">
<topic>openssl -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.2_7</lt></range>
</package>
<package>
<name>mingw32-openssl</name>
<range><ge>1.0.1</ge><lt>1.0.2f</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.2</ge><lt>10.2_12</lt></range>
<range><ge>10.1</ge><lt>10.1_29</lt></range>
<range><ge>9.3</ge><lt>9.3_36</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL project reports:</p>
<blockquote cite="https://www.openssl.org/news/secadv/20160128.txt">
<ol>
<li>Historically OpenSSL only ever generated DH parameters based on "safe"
primes. More recently (in version 1.0.2) support was provided for
generating X9.42 style parameter files such as those required for RFC 5114
support. The primes used in such files may not be "safe". Where an
application is using DH configured with parameters based on primes that are
not "safe" then an attacker could use this fact to find a peer's private
DH exponent. This attack requires that the attacker complete multiple
handshakes in which the peer uses the same private DH exponent. For example
this could be used to discover a TLS server's private DH exponent if it's
reusing the private DH exponent or it's using a static DH ciphersuite.
OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
TLS. It is not on by default. If the option is not set then the server
reuses the same private DH exponent for the life of the server process and
would be vulnerable to this attack. It is believed that many popular
applications do set this option and would therefore not be at risk.
(CVE-2016-0701)</li>
<li>A malicious client can negotiate SSLv2 ciphers that have been disabled on
the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
been disabled, provided that the SSLv2 protocol was not also disabled via
SSL_OP_NO_SSLv2.
(CVE-2015-3197)</li>
</ol>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-16:11.openssl</freebsdsa>
<cvename>CVE-2016-0701</cvename>
<cvename>CVE-2015-3197</cvename>
<url>https://www.openssl.org/news/secadv/20160128.txt</url>
</references>
<dates>
<discovery>2016-01-22</discovery>
<entry>2016-01-28</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="8b27f1bc-c509-11e5-a95f-b499baebfeaf">
<topic>curl -- Credentials not checked</topic>
<affects>
<package>
<name>curl</name>
<range><ge>7.10.0</ge><lt>7.47.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The cURL project reports:</p>
<blockquote cite="http://curl.haxx.se/docs/adv_20160127A.html">
<p>libcurl will reuse NTLM-authenticated proxy connections
without properly making sure that the connection was
authenticated with the same credentials as set for this
transfer.</p>
</blockquote>
</body>
</description>
<references>
<url>http://curl.haxx.se/docs/adv_20160127A.html</url>
<cvename>CVE-2016-0755</cvename>
</references>
<dates>
<discovery>2016-01-27</discovery>
<entry>2016-01-27</entry>
<modified>2017-02-06</modified>
</dates>
</vuln>
<vuln vid="fb754341-c3e2-11e5-b5fe-002590263bf5">
<topic>wordpress -- XSS vulnerability</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.4.1,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>ja-wordpress</name>
<name>ru-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.4.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Aaron Jorbin reports:</p>
<blockquote cite="https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/">
<p>WordPress 4.4.1 is now available. This is a security release for
all previous versions and we strongly encourage you to update your
sites immediately.</p>
<p>WordPress versions 4.4 and earlier are affected by a cross-site
scripting vulnerability that could allow a site to be compromised.
This was reported by Crtc4L.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1564</cvename>
<url>http://www.openwall.com/lists/oss-security/2016/01/08/3</url>
<url>https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/</url>
</references>
<dates>
<discovery>2016-01-06</discovery>
<entry>2016-01-26</entry>
<modified>2016-03-08</modified>
</dates>
</vuln>
<vuln vid="a763a0e7-c3d9-11e5-b5fe-002590263bf5">
<topic>privoxy -- multiple vulnerabilities</topic>
<affects>
<package>
<name>privoxy</name>
<range><lt>3.0.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Privoxy Developers reports:</p>
<blockquote cite="http://www.privoxy.org/3.0.24/user-manual/whatsnew.html">
<p>Prevent invalid reads in case of corrupt chunk-encoded content.
CVE-2016-1982. Bug discovered with afl-fuzz and AddressSanitizer.
</p>
<p>Remove empty Host headers in client requests. Previously they
would result in invalid reads. CVE-2016-1983. Bug discovered with
afl-fuzz and AddressSanitizer.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1982</cvename>
<cvename>CVE-2016-1983</cvename>
<freebsdpr>ports/206504</freebsdpr>
<url>http://www.privoxy.org/3.0.24/user-manual/whatsnew.html</url>
<url>http://www.openwall.com/lists/oss-security/2016/01/21/4</url>
</references>
<dates>
<discovery>2016-01-22</discovery>
<entry>2016-01-26</entry>
</dates>
</vuln>
<vuln vid="d9e1b569-c3d8-11e5-b5fe-002590263bf5">
<topic>privoxy -- multiple vulnerabilities</topic>
<affects>
<package>
<name>privoxy</name>
<range><lt>3.0.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Privoxy Developers reports:</p>
<blockquote cite="http://www.privoxy.org/3.0.23/user-manual/whatsnew.html">
<p>Fixed a DoS issue in case of client requests with incorrect
chunk-encoded body. When compiled with assertions enabled (the
default) they could previously cause Privoxy to abort(). Reported
by Matthew Daley. CVE-2015-1380.</p>
<p>Fixed multiple segmentation faults and memory leaks in the pcrs
code. This fix also increases the chances that an invalid pcrs
command is rejected as such. Previously some invalid commands would
be loaded without error. Note that Privoxy's pcrs sources (action
and filter files) are considered trustworthy input and should not be
writable by untrusted third-parties. CVE-2015-1381.</p>
<p>Fixed an 'invalid read' bug which could at least theoretically
cause Privoxy to crash. So far, no crashes have been observed.
CVE-2015-1382.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1380</cvename>
<cvename>CVE-2015-1381</cvename>
<cvename>CVE-2015-1382</cvename>
<freebsdpr>ports/197089</freebsdpr>
<url>http://www.privoxy.org/3.0.23/user-manual/whatsnew.html</url>
<url>http://www.openwall.com/lists/oss-security/2015/01/26/4</url>
</references>
<dates>
<discovery>2015-01-26</discovery>
<entry>2016-01-26</entry>
</dates>
</vuln>
<vuln vid="89d4ed09-c3d7-11e5-b5fe-002590263bf5">
<topic>privoxy -- multiple vulnerabilities</topic>
<affects>
<package>
<name>privoxy</name>
<range><lt>3.0.22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Privoxy Developers reports:</p>
<blockquote cite="http://www.privoxy.org/3.0.22/user-manual/whatsnew.html">
<p>Fixed a memory leak when rejecting client connections due to the
socket limit being reached (CID 66382). This affected Privoxy 3.0.21
when compiled with IPv6 support (on most platforms this is the
default).</p>
<p>Fixed an immediate-use-after-free bug (CID 66394) and two
additional unconfirmed use-after-free complaints made by Coverity
scan (CID 66391, CID 66376).</p>
</blockquote>
<p>MITRE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1201">
<p>Privoxy before 3.0.22 allows remote attackers to cause a denial
of service (file descriptor consumption) via unspecified vectors.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1030</cvename>
<cvename>CVE-2015-1031</cvename>
<cvename>CVE-2015-1201</cvename>
<freebsdpr>ports/195468</freebsdpr>
<url>http://www.privoxy.org/3.0.22/user-manual/whatsnew.html</url>
<url>http://www.openwall.com/lists/oss-security/2015/01/11/1</url>
</references>
<dates>
<discovery>2015-01-10</discovery>
<entry>2016-01-26</entry>
</dates>
</vuln>
<vuln vid="ad82b0e9-c3d6-11e5-b5fe-002590263bf5">
<topic>privoxy -- malicious server spoofing as proxy vulnerability</topic>
<affects>
<package>
<name>privoxy</name>
<range><lt>3.0.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Privoxy Developers reports:</p>
<blockquote cite="http://www.privoxy.org/3.0.21/user-manual/whatsnew.html">
<p>Proxy authentication headers are removed unless the new directive
enable-proxy-authentication-forwarding is used. Forwarding the
headers potentially allows malicious sites to trick the user into
providing them with login information. Reported by Chris John Riley.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2503</cvename>
<freebsdpr>ports/176813</freebsdpr>
<url>http://www.privoxy.org/3.0.21/user-manual/whatsnew.html</url>
</references>
<dates>
<discovery>2013-03-07</discovery>
<entry>2016-01-26</entry>
