<vuln vid="cebd05d6-ed7b-11e7-95f2-005056925db4">
<topic>OTRS -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>otrs</name>
<range><lt>5.0.26</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OTRS reports:</p>
<blockquote cite="https://www.otrs.com/security-advisory-2017-07-security-update-otrs-framework/">
<p>An attacker who is logged into OTRS as an agent can request special URLs
from OTRS which can lead to the execution of shell commands with the
permissions of the web server user.</p>
</blockquote>
<blockquote cite="https://www.otrs.com/security-advisory-2017-08-security-update-otrs-framework/">
<p>An attacker who is logged into OTRS as a customer can use the ticket search
form to disclose internal article information of their customer tickets.</p>
</blockquote>
<blockquote cite="https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/">
<p>An attacker who is logged into OTRS as an agent can manipulate form
parameters and execute arbitrary shell commands with the permissions of the
OTRS or web server user.</p>
</blockquote>
<blockquote cite="https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/">
<p>An attacker can send a specially prepared email to an OTRS system. If this
system has cookie support disabled, and a logged in agent clicks a link in this
email, the session information could be leaked to external systems, allowing the
attacker to take over the agent’s session.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-16664</cvename>
<cvename>CVE-2017-16854</cvename>
<cvename>CVE-2017-16921</cvename>
<freebsdpr>ports/224729</freebsdpr>
<url>https://www.otrs.com/security-advisory-2017-07-security-update-otrs-framework/</url>
<url>https://www.otrs.com/security-advisory-2017-08-security-update-otrs-framework/</url>
<url>https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/</url>
<url>https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/</url>
</references>
<dates>
<discovery>2017-11-21</discovery>
<entry>2017-12-30</entry>
</dates>
</vuln>
<vuln vid="6a131fbf-ec76-11e7-aa65-001b216d295b">
<topic>The Bouncy Castle Crypto APIs: CVE-2017-13098 ("ROBOT")</topic>
<affects>
<package>
<name>bouncycastle</name>
<range><lt>1.59</lt></range>
</package>
<package>
<name>bouncycastle15</name>
<range><lt>1.59</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Legion of the Bouncy Castle reports:</p>
<blockquote cite="https://www.bouncycastle.org/releasenotes.html">
<p>Release: 1.59</p>
<p>CVE-2017-13098 ("ROBOT"), a Bleichenbacher oracle in TLS
when RSA key exchange is negotiated. This potentially affected
BCJSSE servers and any other TLS servers configured to use JCE
for the underlying crypto - note the two TLS implementations
using the BC lightweight APIs are not affected by this.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-13098</cvename>
<url>https://www.bouncycastle.org/releasenotes.html</url>
</references>
<dates>
<discovery>2017-12-12</discovery>
<entry>2017-12-29</entry>
</dates>
</vuln>
<vuln vid="6a09c80e-6ec7-442a-bc65-d72ce69fd887">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>52.5.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/">
<p>CVE-2017-7845: Buffer overflow when drawing and validating elements with ANGLE library using Direct 3D 9</p>
<p>CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin</p>
<p>CVE-2017-7847: Local path string can be leaked from RSS feed</p>
<p>CVE-2017-7848: RSS Feed vulnerable to new line Injection</p>
<p>CVE-2017-7829: Mailsploit part 1: From address with encoded null character is cut off in message header display</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-7829</cvename>
<cvename>CVE-2017-7845</cvename>
<cvename>CVE-2017-7846</cvename>
<cvename>CVE-2017-7847</cvename>
<cvename>CVE-2017-7848</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2017-30/</url>
</references>
<dates>
<discovery>2017-12-22</discovery>
<entry>2017-12-25</entry>
</dates>
</vuln>
<vuln vid="63eb2b11-e802-11e7-a58c-6805ca0b3d42">
<topic>phpMyAdmin -- XSRF/CSRF vulnerability</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><ge>4.7.0</ge><lt>4.7.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-9/">
<h3>Description</h3>
<p>By deceiving a user to click on a crafted URL, it is
possible to perform harmful database operations such as
deleting records, dropping/truncating tables etc.</p>
<h3>Severity</h3>
<p>We consider this vulnerability to be critical.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2017-9/</url>
</references>
<dates>
<discovery>2017-12-23</discovery>
<entry>2017-12-23</entry>
</dates>
</vuln>
<vuln vid="2a3bc6ac-e7c6-11e7-a90b-001999f8d30b">
<topic>asterisk -- Crash in PJSIP resource when missing a contact header</topic>
<affects>
<package>
<name>asterisk13</name>
<range><lt>13.18.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/downloads/security-advisories">
<p>A select set of SIP messages create a dialog in Asterisk.
Those SIP messages must contain a contact header. For
those messages, if the header was not present and using
the PJSIP channel driver, it would cause Asterisk to
crash. The severity of this vulnerability is somewhat
mitigated if authentication is enabled. If authentication
is enabled a user would have to first be authorized before
reaching the crash point.</p>
</blockquote>
</body>
</description>
<references>
<url>https://downloads.asterisk.org/pub/security/AST-2017-014.html</url>
<cvename>CVE-2017-17850</cvename>
</references>
<dates>
<discovery>2017-12-12</discovery>
<entry>2017-12-23</entry>
</dates>
</vuln>
<vuln vid="b7d89082-e7c0-11e7-ac58-b499baebfeaf">
<topic>MariaDB -- unspecified vulnerability</topic>
<affects>
<package>
<name>mariadb101-client</name>
<range><lt>10.1.30</lt></range>
</package>
<package>
<name>mariadb102-client</name>
<range><lt>10.2.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MariaDB project reports:</p>
<blockquote cite="https://mariadb.com/kb/en/library/mariadb-10130-release-notes/">
<p>Fixes for the following security vulnerabilities:
CVE-2017-15365</p>
</blockquote>
</body>
</description>
<references>
<url>https://mariadb.com/kb/en/library/mariadb-10130-release-notes/</url>
<cvename>CVE-2017-15365</cvename>
</references>
<dates>
<discovery>2017-12-23</discovery>
<entry>2017-12-23</entry>
</dates>
</vuln>
<vuln vid="72fff788-e561-11e7-8097-0800271d4b9c">
<topic>rsync -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rsync</name>
<range><ge>3.1.2</ge><le>3.1.2_7</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jeriko One reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16548">
<p>The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon.</p>
</blockquote>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17433">
<p>The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions.</p>
</blockquote>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17434">
<p>The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in "xname follows" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.debian.org/security/2017/dsa-4068</url>
<cvename>CVE-2017-16548</cvename>
<cvename>CVE-2017-17433</cvename>
<cvename>CVE-2017-17434</cvename>
<freebsdpr>ports/224477</freebsdpr>
</references>
<dates>
<discovery>2017-12-17</discovery>
<entry>2017-12-20</entry>
<modified>2017-12-31</modified>
</dates>
</vuln>
<vuln vid="dd644964-e10e-11e7-8097-0800271d4b9c">
<topic>ruby -- Command injection vulnerability in Net::FTP</topic>
<affects>
<package>
<name>ruby</name>
<range><ge>2.2.0,1</ge><lt>2.2.9,1</lt></range>
<range><ge>2.3.0,1</ge><lt>2.3.6,1</lt></range>
<range><ge>2.4.0,1</ge><lt>2.4.3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Etienne Stalmans from the Heroku product security team reports:</p>
<blockquote cite="https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/">
<p>There is a command injection vulnerability in Net::FTP bundled with Ruby.</p>
<p><code>Net::FTP#get</code>, <code>getbinaryfile</code>, <code>gettextfile</code>, <code>put</code>, <code>putbinaryfile</code>, and <code>puttextfile</code> use <code>Kernel#open</code> to open a local file. If the <code>localfile</code> argument starts with the pipe character <code>"|"</code>, the command following the pipe character is executed. The default value of <code>localfile</code> is <code>File.basename(remotefile)</code>, so malicious FTP servers could cause arbitrary command execution.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/</url>
<cvename>CVE-2017-17405</cvename>
</references>
<dates>
<discovery>2017-12-14</discovery>
<entry>2017-12-14</entry>
</dates>
</vuln>
<vuln vid="8cf25a29-e063-11e7-9b2c-001e672571bc">
<topic>rubygem-passenger -- arbitrary file read vulnerability</topic>
<affects>
<package>
<name>rubygem-passenger</name>
<range><ge>5.0.10</ge><lt>5.1.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Phusion reports:</p>
<blockquote cite="https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/">
<p>The cPanel Security Team discovered a vulnerability in Passenger
that allows users to list the contents of arbitrary files on the
system. CVE-2017-16355 has been assigned to this issue.</p>
</blockquote>
</body>
</description>
<references>
<url>https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/</url>
<cvename>CVE-2017-16355</cvename>
</references>
<dates>
<discovery>2017-10-13</discovery>
<entry>2017-12-18</entry>
</dates>
</vuln>
<vuln vid="08a125f3-e35a-11e7-a293-54e1ad3d6335">
<topic>libXfont -- permission bypass when opening files through symlinks</topic>
<affects>
<package>
<name>libXfont</name>
<range><lt>1.5.4</lt></range>
</package>
<package>
<name>libXfont2</name>
<range><lt>2.0.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The freedesktop.org project reports:</p>
<blockquote cite="https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=7b377456f95d2ec3ead40f4fb74ea620191f88c8">
<p>A non-privileged X client can instruct X server running under root
to open any file by creating own directory with "fonts.dir",
"fonts.alias" or any font file being a symbolic link to any other
file in the system. X server will then open it. This can be issue
with special files such as /dev/watchdog.</p>
</blockquote>
</body>
</description>
<references>
<url>https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=7b377456f95d2ec3ead40f4fb74ea620191f88c8</url>
<cvename>CVE-2017-16611</cvename>
</references>
<dates>
<discovery>2017-11-25</discovery>
<entry>2017-12-17</entry>
</dates>
</vuln>
<vuln vid="3b9590a1-e358-11e7-a293-54e1ad3d6335">
<topic>libXfont -- multiple memory leaks</topic>
<affects>
<package>
<name>libXfont</name>
<range><lt>1.5.3</lt></range>
</package>
<package>
<name>libXfont2</name>
<range><lt>2.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The freedesktop.org project reports:</p>
<blockquote cite="https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608">
<p>If a pattern contains '?' character, any character in the string
is skipped, even if it is '\0'. The rest of the matching then reads
invalid memory.</p>
</blockquote>
<blockquote cite="https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=672bb944311392e2415b39c0d63b1e1902906bcd">
<p>Without the checks a malformed PCF file can cause the library to
make atom from random heap memory that was behind the `strings`
buffer. This may crash the process or leak information.</p>
</blockquote>
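<p>The '?' bug described in the first commit above is the classic glob-matcher mistake: the wildcard consumes a character without first checking for the terminator. The following is an added example written for this entry, not libXfont's own matcher: a minimal glob supporting '?' and '*' in the buggy shape and in the fixed shape, plus a driver that runs each on a copy of the input inside a zero-filled buffer so the buggy version's over-read stays inside the array and can be observed (on a real heap that read is undefined behaviour). The second commit (the PCF strings bound) is not modelled here.</p>
<pre><![CDATA[
```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example modelled on the libXfont commit message; not libXfont code.
 * Pattern syntax: '?' matches any one character, '*' matches any run. */

/* Buggy: '?' advances past whatever byte is there, including '\0'. With
 * pattern "a?" and string "a" the match continues after the terminator and
 * the final "*str == '\0'" test reads the byte following the string. */
static bool match_vuln(const char *pat, const char *str)
{
    for (; *pat != '\0'; pat++) {
        switch (*pat) {
        case '?':
            str++;                              /* skips even '\0' */
            break;
        case '*':
            for (; *str != '\0'; str++)
                if (match_vuln(pat + 1, str))
                    return true;
            return match_vuln(pat + 1, str);
        default:
            if (*str != *pat)
                return false;
            str++;
        }
    }
    return *str == '\0';
}

/* Fixed: a '?' can only consume a real character, never the terminator. */
static bool match_fixed(const char *pat, const char *str)
{
    for (; *pat != '\0'; pat++) {
        switch (*pat) {
        case '?':
            if (*str == '\0')                   /* the missing check */
                return false;
            str++;
            break;
        case '*':
            for (; *str != '\0'; str++)
                if (match_fixed(pat + 1, str))
                    return true;
            return match_fixed(pat + 1, str);
        default:
            if (*str != *pat)
                return false;
            str++;
        }
    }
    return *str == '\0';
}

/* Driver: copies 'str' into a zero-filled 64-byte array so the buggy
 * matcher's step past the NUL lands on a defined zero byte (which is why
 * it then wrongly reports a match) instead of on unrelated heap memory. */
static bool match_on_padded(bool fixed, const char *pat, const char *str)
{
    char buf[64] = {0};
    strncpy(buf, str, sizeof buf - 1);
    return fixed ? match_fixed(pat, buf) : match_vuln(pat, buf);
}

int main(void)
{
    printf("vuln  \"a?\" ~ \"a\": %d\n", match_on_padded(false, "a?", "a"));
    printf("fixed \"a?\" ~ \"a\": %d\n", match_on_padded(true, "a?", "a"));
    printf("fixed \"*.pcf\" ~ \"fixed.pcf\": %d\n",
           match_on_padded(true, "*.pcf", "fixed.pcf"));
    return 0;
}
```
]]></pre>
<p>Built with any C99 compiler, the buggy matcher reports that the pattern a? matches the one-character string a, because it stepped over the NUL and compared the following (zero) byte; the fixed matcher rejects it and still handles ordinary patterns such as *.pcf. The same end-of-string test belongs in every wildcard case of a hand-written matcher that walks attacker-supplied names.</p>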
</body>
</description>
<references>
<url>https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608</url>
<url>https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=672bb944311392e2415b39c0d63b1e1902905bcd</url>
<cvename>CVE-2017-13720</cvename>
<cvename>CVE-2017-13722</cvename>
</references>
<dates>
<discovery>2017-10-04</discovery>
<entry>2017-12-17</entry>
</dates>
</vuln>
<vuln vid="ddecde18-e33b-11e7-a293-54e1ad3d6335">
<topic>libXcursor -- integer overflow that can lead to heap buffer overflow</topic>
<affects>
<package>
<name>libXcursor</name>
<range><lt>1.1.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The freedesktop.org project reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2017/q4/339">
<p>It is possible to trigger heap overflows due to an integer
overflow while parsing images and a signedness issue while
parsing comments.</p>
<p>The integer overflow occurs because the chosen limit 0x10000
for dimensions is too large for 32 bit systems, because each pixel
takes 4 bytes. Properly chosen values allow an overflow which in
turn will lead to less allocated memory than needed for subsequent
reads.</p>
<p>The signedness bug is triggered by reading the length of a comment
as unsigned int, but casting it to int when calling the function
XcursorCommentCreate. Turning length into a negative value allows
the check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
addition of sizeof (XcursorComment) + 1 makes it possible to
allocate less memory than needed for subsequent reads.</p>
</blockquote>
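<p>Both defects in the advisory are arithmetic on attacker-controlled sizes. The block below is an added example for this entry, not libXcursor's code: the limit macros, the header struct and the function names are stand-ins chosen here (only the 0x10000 dimension limit and the 4 bytes per pixel come from the advisory; the XCURSOR_COMMENT_MAX_LEN value is an assumption). It reproduces the 32-bit multiplication wrap with uint32_t so the result is the same on a 64-bit host, and shows the signed/unsigned comparison that lets 0xFFFFFFFF pass the comment-length check and then wrap the allocation size.</p>
<pre><![CDATA[
```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example modelled on the advisory text; not libXcursor code.
 * DIM_LIMIT is the 0x10000 figure from the advisory; COMMENT_MAX_LEN and
 * struct comment_hdr are assumed stand-ins for XCURSOR_COMMENT_MAX_LEN and
 * XcursorComment. */

#define DIM_LIMIT        0x10000u
#define COMMENT_MAX_LEN  0x100000      /* int constant: value is an assumption */

struct comment_hdr { uint32_t type; uint32_t length; };

/* Pixel buffer size as a 32-bit build computes it. width and height each
 * pass the 0x10000 limit, yet 0x10000 * 0x10000 * 4 is 2^34, which wraps to
 * 0 in 32-bit arithmetic: a tiny allocation followed by reads of the full
 * image. */
static uint32_t pixel_bytes_unchecked32(uint32_t width, uint32_t height)
{
    return width * height * 4u;
}

/* Fixed shape: multiply in the width the allocator will use and refuse on
 * wrap. uint32_t is used deliberately so the 32-bit behaviour is
 * reproduced on any host. */
static bool pixel_bytes_checked32(uint32_t width, uint32_t height, uint32_t *out)
{
    uint32_t bytes;
    if (width > DIM_LIMIT || height > DIM_LIMIT)
        return false;
    if (__builtin_mul_overflow(width, height, &bytes) ||
        __builtin_mul_overflow(bytes, 4u, &bytes))
        return false;
    *out = bytes;
    return true;
}

/* Vulnerable comment-length check: the on-disk value is unsigned, but it
 * is compared after a cast to int, so 0xFFFFFFFF becomes -1 and passes. */
static bool comment_len_ok_vuln(uint32_t length)
{
    int len = (int)length;                      /* -1 for 0xFFFFFFFF */
    return len <= COMMENT_MAX_LEN;
}

/* Fixed: compare in the unsigned domain the value was read in. */
static bool comment_len_ok_fixed(uint32_t length)
{
    return length <= (uint32_t)COMMENT_MAX_LEN;
}

/* Allocation size the vulnerable path then requests, as a 32-bit size_t
 * sees it: sizeof(hdr) + 0xFFFFFFFF + 1 wraps back to sizeof(hdr), so the
 * comment bytes that follow are read into a buffer with no room for them. */
static uint32_t comment_alloc_size32(uint32_t length)
{
    return (uint32_t)sizeof(struct comment_hdr) + length + 1u;
}

int main(void)
{
    uint32_t n = 0;
    printf("0x10000 x 0x10000 px on 32-bit: unchecked=%u checked_ok=%d\n",
           pixel_bytes_unchecked32(DIM_LIMIT, DIM_LIMIT),
           pixel_bytes_checked32(DIM_LIMIT, DIM_LIMIT, &n));
    printf("comment len 0xFFFFFFFF: vuln_ok=%d fixed_ok=%d alloc=%u bytes\n",
           comment_len_ok_vuln(0xFFFFFFFFu), comment_len_ok_fixed(0xFFFFFFFFu),
           comment_alloc_size32(0xFFFFFFFFu));
    return 0;
}
```
]]></pre>
<p>The checked variants refuse the input instead of allocating: the product is formed in the type the allocation will use and tested for wrap with __builtin_mul_overflow (GCC and Clang), and the length is compared as the unsigned value it actually is. The same two checks apply to any parser that turns header fields into allocation sizes.</p>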
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2017/q4/339</url>
<url>https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8</url>
<cvename>CVE-2017-16612</cvename>
</references>
<dates>
<discovery>2017-11-28</discovery>
<entry>2017-12-17</entry>
</dates>
</vuln>
<vuln vid="48cca164-e269-11e7-be51-6599c735afc8">
<topic>global -- gozilla vulnerability</topic>
<affects>
<package>
<name>global</name>
<range><ge>4.8.6</ge><lt>6.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17531">
<p>gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before launching
the program specified by the BROWSER environment variable, which might
allow remote attackers to conduct argument-injection attacks via a crafted
URL.</p>
</blockquote>
</body>
</description>
<references>
<url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17531</url>
<url>http://lists.gnu.org/archive/html/info-global/2017-12/msg00001.html</url>
<cvename>CVE-2017-17531</cvename>
</references>
<dates>
<discovery>2017-12-11</discovery>
<entry>2017-12-16</entry>
</dates>
</vuln>
<vuln vid="7136e6b7-e1b3-11e7-a4d3-000c292ee6b8">
<topic>jenkins -- Two startup race conditions</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>2.95</lt></range>
</package>
<package>
<name>jenkins-lts</name>
<range><lt>2.89.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Jenkins project reports:</p>
<blockquote cite="https://jenkins.io/security/advisory/2017-12-14/">
<p>A race condition during Jenkins startup could result in the wrong
order of execution of commands during initialization.</p>
<p>On Jenkins 2.81 and newer, including LTS 2.89.1, this could in
rare cases (we estimate less than 20% of new instances) result in
failure to initialize the setup wizard on the first startup.</p>
<p>There is a very short window of time after startup during which
Jenkins may no longer show the "Please wait while Jenkins is
getting ready to work" message, but Cross-Site Request Forgery
(CSRF) protection may not yet be effective.</p>
</blockquote>
</body>
</description>
<references>
<url>https://jenkins.io/security/advisory/2017-12-14/</url>
</references>
<dates>
<discovery>2017-12-14</discovery>
<entry>2017-12-15</entry>
</dates>
</vuln>
<vuln vid="bea84a7a-e0c9-11e7-b4f3-11baa0c2df21">
<topic>node.js -- Data Confidentiality/Integrity Vulnerability, December 2017</topic>
<affects>
<package>
<name>node4</name>
<range><lt>4.8.7</lt></range>
</package>
<package>
<name>node6</name>
<range><lt>6.12.2</lt></range>
</package>
<package>
<name>node8</name>
<range><lt>8.9.3</lt></range>
</package>
<package>
<name>node</name>
<range><lt>9.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Node.js reports:</p>
<blockquote cite="https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/">
<h1>Data Confidentiality/Integrity Vulnerability - CVE-2017-15896</h1>
<p>Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.</p>
<h1>Uninitialized buffer vulnerability - CVE-2017-15897</h1>
<p>Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.</p>
<h1>Also included in OpenSSL update - CVE-2017-3738</h1>
<p>Note that CVE-2017-3738 of OpenSSL-1.0.2 affected Node but it was low severity.</p>
</blockquote>
</body>
</description>
<references>
<url>https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/</url>
<cvename>CVE-2017-15896</cvename>
<cvename>CVE-2017-15897</cvename>
<cvename>CVE-2017-3738</cvename>
</references>
<dates>
<discovery>2017-12-08</discovery>
<entry>2017-12-14</entry>
</dates>
</vuln>
<vuln vid="e72a8864-e0bc-11e7-b627-d43d7e971a1b">
<topic>GitLab -- multiple vulnerabilities</topic>
<affects>
<package>
<name>gitlab</name>
<range><ge>4.2.0</ge><le>10.0.6</le></range>
<range><ge>10.1.0</ge><le>10.1.4</le></range>
<range><ge>10.2.0</ge><le>10.2.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