</dates>
</vuln>
<vuln vid="2e8cdd36-c3cc-11e5-b5fe-002590263bf5">
<topic>sudo -- potential privilege escalation via symlink misconfiguration</topic>
<affects>
<package>
<name>sudo</name>
<range><lt>1.8.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5602">
<p>sudoedit in Sudo before 1.8.15 allows local users to gain
privileges via a symlink attack on a file whose full path is defined
using multiple wildcards in /etc/sudoers, as demonstrated by
"/home/*/*/file.txt."</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5602</cvename>
<freebsdpr>ports/206590</freebsdpr>
<url>https://www.exploit-db.com/exploits/37710/</url>
<url>https://bugzilla.sudo.ws/show_bug.cgi?id=707</url>
<url>http://www.sudo.ws/stable.html#1.8.15</url>
</references>
<dates>
<discovery>2015-11-17</discovery>
<entry>2016-01-26</entry>
</dates>
</vuln>
<vuln vid="99d3a8a5-c13c-11e5-96d6-14dae9d210b8">
<topic>imlib2 -- denial of service vulnerabilities</topic>
<affects>
<package>
<name>imlib2</name>
<range><lt>1.4.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Enlightenment reports:</p>
<blockquote cite="https://git.enlightenment.org/legacy/imlib2.git/tree/ChangeLog">
<p>GIF loader: Fix segv on images without colormap</p>
<p>Prevent division-by-zero crashes.</p>
<p>Fix segfault when opening input/queue/id:000007,src:000000,op:flip1,pos:51 with feh</p>
</blockquote>
</body>
</description>
<references>
<url>https://git.enlightenment.org/legacy/imlib2.git/tree/ChangeLog</url>
<url>http://seclists.org/oss-sec/2016/q1/162</url>
<cvename>CVE-2014-9762</cvename>
<cvename>CVE-2014-9763</cvename>
<cvename>CVE-2014-9764</cvename>
</references>
<dates>
<discovery>2013-12-21</discovery>
<entry>2016-01-22</entry>
</dates>
</vuln>
<vuln vid="b4578647-c12b-11e5-96d6-14dae9d210b8">
<topic>bind -- denial of service vulnerability</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.8P3</lt></range>
</package>
<package>
<name>bind910</name>
<range><lt>9.10.3P3</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>9.3</ge><lt>9.3_35</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01335">
<p>Specific APL data could trigger an INSIST in apl_42.c</p>
</blockquote>
</body>
</description>
<references>
<url>https://kb.isc.org/article/AA-01335</url>
<cvename>CVE-2015-8704</cvename>
<freebsdsa>SA-16:08.bind</freebsdsa>
</references>
<dates>
<discovery>2016-01-19</discovery>
<entry>2016-01-22</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="371bbea9-3836-4832-9e70-e8e928727f8c">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>48.0.2564.82</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.de/2016/01/stable-channel-update_20.html">
<p>This update includes 37 security fixes, including:</p>
<ul>
<li>[497632] High CVE-2016-1612: Bad cast in V8.</li>
<li>[572871] High CVE-2016-1613: Use-after-free in PDFium.</li>
<li>[544691] Medium CVE-2016-1614: Information leak in Blink.</li>
<li>[468179] Medium CVE-2016-1615: Origin confusion in Omnibox.</li>
<li>[541415] Medium CVE-2016-1616: URL Spoofing.</li>
<li>[544765] Medium CVE-2016-1617: History sniffing with HSTS and
CSP.</li>
<li>[552749] Medium CVE-2016-1618: Weak random number generator in
Blink.</li>
<li>[557223] Medium CVE-2016-1619: Out-of-bounds read in
PDFium.</li>
<li>[579625] CVE-2016-1620: Various fixes from internal audits,
fuzzing and other initiatives.</li>
<li>Multiple vulnerabilities in V8 fixed at the tip of the 4.8
branch.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1612</cvename>
<cvename>CVE-2016-1613</cvename>
<cvename>CVE-2016-1614</cvename>
<cvename>CVE-2016-1615</cvename>
<cvename>CVE-2016-1616</cvename>
<cvename>CVE-2016-1617</cvename>
<cvename>CVE-2016-1618</cvename>
<cvename>CVE-2016-1619</cvename>
<cvename>CVE-2016-1620</cvename>
<url>http://googlechromereleases.blogspot.de/2016/01/stable-channel-update_20.html</url>
</references>
<dates>
<discovery>2016-01-20</discovery>
<entry>2016-01-21</entry>
</dates>
</vuln>
<vuln vid="5237f5d7-c020-11e5-b397-d050996490d0">
<topic>ntp -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ntp</name>
<range><lt>4.2.8p6</lt></range>
</package>
<package>
<name>ntp-devel</name>
<range><lt>4.3.90</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.2</ge><lt>10.2_11</lt></range>
<range><ge>10.1</ge><lt>10.1_28</lt></range>
<range><ge>9.3</ge><lt>9.3_35</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Network Time Foundation reports:</p>
<blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit">
<p>NTF's NTP Project has been notified of the following low-
and medium-severity vulnerabilities that are fixed in
ntp-4.2.8p6, released on Tuesday, 19 January 2016:</p>
<ul>
<li>Bug 2948 / CVE-2015-8158: Potential Infinite Loop
in ntpq. Reported by Cisco ASIG.</li>
<li>Bug 2945 / CVE-2015-8138: origin: Zero Origin
Timestamp Bypass. Reported by Cisco ASIG.</li>
<li>Bug 2942 / CVE-2015-7979: Off-path Denial of
Service (DoS) attack on authenticated broadcast
mode. Reported by Cisco ASIG.</li>
<li>Bug 2940 / CVE-2015-7978: Stack exhaustion in
recursive traversal of restriction list.
Reported by Cisco ASIG.</li>
<li>Bug 2939 / CVE-2015-7977: reslist NULL pointer
dereference. Reported by Cisco ASIG.</li>
<li>Bug 2938 / CVE-2015-7976: ntpq saveconfig command
allows dangerous characters in filenames.
Reported by Cisco ASIG.</li>
<li>Bug 2937 / CVE-2015-7975: nextvar() missing length
check. Reported by Cisco ASIG.</li>
<li>Bug 2936 / CVE-2015-7974: Skeleton Key: Missing
key check allows impersonation between authenticated
peers. Reported by Cisco ASIG.</li>
<li>Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on
authenticated broadcast mode. Reported by Cisco ASIG.</li>
</ul>
<p>Additionally, mitigations are published for the following
two issues:</p>
<ul>
<li>Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay
attacks. Reported by Cisco ASIG.</li>
<li>Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc,
disclose origin. Reported by Cisco ASIG.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-16:09.ntp</freebsdsa>
<cvename>CVE-2015-7973</cvename>
<cvename>CVE-2015-7974</cvename>
<cvename>CVE-2015-7975</cvename>
<cvename>CVE-2015-7976</cvename>
<cvename>CVE-2015-7977</cvename>
<cvename>CVE-2015-7978</cvename>
<cvename>CVE-2015-7979</cvename>
<cvename>CVE-2015-8138</cvename>
<cvename>CVE-2015-8139</cvename>
<cvename>CVE-2015-8140</cvename>
<cvename>CVE-2015-8158</cvename>
<url>http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit</url>
</references>
<dates>
<discovery>2016-01-20</discovery>
<entry>2016-01-21</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="62c0dbbd-bfce-11e5-b5fe-002590263bf5">
<topic>cgit -- multiple vulnerabilities</topic>
<affects>
<package>
<name>cgit</name>
<range><lt>0.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jason A. Donenfeld reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/01/14/6">
<p>Reflected Cross Site Scripting and Header Injection in Mimetype
Query String.</p>
<p>Stored Cross Site Scripting and Header Injection in Filename
Parameter.</p>
<p>Integer Overflow resulting in Buffer Overflow.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1899</cvename>
<cvename>CVE-2016-1900</cvename>
<cvename>CVE-2016-1901</cvename>
<freebsdpr>ports/206417</freebsdpr>
<url>http://lists.zx2c4.com/pipermail/cgit/2016-January/002817.html</url>
<url>http://www.openwall.com/lists/oss-security/2016/01/14/6</url>
</references>
<dates>
<discovery>2016-01-14</discovery>
<entry>2016-01-20</entry>
</dates>
</vuln>
<vuln vid="314830d8-bf91-11e5-96d6-14dae9d210b8">
<topic>bind -- denial of service vulnerability</topic>
<affects>
<package>
<name>bind910</name>
<range><lt>9.10.3P3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01336">
<p>Problems converting OPT resource records and ECS options to
text format can cause BIND to terminate</p>
</blockquote>
</body>
</description>
<references>
<url>https://kb.isc.org/article/AA-01336</url>
<cvename>CVE-2015-8705</cvename>
</references>
<dates>
<discovery>2016-01-19</discovery>
<entry>2016-01-20</entry>
<modified>2016-01-22</modified>
</dates>
</vuln>
<vuln vid="51358314-bec8-11e5-82cd-bcaec524bf84">
<topic>claws-mail -- no bounds checking on the output buffer in conv_jistoeuc, conv_euctojis, conv_sjistoeuc</topic>
<affects>
<package>
<name>claws-mail</name>
<range><lt>3.13.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>DrWhax reports:</p>
<blockquote cite="http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3557">
<p>So in codeconv.c there is a function for Japanese character set
conversion called conv_jistoeuc(). There is no bounds checking on
the output buffer, which is created on the stack with alloca().
Bug can be triggered by sending an email to TAILS_luser@riseup.net
or whatever.
Since my C is completely rusty, you might be able to make a better
judgment on the severity of this issue. Marking critical for now.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8614</cvename>
<url>https://security-tracker.debian.org/tracker/CVE-2015-8614</url>
</references>
<dates>
<discovery>2015-11-04</discovery>
<entry>2016-01-19</entry>
</dates>
</vuln>
<vuln vid="7c63775e-be31-11e5-b5fe-002590263bf5">
<topic>libarchive -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libarchive</name>
<range><lt>3.1.2_5,1</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.3</ge><lt>10.3_4</lt></range>
<range><ge>10.2</ge><lt>10.2_18</lt></range>
<range><ge>10.1</ge><lt>10.1_35</lt></range>
<range><ge>9.3</ge><lt>9.3_43</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0211">
<p>Integer signedness error in the archive_write_zip_data function in
archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when
running on 64-bit machines, allows context-dependent attackers to
cause a denial of service (crash) via unspecified vectors, which
triggers an improper conversion between unsigned and signed types,
leading to a buffer overflow.</p>
</blockquote>
<blockquote cite="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304">
<p>Absolute path traversal vulnerability in bsdcpio in libarchive
3.1.2 and earlier allows remote attackers to write to arbitrary
files via a full pathname in an archive.</p>
</blockquote>
<p>Libarchive issue tracker reports:</p>
<blockquote cite="https://github.com/libarchive/libarchive/issues/502">
<p>Using a crafted tar file bsdtar can perform an out-of-bounds memory
read which will lead to a SEGFAULT. The issue exists when the
executable skips data in the archive. The amount of data to skip is
defined in byte offset [16-19]. If ASLR is disabled, the issue can
lead to an infinite loop.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0211</cvename>
<cvename>CVE-2015-2304</cvename>
<freebsdpr>ports/200176</freebsdpr>
<freebsdsa>SA-16:22.libarchive</freebsdsa>
<freebsdsa>SA-16:23.libarchive</freebsdsa>
<url>https://github.com/libarchive/libarchive/pull/110</url>
<url>https://github.com/libarchive/libarchive/commit/5935715</url>
<url>https://github.com/libarchive/libarchive/commit/2253154</url>
<url>https://github.com/libarchive/libarchive/issues/502</url>
<url>https://github.com/libarchive/libarchive/commit/3865cf2</url>
<url>https://github.com/libarchive/libarchive/commit/e6c9668</url>
<url>https://github.com/libarchive/libarchive/commit/24f5de6</url>
</references>
<dates>
<discovery>2012-12-06</discovery>
<entry>2016-01-18</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="6809c6db-bdeb-11e5-b5fe-002590263bf5">
<topic>go -- information disclosure vulnerability</topic>
<affects>
<package>
<name>go</name>
<range><ge>1.5,1</ge><lt>1.5.3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jason Buberel reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/01/13/7">
<p>A security-related issue has been reported in Go's math/big
package. The issue was introduced in Go 1.5. We recommend that all
users upgrade to Go 1.5.3, which fixes the issue. Go programs must
be recompiled with Go 1.5.3 in order to receive the fix.</p>
<p>The Go team would like to thank Nick Craig-Wood for identifying the
issue.</p>
<p>This issue can affect RSA computations in crypto/rsa, which is used
by crypto/tls. TLS servers on 32-bit systems could plausibly leak
their RSA private key due to this issue. Other protocol
implementations that create many RSA signatures could also be
impacted in the same way.</p>
<p>Specifically, incorrect results in one part of the RSA Chinese
Remainder computation can cause the result to be incorrect in such a
way that it leaks one of the primes. While RSA blinding should
prevent an attacker from crafting specific inputs that trigger the
bug, on 32-bit systems the bug can be expected to occur at random
around one in 2^26 times. Thus collecting around 64 million
signatures (of known data) from an affected server should be enough
to extract the private key used.</p>
<p>On 64-bit systems, the frequency of the bug is so low (less than
one in 2^50) that it would be very difficult to exploit.
Nonetheless, everyone is strongly encouraged to upgrade.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8618</cvename>
<url>http://www.openwall.com/lists/oss-security/2016/01/13/7</url>
<url>https://go-review.googlesource.com/#/c/17672/</url>
<url>https://go-review.googlesource.com/#/c/18491/</url>
</references>
<dates>
<discovery>2016-01-13</discovery>
<entry>2016-01-18</entry>
</dates>
</vuln>
<vuln vid="05eeb7e9-b987-11e5-83ef-14dae9d210b8">
<topic>isc-dhcpd -- Denial of Service</topic>
<affects>
<package>
<name>isc-dhcp41-server</name>
<range><lt>4.1.e_10,2</lt></range>
</package>
<package>
<name>isc-dhcp41-client</name>
<range><lt>4.1.e_3,2</lt></range>
</package>
<package>
<name>isc-dhcp41-relay</name>
<range><lt>4.1.e_6,2</lt></range>
</package>
<package>
<name>isc-dhcp42-client</name>
<name>isc-dhcp42-server</name>
<name>isc-dhcp42-relay</name>
<range><ge>0</ge></range>
</package>
<package>
<name>isc-dhcp43-client</name>
<name>isc-dhcp43-server</name>
<name>isc-dhcp43-relay</name>
<range><lt>4.3.3.p1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01334">
<p>A badly formed packet with an invalid IPv4 UDP length field
can cause a DHCP server, client, or relay program to terminate
abnormally.</p>
</blockquote>
</body>
</description>
<references>
<url>https://kb.isc.org/article/AA-01334</url>
<cvename>CVE-2015-8605</cvename>
</references>
<dates>
<discovery>2016-01-05</discovery>
<entry>2016-01-12</entry>
</dates>
</vuln>
<vuln vid="3b5c2362-bd07-11e5-b7ef-5453ed2e2b49">
<topic>libproxy -- stack-based buffer overflow</topic>
<affects>
<!-- libproxy-python is not affected. It only installs a .py file that
dlopen()s libproxy.so. -->
<package>
<name>libproxy</name>
<range><ge>0.4.0</ge><lt>0.4.6_1</lt></range>
</package>
<package>
<name>libproxy-gnome</name>
<range><ge>0.4.0</ge><lt>0.4.6_2</lt></range>
</package>
<package>
<name>libproxy-kde</name>
<range><ge>0.4.0</ge><lt>0.4.6_6</lt></range>
</package>
<package>
<name>libproxy-perl</name>
<range><ge>0.4.0</ge><lt>0.4.6_3</lt></range>
</package>
<package>
<name>libproxy-webkit</name>
<range><ge>0.4.0</ge><lt>0.4.6_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tomas Hoger reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=864417#c0">
<p>A buffer overflow flaw was discovered in libproxy's
url::get_pac(), used to download the proxy.pac proxy auto-configuration
file. A malicious host hosting proxy.pac, or a man-in-the-middle
attacker, could use this flaw to trigger a stack-based buffer
overflow in an application using libproxy, if the proxy configuration
instructed it to download the proxy.pac file from a remote HTTP
server.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4504</cvename>
<url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4504</url>
<mlist>http://www.openwall.com/lists/oss-security/2012/10/12/1</mlist>
<url>https://github.com/libproxy/libproxy/commit/c440553c12836664afd24a24fb3a4d10a2facd2c</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=864417</url>
<mlist>https://groups.google.com/forum/?fromgroups=#!topic/libproxy/VxZ8No7mT0E</mlist>
</references>
<dates>
<discovery>2012-10-10</discovery>
<entry>2016-01-17</entry>
<modified>2016-01-18</modified>
</dates>
</vuln>
<vuln vid="046fedd1-bd01-11e5-bbf4-5404a68ad561">
<topic>ffmpeg -- remote attacker can access local files</topic>
<affects>
<package>
<name>ffmpeg</name>
<range>
<gt>2.0,1</gt>
<lt>2.8.5,1</lt>
</range>
</package>
<package>
<name>mplayer</name>
<name>mencoder</name>
<range>
<lt>1.2.r20151219_2</lt>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Arch Linux reports:</p>
<blockquote cite="https://bugs.archlinux.org/task/47738">
<p>ffmpeg has a vulnerability in the current version that allows an
attacker to create a specially crafted video file; downloading it
will send files from the user's PC to a remote attacker's server. The
attack does not even require the user to open that file — for
example, KDE Dolphin thumbnail generation is enough.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1897</cvename>
<cvename>CVE-2016-1898</cvename>
<freebsdpr>ports/206282</freebsdpr>
<url>https://www.ffmpeg.org/security.html</url>
</references>
<dates>
<discovery>2016-01-13</discovery>
<entry>2016-01-17</entry>
</dates>
</vuln>
<vuln vid="6c808811-bb9a-11e5-a65c-485d605f4717">
<topic>h2o -- directory traversal vulnerability</topic>
<affects>
<package>
<name>h2o</name>
<range><lt>1.6.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Kazuho Oku reports:</p>
<blockquote cite="http://h2o.examp1e.net/vulnerabilities.html">
<p>When the redirect directive is used, this flaw allows a remote
attacker to inject response headers into an HTTP redirect response.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1133</cvename>
<url>https://h2o.examp1e.net/vulnerabilities.html</url>
</references>
<dates>
<discovery>2016-01-13</discovery>
<entry>2016-01-15</entry>
</dates>
</vuln>
<vuln vid="dfe0cdc1-baf2-11e5-863a-b499baebfeaf">
<topic>openssh -- information disclosure</topic>
<affects>
<package>
<name>openssh-portable</name>
<range>
<gt>5.4.p0,1</gt>
<lt>7.1.p2,1</lt>
</range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.2</ge><lt>10.2_10</lt></range>
<range><ge>10.1</ge><lt>10.1_27</lt></range>
<range><ge>9.3</ge><lt>9.3_34</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSH reports:</p>
<blockquote cite="http://www.openssh.com/security.html">
<p>OpenSSH clients between versions 5.4 and 7.1 are vulnerable to
information disclosure that may allow a malicious server to retrieve
information including, under some circumstances, the user's private keys.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openssh.com/security.html</url>
<cvename>CVE-2016-0777</cvename>
<cvename>CVE-2016-0778</cvename>
<freebsdsa>SA-16:07</freebsdsa>
</references>
<dates>
<discovery>2016-01-14</discovery>
<entry>2016-01-14</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="842cd117-ba54-11e5-9728-002590263bf5">
<topic>prosody -- multiple vulnerabilities</topic>
<affects>
<package>
<name>prosody</name>
<range><lt>0.9.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Prosody Team reports:</p>
<blockquote cite="http://blog.prosody.im/prosody-0-9-9-security-release/">
<p>Fix path traversal vulnerability in mod_http_files
(CVE-2016-1231)</p>
<p>Fix use of weak PRNG in generation of dialback secrets
(CVE-2016-1232)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1231</cvename>
<cvename>CVE-2016-1232</cvename>
<freebsdpr>ports/206150</freebsdpr>
<url>http://blog.prosody.im/prosody-0-9-9-security-release/</url>
</references>
<dates>
<discovery>2016-01-08</discovery>
<entry>2016-01-14</entry>
</dates>
</vuln>
<vuln vid="a7a4e96c-ba50-11e5-9728-002590263bf5">
<topic>kibana4 -- XSS vulnerability</topic>
<affects>
<package>
<name>kibana4</name>
<name>kibana41</name>
<range><lt>4.1.4</lt></range>
</package>
<package>
<name>kibana42</name>
<range><lt>4.2.2</lt></range>
</package>
<package>
<name>kibana43</name>
<range><lt>4.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Elastic reports:</p>
<blockquote cite="https://www.elastic.co/blog/kibana-4-3-1-and-4-2-2-and-4-1-4">
<p>Fixes XSS vulnerability (CVE pending) - Thanks to Vladimir Ivanov
for responsibly reporting.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/205961</freebsdpr>
<freebsdpr>ports/205962</freebsdpr>
<freebsdpr>ports/205963</freebsdpr>
<url>https://www.elastic.co/blog/kibana-4-3-1-and-4-2-2-and-4-1-4</url>
</references>
<dates>
<discovery>2015-12-17</discovery>
<entry>2016-01-13</entry>
</dates>
</vuln>
<vuln vid="333f655a-b93a-11e5-9efa-5453ed2e2b49">
<topic>p5-PathTools -- File::Spec::canonpath loses taint</topic>
<affects>
<package>
<name>p5-PathTools</name>
<range>
<gt>3.4000</gt>
<lt>3.6200</lt>
</range>
</package>
<package>
<name>perl5</name>
<name>perl5.20</name>
<name>perl5.22</name>
<name>perl5-devel</name>
<range><ge>5.19.9</ge><lt>5.20.2</lt></range>
<range><ge>5.21.0</ge><lt>5.22.2</lt></range>
<range><ge>5.23.0</ge><lt>5.23.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ricardo Signes reports:</p>
<blockquote>
<p>Beginning in PathTools 3.47 and/or perl 5.20.0, the
File::Spec::canonpath() routine returned untainted strings even if
passed tainted input. This defect undermines the guarantee of taint
propagation, which is sometimes used to ensure that unvalidated
user input does not reach sensitive code.</p>
<p>This defect was found and reported by David Golden of MongoDB.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8607</cvename>
<url>https://rt.perl.org/Public/Bug/Display.html?id=126862</url>
</references>
<dates>
<discovery>2016-01-11</discovery>
<entry>2016-01-12</entry>
<modified>2016-08-22</modified>
</dates>
</vuln>
<vuln vid="6b771fe2-b84e-11e5-92f9-485d605f4717">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php55</name>
<name>php55-gd</name>
<name>php55-wddx</name>
<name>php55-xmlrpc</name>
<range><lt>5.5.31</lt></range>
</package>
<package>
<name>php56</name>
<name>php56-gd</name>
<name>php56-soap</name>
<name>php56-wddx</name>
<name>php56-xmlrpc</name>
<range><lt>5.6.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP reports:</p>
<blockquote cite="http://www.php.net/ChangeLog-5.php#5.5.31">
<ul><li>Core:
<ul>
<li>Fixed bug #70755 (fpm_log.c memory leak and buffer overflow).</li>
</ul></li>
<li>GD:
<ul>
<li>Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array
Index Out of Bounds).</li>
</ul></li>
<li>SOAP:
<ul>
<li>Fixed bug #70900 (SoapClient systematic out of memory error).</li>
</ul></li>
<li>Wddx:
<ul>
<li>Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet
Deserialization).</li>
<li>Fixed bug #70741 (Session WDDX Packet Deserialization Type
Confusion Vulnerability).</li>
</ul></li>
<li>XMLRPC:
<ul>
<li>Fixed bug #70728 (Type Confusion Vulnerability in
PHP_to_XMLRPC_worker()).</li>
</ul></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.php.net/ChangeLog-5.php#5.5.31</url>
<url>http://www.php.net/ChangeLog-5.php#5.6.17</url>
</references>
<dates>
<discovery>2016-01-07</discovery>
<entry>2016-01-11</entry>
</dates>
</vuln>
<vuln vid="5f276780-b6ce-11e5-9731-5453ed2e2b49">
<topic>pygments -- shell injection vulnerability</topic>
<affects>
<package>
<name>py27-pygments</name>
<name>py32-pygments</name>
<name>py33-pygments</name>
<name>py34-pygments</name>
<name>py35-pygments</name>
<range><lt>2.0.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8557">
<p>The FontManager._get_nix_font_path function in formatters/img.py
in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute
arbitrary commands via shell metacharacters in a font name.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8557</cvename>
<mlist>http://seclists.org/fulldisclosure/2015/Oct/4</mlist>
<url>https://bitbucket.org/birkenfeld/pygments-main/commits/0036ab1c99e256298094505e5e92fdacdfc5b0a8</url>
</references>
<dates>
<discovery>2015-09-28</discovery>
<entry>2016-01-09</entry>
</dates>
</vuln>
<vuln vid="631fc042-b636-11e5-83ef-14dae9d210b8">
<topic>polkit -- multiple vulnerabilities</topic>
<affects>
<package>
<name>polkit</name>
<range><lt>0.113</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Colin Walters reports:</p>
<blockquote cite="http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html">
<ul>
<li><p>Integer overflow in the
authentication_agent_new_cookie function in PolicyKit (aka polkit)
before 0.113 allows local users to gain privileges by creating a large
number of connections, which triggers the issuance of a duplicate cookie
value.</p></li>
<li><p>The authentication_agent_new function in
polkitbackend/polkitbackendinteractiveauthority.c in PolicyKit (aka
polkit) before 0.113 allows local users to cause a denial of service
(NULL pointer dereference and polkitd daemon crash) by calling
RegisterAuthenticationAgent with an invalid object path.</p></li>
<li><p>The polkit_backend_action_pool_init function in
polkitbackend/polkitbackendactionpool.c in PolicyKit (aka polkit) before
0.113 might allow local users to gain privileges via duplicate action
IDs in action descriptions.</p></li>
<li><p>PolicyKit (aka polkit) before 0.113 allows local
users to cause a denial of service (memory corruption and polkitd daemon
crash) and possibly gain privileges via unspecified vectors, related to
"javascript rule evaluation."</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html</url>
<cvename>CVE-2015-4625</cvename>
<cvename>CVE-2015-3218</cvename>
<cvename>CVE-2015-3255</cvename>
<cvename>CVE-2015-3256</cvename>
</references>
<dates>
<discovery>2015-06-03</discovery>
<entry>2016-01-08</entry>
</dates>
</vuln>
<vuln vid="b22b016b-b633-11e5-83ef-14dae9d210b8">
<topic>librsync -- collision vulnerability</topic>
<affects>
<package>
<name>librsync</name>
<range><lt>1.0.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michael Samuel reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2014/07/28/1">
<p>librsync before 1.0.0 uses a truncated MD4 checksum to
match blocks, which makes it easier for remote attackers to modify
transmitted data via a birthday attack.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2014/07/28/1</url>
<cvename>CVE-2014-8242</cvename>
</references>
<dates>
<discovery>2014-07-28</discovery>
<entry>2016-01-08</entry>
</dates>
</vuln>
<vuln vid="4eae4f46-b5ce-11e5-8a2b-d050996490d0">
<topic>ntp -- denial of service vulnerability</topic>
<affects>
<package>
<name>ntp</name>
<range><lt>4.2.8p5</lt></range>
</package>
<package>
<name>ntp-devel</name>
<range><lt>4.3.78</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>10.2</ge><lt>10.2_9</lt></range>
<range><ge>10.1</ge><lt>10.1_26</lt></range>
<range><ge>9.3</ge><lt>9.3_33</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Network Time Foundation reports:</p>
<blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p5_Securit">
<p>NTF's NTP Project has been notified of the following
1 medium-severity vulnerability that is fixed in
ntp-4.2.8p5, released on Thursday, 7 January 2016:</p>
<p>NtpBug2956: Small-step/Big-step CVE-2015-5300</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-16:02.ntp</freebsdsa>
<cvename>CVE-2015-5300</cvename>
<url>https://www.cs.bu.edu/~goldbe/NTPattack.html</url>
<url>http://support.ntp.org/bin/view/Main/NtpBug2956</url>
<url>http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p5_Securit</url>
</references>
<dates>
<discovery>2015-10-21</discovery>
<entry>2016-01-08</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="df587aa2-b5a5-11e5-9728-002590263bf5">
<topic>dhcpcd -- multiple vulnerabilities</topic>
<affects>
<package>
<name>dhcpcd</name>
<range><lt>6.10.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Nico Golde reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/01/07/3">
<p>Heap overflow via malformed DHCP responses later in print_option
(via dhcp_envoption1) due to incorrect option length values.
Exploitation is non-trivial, but I'd love to be proven wrong.</p>
<p>Invalid read/crash via malformed DHCP responses. Not exploitable
beyond DoS as far as I can judge.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-1503</cvename>
<cvename>CVE-2016-1504</cvename>
<freebsdpr>ports/206015</freebsdpr>
<url>http://roy.marples.name/projects/dhcpcd/info/76a1609352263bd9def1300d7ba990679571fa30</url>
<url>http://roy.marples.name/projects/dhcpcd/info/595883e2a431f65d8fabf33059aa4689cca17403</url>
<url>http://www.openwall.com/lists/oss-security/2016/01/07/3</url>
</references>
<dates>
<discovery>2016-01-04</discovery>
<entry>2016-01-08</entry>
</dates>
</vuln>
<vuln vid="4084168e-b531-11e5-a98c-0011d823eebd">
<topic>mbedTLS/PolarSSL -- SLOTH attack on TLS 1.2 server authentication</topic>
<affects>
<package>
<name>polarssl13</name>
<range><lt>1.3.16</lt></range>
</package>
<package>
<name>mbedtls</name>
<range><lt>2.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ARM Limited reports:</p>
<blockquote cite="https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released">
<p>MD5 handshake signatures in TLS 1.2 are vulnerable to the SLOTH attack
on TLS 1.2 server authentication. They have been disabled by default.
Other attacks from the SLOTH paper do not apply to any version of mbed
TLS or PolarSSL.</p>
</blockquote>
</body>
</description>
<references>
<url>https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released</url>
</references>
<dates>
<discovery>2016-01-04</discovery>
<entry>2016-01-07</entry>
</dates>
</vuln>
<vuln vid="6aa2d135-b40e-11e5-9728-002590263bf5">
<topic>xen-kernel -- ioreq handling possibly susceptible to multiple read issue</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.5.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-166.html">
<p>Single memory accesses in source code can be translated to multiple
ones in machine code by the compiler, requiring special caution when
accessing shared memory. Such precaution was missing from the
hypervisor code inspecting the state of I/O requests sent to the
device model for assistance.</p>
<p>Due to the offending field being a bitfield, it is however believed
that there is no issue in practice, since compilers, at least when
optimizing (which is always the case for non-debug builds), should find
it more expensive to extract the bit field value twice than to keep the
calculated value in a register.</p>
<p>This vulnerability is exposed to malicious device models. In
conventional Xen systems this means the qemu which services an HVM
domain. On such systems this vulnerability can only be exploited if
the attacker has gained control of the device model qemu via another
vulnerability.</p>
<p>Privilege escalation, host crash (Denial of Service), and leaked
information all cannot be excluded.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/205841</freebsdpr>
<url>http://xenbits.xen.org/xsa/advisory-166.html</url>
</references>
<dates>
<discovery>2015-12-17</discovery>
<entry>2016-01-06</entry>
</dates>
</vuln>
<vuln vid="e839ca04-b40d-11e5-9728-002590263bf5">
<topic>xen-kernel -- information leak in legacy x86 FPU/XMM initialization</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.5.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-165.html">
<p>When XSAVE/XRSTOR are not in use by Xen to manage guest extended
register state, the initial values in the FPU stack and XMM
registers seen by the guest upon first use are those left there by
the previous user of those registers.</p>
<p>A malicious domain may be able to leverage this to obtain sensitive
information such as cryptographic keys from another domain.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8555</cvename>
<freebsdpr>ports/205841</freebsdpr>
<url>http://xenbits.xen.org/xsa/advisory-165.html</url>
</references>
<dates>
<discovery>2015-12-17</discovery>
<entry>2016-01-06</entry>
</dates>
</vuln>
<vuln vid="5d1d4473-b40d-11e5-9728-002590263bf5">
<topic>xen-tools -- libxl leak of pv kernel and initrd on error</topic>
<affects>
<package>
<name>xen-tools</name>
<range><ge>4.1</ge><lt>4.5.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-160.html">
<p>When constructing a guest which is configured to use a PV
bootloader which runs as a userspace process in the toolstack domain
(e.g. pygrub) libxl creates a mapping of the files to be used as
kernel and initial ramdisk when building the guest domain.</p>
<p>However if building the domain subsequently fails these mappings
would not be released leading to a leak of virtual address space in
the calling process, as well as preventing the recovery of the
temporary disk files containing the kernel and initial ramdisk.</p>
<p>For toolstacks which manage multiple domains within the same
process, an attacker who is able to repeatedly start a suitable
domain (or many such domains) can cause an out-of-memory condition in the
toolstack process, leading to a denial of service.</p>
<p>Under the same circumstances an attacker can also cause files to
accumulate on the toolstack domain filesystem (usually under /var in
dom0) used to temporarily store the kernel and initial ramdisk,
perhaps leading to a denial of service against arbitrary other
services using that filesystem.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8341</cvename>
<freebsdpr>ports/205841</freebsdpr>
<url>http://xenbits.xen.org/xsa/advisory-160.html</url>
</references>
<dates>
<discovery>2015-12-08</discovery>
<entry>2016-01-06</entry>
</dates>
</vuln>
<vuln vid="bcad3faa-b40c-11e5-9728-002590263bf5">
<topic>xen-kernel -- XENMEM_exchange error handling issues</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.5.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-159.html">
<p>Error handling in the operation may involve handing back pages to
the domain. This operation may fail when in parallel the domain gets
torn down. So far this failure unconditionally resulted in the host
being brought down due to an internal error being assumed. This is
CVE-2015-8339.</p>
<p>Furthermore error handling so far wrongly included the release of a
lock. That lock, however, was either not acquired or already released
on all paths leading to the error handling sequence. This is
CVE-2015-8340.</p>
<p>A malicious guest administrator may be able to deny service by
crashing the host or causing a deadlock.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8339</cvename>
<cvename>CVE-2015-8340</cvename>
<freebsdpr>ports/205841</freebsdpr>
<url>http://xenbits.xen.org/xsa/advisory-159.html</url>
</references>
<dates>
<discovery>2015-12-08</discovery>
<entry>2016-01-06</entry>
</dates>
</vuln>
<vuln vid="b65e4914-b3bc-11e5-8255-5453ed2e2b49">
<topic>tiff -- out-of-bounds read in CIE Lab image format</topic>
<affects>
<package>
<name>tiff</name>
<range><lt>4.0.6_1</lt></range>
</package>
<package>
<name>linux-c6-tiff</name>
<range><lt>3.9.4_2</lt></range>
</package>
<package>
<name>linux-f10-tiff</name>
<range><ge>*</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>zzf of Alibaba discovered an out-of-bounds vulnerability in the code
processing the LogLUV and CIE Lab image format files. An attacker
could create a specially-crafted TIFF file that could cause libtiff
to crash.</p>
</body>
</description>
<references>
<cvename>CVE-2015-8683</cvename>
<mlist>http://www.openwall.com/lists/oss-security/2015/12/25/2</mlist>
</references>
<dates>
<discovery>2015-12-25</discovery>
<entry>2016-01-05</entry>
<modified>2016-09-06</modified>
</dates>
</vuln>
<vuln vid="bd349f7a-b3b9-11e5-8255-5453ed2e2b49">
<topic>tiff -- out-of-bounds read in tif_getimage.c</topic>
<affects>
<package>
<name>tiff</name>
<range><lt>4.0.6_1</lt></range>
</package>
<package>
<name>linux-c6-tiff</name>
<range><lt>3.9.4_2</lt></range>
</package>
<package>
<name>linux-f10-tiff</name>
<range><ge>*</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>LMX of Qihoo 360 Codesafe Team discovered an out-of-bounds read in
tif_getimage.c. An attacker could create a specially-crafted TIFF
file that could cause libtiff to crash.</p>
</body>
</description>
<references>
<cvename>CVE-2015-8665</cvename>
<mlist>http://www.openwall.com/lists/oss-security/2015/12/24/2</mlist>
</references>
<dates>
<discovery>2015-12-24</discovery>
<entry>2016-01-05</entry>
<modified>2016-09-06</modified>
</dates>
</vuln>
<vuln vid="86c3c66e-b2f5-11e5-863a-b499baebfeaf">
<topic>unzip -- multiple vulnerabilities</topic>
<affects>
<package>
<name>unzip</name>
<range><lt>6.0_7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Grieco reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/07/4">
<p>Two issues were found in unzip 6.0:</p>
<ul>
<li><p>A heap overflow triggered by unzipping a file with password
(e.g. unzip -p -P x sigsegv.zip).</p></li>
<li><p>A denial of service with a file that never finishes unzipping
(e.g. unzip sigxcpu.zip).</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2015/09/07/4</url>
<freebsdpr>ports/204413</freebsdpr>
<cvename>CVE-2015-7696</cvename>
<cvename>CVE-2015-7697</cvename>
</references>
<dates>
<discovery>2015-09-26</discovery>
<entry>2016-01-04</entry>
</dates>
</vuln>
<vuln vid="bb961ff3-b3a4-11e5-8255-5453ed2e2b49">
<topic>cacti -- SQL injection vulnerabilities</topic>
<affects>
<package>
<name>cacti</name>
<range><le>0.8.8f_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8369">
<p>SQL injection vulnerability in include/top_graph_header.php in
Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary
SQL commands via the rra_id parameter in a properties action to
graph.php.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8369</cvename>
<url>http://bugs.cacti.net/view.php?id=2646</url>
<url>http://svn.cacti.net/viewvc?view=rev&amp;revision=7767</url>
<mlist>http://seclists.org/fulldisclosure/2015/Dec/8</mlist>
</references>
<dates>
<discovery>2015-12-05</discovery>
<entry>2016-01-05</entry>
</dates>
</vuln>
<vuln vid="59e7eb28-b309-11e5-af83-80ee73b5dcf5">
<topic>kea -- unexpected termination while handling a malformed packet</topic>
<affects>
<package>
<name>kea</name>
<range><ge>0.9.2</ge><lt>1.0.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC Support reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01318/0/CVE-2015-8373-ISC-Kea%3A-unexpected-termination-while-handling-a-malformed-packet.html">
<p>ISC Kea may terminate unexpectedly (crash) while handling
a malformed client packet. Related defects in the kea-dhcp4
and kea-dhcp6 servers can cause the server to crash during
option processing if a client sends a malformed packet.
An attacker sending a crafted malformed packet can cause
an ISC Kea server providing DHCP services to IPv4 or IPv6
clients to exit unexpectedly.</p>
<ul>
<li><p>The kea-dhcp4 server is vulnerable only in versions
0.9.2 and 1.0.0-beta, and furthermore only when logging
at debug level 40 or higher. Servers running kea-dhcp4
versions 0.9.1 or lower, and servers which are not
logging or are logging at debug level 39 or below are
not vulnerable.</p></li>
<li><p>The kea-dhcp6 server is vulnerable only in versions
0.9.2 and 1.0.0-beta, and furthermore only when
logging at debug level 45 or higher. Servers running
kea-dhcp6 versions 0.9.1 or lower, and servers
which are not logging or are logging at debug level 44
or below are not vulnerable.</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8373</cvename>
<url>https://kb.isc.org/article/AA-01318/0/CVE-2015-8373-ISC-Kea%3A-unexpected-termination-while-handling-a-malformed-packet.html</url>
</references>
<dates>
<discovery>2015-12-15</discovery>
<entry>2016-01-04</entry>
<modified>2016-01-05</modified>
</dates>
</vuln>
<vuln vid="84dc49b0-b267-11e5-8a5b-00262d5ed8ee">
<topic>mini_httpd -- buffer overflow via snprintf</topic>
<affects>
<package>
<name>mini_httpd</name>
<range><lt>1.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ACME Updates reports:</p>
<blockquote cite="https://cxsecurity.com/acveshow/CVE-2015-1548">
<p>mini_httpd 1.21 and earlier allows remote attackers to obtain
sensitive information from process memory via an HTTP request with
a long protocol string, which triggers an incorrect response size
calculation and an out-of-bounds read.</p>
<p>(rene) ACME, the author, claims that the vulnerability is fixed
*after* version 1.22, released on 2015-12-28.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-1548</cvename>
<url>https://cxsecurity.com/cveshow/CVE-2015-1548</url>
<url>http://acme.com/updates/archive/192.html</url>
</references>
<dates>
<discovery>2015-02-10</discovery>
<entry>2016-01-03</entry>
</dates>
</vuln>
<vuln vid="1384f2fd-b1be-11e5-9728-002590263bf5">
<topic>qemu -- denial of service vulnerability in Rocker switch emulation</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.5.50</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.5.50.g20160213</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/28/6">
<p>Qemu emulator built with the Rocker switch emulation support is
vulnerable to an off-by-one error. It happens while processing
transmit (tx) descriptors in the 'tx_consume' routine, if a descriptor
was to have more than the allowed (ROCKER_TX_FRAGS_MAX=16) fragments.</p>
<p>A privileged user inside the guest could use this flaw to cause memory
leakage on the host or crash the Qemu process instance, resulting in a
DoS issue.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8701</cvename>
<freebsdpr>ports/205813</freebsdpr>
<freebsdpr>ports/205814</freebsdpr>
<url>http://www.openwall.com/lists/oss-security/2015/12/28/6</url>
<url>https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04629.html</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=007cd223de527b5f41278f2d886c1a4beb3e67aa</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/007cd223de527b5f41278f2d886c1a4beb3e67aa</url>
</references>
<dates>
<discovery>2015-12-28</discovery>
<entry>2016-01-03</entry>
<modified>2016-07-06</modified>
</dates>
</vuln>
<vuln vid="152acff3-b1bd-11e5-9728-002590263bf5">
<topic>qemu -- denial of service vulnerability in Q35 chipset emulation</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.5.50</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.5.50.g20151224</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/24/1">
<p>Qemu emulator built with the Q35 chipset based pc system emulator
is vulnerable to a heap based buffer overflow. It occurs during VM
guest migration, as more (16 bytes) data is moved into the allocated
(8 bytes) memory area.</p>
<p>A privileged guest user could use this issue to corrupt the VM
guest image, potentially leading to a DoS. This issue affects q35
machine types.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8666</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/12/24/1</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=d9a3b33d2c9f996537b7f1d0246dee2d0120cefb</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/d9a3b33d2c9f996537b7f1d0246dee2d0120cefb</url>
</references>
<dates>
<discovery>2015-11-19</discovery>
<entry>2016-01-03</entry>
<modified>2016-07-06</modified>
</dates>
</vuln>
<vuln vid="62ab8707-b1bc-11e5-9728-002590263bf5">
<topic>qemu -- denial of service vulnerability in Human Monitor Interface support</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.5.0</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.5.50.g20160213</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/22/8">
<p>Qemu emulator built with the Human Monitor Interface (HMP) support
is vulnerable to an OOB write issue. It occurs while processing the
'sendkey' command in the hmp_sendkey routine, if the command argument is
longer than the 'keyname_buf' buffer size.</p>
<p>A user/process could use this flaw to crash the Qemu process
instance, resulting in DoS.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8619</cvename>
<freebsdpr>ports/205813</freebsdpr>
<freebsdpr>ports/205814</freebsdpr>
<url>http://www.openwall.com/lists/oss-security/2015/12/22/8</url>
<url>https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02930.html</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=64ffbe04eaafebf4045a3ace52a360c14959d196</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/64ffbe04eaafebf4045a3ace52a360c14959d196</url>
</references>
<dates>
<discovery>2015-12-23</discovery>
<entry>2016-01-03</entry>
<modified>2016-07-06</modified>
</dates>
</vuln>
<vuln vid="b3f9f8ef-b1bb-11e5-9728-002590263bf5">
<topic>qemu -- denial of service vulnerability in MegaRAID SAS HBA emulation</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.5.0</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.5.50.g20160213</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/21/7">
<p>Qemu emulator built with the SCSI MegaRAID SAS HBA emulation
support is vulnerable to a stack buffer overflow issue. It occurs
while processing the SCSI controller's CTRL_GET_INFO command. A
privileged guest user could use this flaw to crash the Qemu process
instance resulting in DoS.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8613</cvename>
<freebsdpr>ports/205813</freebsdpr>
<freebsdpr>ports/205814</freebsdpr>
<url>http://www.openwall.com/lists/oss-security/2015/12/21/7</url>
<url>https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03737.html</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=36fef36b91f7ec0435215860f1458b5342ce2811</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/36fef36b91f7ec0435215860f1458b5342ce2811</url>
</references>
<dates>
<discovery>2015-12-21</discovery>
<entry>2016-01-03</entry>
<modified>2016-07-06</modified>
</dates>
</vuln>
<vuln vid="9ad8993e-b1ba-11e5-9728-002590263bf5">
<topic>qemu -- denial of service vulnerability in VMWARE VMXNET3 NIC support</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.5.0</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.5.50.g20160213</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/15/4">
<p>Qemu emulator built with a VMWARE VMXNET3 paravirtual NIC emulator
support is vulnerable to a memory leakage flaw. It occurs when a
guest repeatedly tries to activate the vmxnet3 device.</p>
<p>A privileged guest user could use this flaw to leak host memory,
resulting in DoS on the host.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8567</cvename>
<cvename>CVE-2015-8568</cvename>
<freebsdpr>ports/205813</freebsdpr>
<freebsdpr>ports/205814</freebsdpr>
<url>http://www.openwall.com/lists/oss-security/2015/12/15/4</url>
<url>https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=aa4a3dce1c88ed51b616806b8214b7c8428b7470</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/aa4a3dce1c88ed51b616806b8214b7c8428b7470</url>
</references>
<dates>
<discovery>2015-12-15</discovery>
<entry>2016-01-03</entry>
<modified>2016-07-06</modified>
</dates>
</vuln>
<vuln vid="60cb2055-b1b8-11e5-9728-002590263bf5">
<topic>qemu -- denial of service vulnerability in USB EHCI emulation support</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.5.0</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.5.50.g20151224</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/14/9">
<p>Qemu emulator built with the USB EHCI emulation support is
vulnerable to an infinite loop issue. It occurs during communication
between host controller interface(EHCI) and a respective device
driver. These two communicate via an isochronous transfer descriptor
list(iTD) and an infinite loop unfolds if there is a closed loop in
this list.</p>
<p>A privileged user inside guest could use this flaw to consume
excessive CPU cycles &amp; resources on the host.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8558</cvename>
<freebsdpr>ports/205814</freebsdpr>
<url>http://www.openwall.com/lists/oss-security/2015/12/14/9</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=156a2e4dbffa85997636a7a39ef12da6f1b40254</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/156a2e4dbffa85997636a7a39ef12da6f1b40254</url>
</references>
<dates>
<discovery>2015-12-14</discovery>
<entry>2016-01-03</entry>
</dates>
</vuln>
<vuln vid="3fb06284-b1b7-11e5-9728-002590263bf5">
<topic>qemu -- denial of service vulnerability in MSI-X support</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.5.0</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.5.50.g20151224</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/14/2">
<p>Qemu emulator built with the PCI MSI-X support is vulnerable to a
null pointer dereference issue. It occurs when the controller
attempts to write to the pending bit array(PBA) memory region,
because the MSI-X MMIO support did not define the .write method.</p>
<p>A privileged user inside guest could use this flaw to crash the
Qemu process resulting in DoS issue.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7549</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/12/14/2</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=43b11a91dd861a946b231b89b7542856ade23d1b</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/43b11a91dd861a946b231b89b7542856ade23d1b</url>
</references>
<dates>
<discovery>2015-06-26</discovery>
<entry>2016-01-03</entry>
</dates>
</vuln>
<vuln vid="67feba97-b1b5-11e5-9728-002590263bf5">
<topic>qemu -- denial of service vulnerability in VNC</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.5.0</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.5.50.g20151224</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/12/08/4">
<p>Qemu emulator built with the VNC display driver support is
vulnerable to an arithmetic exception flaw. It occurs on the VNC
server side while processing the 'SetPixelFormat' messages from a
client.</p>
<p>A privileged remote client could use this flaw to crash the guest
resulting in DoS.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8504</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/12/08/4</url>
<url>http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3</url>
</references>
<dates>
<discovery>2015-12-08</discovery>
<entry>2016-01-03</entry>
</dates>
</vuln>
<vuln vid="405446f4-b1b3-11e5-9728-002590263bf5">
<topic>qemu and xen-tools -- denial of service vulnerabilities in AMD PC-Net II NIC support</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.5.0</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.5.50.g20151224</lt></range>
</package>
<package>
<name>xen-tools</name>
<range><lt>4.5.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/11/30/2">
<p>Qemu emulator built with the AMD PC-Net II Ethernet Controller
support is vulnerable to a heap buffer overflow flaw. While
receiving packets in the loopback mode, it appends CRC code to the
receive buffer. If the data size given is the same as the receive buffer
size, the appended CRC code overwrites 4 bytes beyond this
's->buffer' array.</p>
<p>A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw
to crash the Qemu instance resulting in DoS or potentially execute
arbitrary code with privileges of the Qemu process on the host.</p>
</blockquote>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/11/30/3">
<p>The AMD PC-Net II emulator(hw/net/pcnet.c), while receiving packets
from a remote host(non-loopback mode), fails to validate the
received data size, thus resulting in a buffer overflow issue. It
could potentially lead to arbitrary code execution on the host, with
privileges of the Qemu process. It requires the guest NIC to have a
larger MTU limit.</p>
<p>A remote user could use this flaw to crash the guest instance
resulting in DoS or potentially execute arbitrary code on a remote
host with privileges of the Qemu process.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7504</cvename>
<cvename>CVE-2015-7512</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/11/30/2</url>
<url>http://www.openwall.com/lists/oss-security/2015/11/30/3</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=837f21aacf5a714c23ddaadbbc5212f9b661e3f7</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=8b98a2f07175d46c3f7217639bd5e03f2ec56343</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/837f21aacf5a714c23ddaadbbc5212f9b661e3f7</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/8b98a2f07175d46c3f7217639bd5e03f2ec56343</url>
<url>http://xenbits.xen.org/xsa/advisory-162.html</url>
</references>
<dates>
<discovery>2015-11-30</discovery>
<entry>2016-01-03</entry>
<modified>2016-01-06</modified>
</dates>
</vuln>
<vuln vid="b56fe6bb-b1b1-11e5-9728-002590263bf5">
<topic>qemu -- denial of service vulnerabilities in eepro100 NIC support</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.5.50</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.5.50.g20160213</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/11/25/3">
<p>Qemu emulator built with the i8255x (PRO100) emulation support is
vulnerable to an infinite loop issue. It could occur while
processing a chain of commands located in the Command Block List
(CBL). Each Command Block(CB) points to the next command in the
list. An infinite loop unfolds if the link to the next CB points
to the same block or there is a closed loop in the chain.</p>
<p>A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw
to crash the Qemu instance resulting in DoS.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-8345</cvename>
<freebsdpr>ports/205813</freebsdpr>
<freebsdpr>ports/205814</freebsdpr>
<url>http://www.openwall.com/lists/oss-security/2015/11/25/3</url>
<url>https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=00837731d254908a841d69298a4f9f077babaf24</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/00837731d254908a841d69298a4f9f077babaf24</url>
</references>
<dates>
<discovery>2015-10-16</discovery>
<entry>2016-01-03</entry>
<modified>2016-07-06</modified>
</dates>
</vuln>
<vuln vid="42cbd1e8-b152-11e5-9728-002590263bf5">
<topic>qemu -- denial of service vulnerability in virtio-net support</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.4.1</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.5.50.g20151224</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/18/5">
<p>Qemu emulator built with the Virtual Network Device(virtio-net)
support is vulnerable to a DoS issue. It could occur while receiving
large packets over the tuntap/macvtap interfaces and when guest's
virtio-net driver did not support big/mergeable receive buffers.</p>
<p>An attacker on the local network could use this flaw to disable
guest's networking by sending a large number of jumbo frames to the
guest, exhausting all receive buffers and thus leading to a DoS
situation.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7295</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/09/18/5</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=696317f1895e836d53b670c7b77b7be93302ba08</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/0cf33fb6b49a19de32859e2cdc6021334f448fb3</url>
</references>
<dates>
<discovery>2015-09-18</discovery>
<entry>2016-01-02</entry>
</dates>
</vuln>
<vuln vid="6aa3322f-b150-11e5-9728-002590263bf5">
<topic>qemu -- denial of service vulnerabilities in NE2000 NIC support</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.4.0.1</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.5.50.g20151224</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/15/2">
<p>Qemu emulator built with the NE2000 NIC emulation support is
vulnerable to an infinite loop issue. It could occur when receiving
packets over the network.</p>
<p>A privileged user inside guest could use this flaw to crash the
Qemu instance resulting in DoS.</p>
</blockquote>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/15/3">
<p>Qemu emulator built with the NE2000 NIC emulation support is
vulnerable to a heap buffer overflow issue. It could occur when
receiving packets over the network.</p>
<p>A privileged user inside guest could use this flaw to crash the
Qemu instance or potentially execute arbitrary code on the host.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5278</cvename>
<cvename>CVE-2015-5279</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/09/15/2</url>
<url>http://www.openwall.com/lists/oss-security/2015/09/15/3</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=5a1ccdfe44946e726b4c6fda8a4493b3931a68c1</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/737d2b3c41d59eb8f94ab7eb419b957938f24943</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/9bbdbc66e5765068dce76e9269dce4547afd8ad4</url>
</references>
<dates>
<discovery>2015-09-15</discovery>
<entry>2016-01-02</entry>
</dates>
</vuln>
<vuln vid="bbc97005-b14e-11e5-9728-002590263bf5">
<topic>qemu -- denial of service vulnerability in IDE disk/CD/DVD-ROM emulation</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.4.1</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.5.50.g20151224</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/10/1">
<p>Qemu emulator built with the IDE disk and CD/DVD-ROM emulation
support is vulnerable to a divide by zero issue. It could occur
while executing an IDE command WIN_READ_NATIVE_MAX to determine
the maximum size of a drive.</p>
<p>A privileged user inside guest could use this flaw to crash the
Qemu instance resulting in DoS.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-6855</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/09/10/1</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=63d761388d6fea994ca498c6e7a210851a99ad93</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/d9033e1d3aa666c5071580617a57bd853c5d794a</url>
</references>
<dates>
<discovery>2015-09-09</discovery>
<entry>2016-01-02</entry>
</dates>
</vuln>
<vuln vid="10bf8eed-b14d-11e5-9728-002590263bf5">
<topic>qemu -- denial of service vulnerability in e1000 NIC support</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.4.0.1</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.5.50.g20151224</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/04/4">
<p>Qemu emulator built with the e1000 NIC emulation support is
vulnerable to an infinite loop issue. It could occur while
processing transmit descriptor data when sending a network packet.</p>
<p>A privileged user inside guest could use this flaw to crash the
Qemu instance resulting in DoS.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-6815</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/09/04/4</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=3a56af1fbc17ff453f6e90fb08ce0c0e6fd0b61b</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/b947ac2bf26479e710489739c465c8af336599e7</url>
</references>
<dates>
<discovery>2015-09-04</discovery>
<entry>2016-01-02</entry>
</dates>
</vuln>
<vuln vid="8a560bcf-b14b-11e5-9728-002590263bf5">
<topic>qemu -- denial of service vulnerability in VNC</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.1.0</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.2.50.g20141230</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/09/02/7">
<p>Qemu emulator built with the VNC display driver is vulnerable to an
infinite loop issue. It could occur while processing a
CLIENT_CUT_TEXT message with specially crafted payload message.</p>
<p>A privileged guest user could use this flaw to crash the Qemu
process on the host, resulting in DoS.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5239</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/09/02/7</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=f9a70e79391f6d7c2a912d785239ee8effc1922d</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/f9a70e79391f6d7c2a912d785239ee8effc1922d</url>
</references>
<dates>
<discovery>2014-06-30</discovery>
<entry>2016-01-02</entry>
</dates>
</vuln>
<vuln vid="2b3b4c27-b0c7-11e5-8d13-bc5ff45d0f28">
<topic>qemu -- buffer overflow vulnerability in VNC</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.4.0.1</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.4.50.g20151011</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/08/21/6">
<p>Qemu emulator built with the VNC display driver support is
vulnerable to a buffer overflow flaw leading to a heap memory
corruption issue. It could occur while refreshing the server
display surface via routine vnc_refresh_server_surface().</p>
<p>A privileged guest user could use this flaw to corrupt the heap
memory and crash the Qemu process instance OR potentially use it
to execute arbitrary code on the host.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5225</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/08/21/6</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=efec4dcd2552e85ed57f276b58f09fc385727450</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/eb8934b0418b3b1d125edddc4fc334a54334a49b</url>
</references>
<dates>
<discovery>2015-08-17</discovery>
<entry>2016-01-01</entry>
</dates>
</vuln>
<vuln vid="21e5abe3-b0c6-11e5-8d13-bc5ff45d0f28">
<topic>qemu -- buffer overflow vulnerability in virtio-serial message exchanges</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.4.0</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.4.50.g20150814</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2015/08/06/3">
<p>Qemu emulator built with the virtio-serial vmchannel support is
vulnerable to a buffer overflow issue. It could occur while
exchanging virtio control messages between guest and the host.</p>
<p>A malicious guest could use this flaw to corrupt a few bytes of Qemu
memory area, potentially crashing the Qemu process.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5745</cvename>
<url>http://www.openwall.com/lists/oss-security/2015/08/06/5</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=7882080388be5088e72c425b02223c02e6cb4295</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/7882080388be5088e72c425b02223c02e6cb4295</url>
</references>
<dates>
<discovery>2015-08-06</discovery>
<entry>2016-01-01</entry>
</dates>
</vuln>
<vuln vid="a267cd6c-b0c4-11e5-8d13-bc5ff45d0f28">
<topic>qemu -- stack buffer overflow while parsing SCSI commands</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.4.0</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.4.50.g20150814</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prasad J Pandit, Red Hat Product Security Team, reports:</p>
<blockquote cite="http://openwall.com/lists/oss-security/2015/07/23/6">
<p>Qemu emulator built with the SCSI device emulation support is
vulnerable to a stack buffer overflow issue. It could occur while
parsing SCSI command descriptor block with an invalid operation
code.</p>
<p>A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw
to crash the Qemu instance resulting in DoS.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-5158</cvename>
<url>http://openwall.com/lists/oss-security/2015/07/23/6</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=c170aad8b057223b1139d72e5ce7acceafab4fa9</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/c170aad8b057223b1139d72e5ce7acceafab4fa9</url>
</references>
<dates>
<discovery>2015-07-23</discovery>
<entry>2016-01-01</entry>
</dates>
</vuln>
<vuln vid="aea8d90e-b0c1-11e5-8d13-bc5ff45d0f28">
<topic>qemu -- code execution on host machine</topic>
<affects>
<package>
<name>qemu</name>
<name>qemu-devel</name>
<range><lt>2.4.0</lt></range>
</package>
<package>
<name>qemu-sbruno</name>
<name>qemu-user-static</name>
<range><lt>2.4.50.g20150814</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Petr Matousek of Red Hat Inc. reports:</p>
<blockquote cite="http://openwall.com/lists/oss-security/2015/06/17/5">
<p>Due to converting PIO to the new memory read/write api we no longer
provide separate I/O region lengths for read and write operations.
As a result, reading from PIT Mode/Command register will end with
accessing pit->channels with invalid index and potentially cause
memory corruption and/or minor information leak.</p>
<p>A privileged guest user in a guest with QEMU PIT emulation enabled
could potentially (though unlikely) use this flaw to execute
arbitrary code on the host with the privileges of the hosting QEMU
process.</p>
<p>Please note that by default QEMU/KVM guests use in-kernel (KVM) PIT
emulation and are thus not vulnerable to this issue.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-3214</cvename>
<url>http://openwall.com/lists/oss-security/2015/06/17/5</url>
<url>http://git.qemu.org/?p=qemu.git;a=commit;h=d4862a87e31a51de9eb260f25c9e99a75efe3235</url>
<url>https://github.com/seanbruno/qemu-bsd-user/commit/d4862a87e31a51de9eb260f25c9e99a75efe3235</url>
</references>
<dates>
<discovery>2015-06-17</discovery>
<entry>2016-01-01</entry>
</dates>
</vuln>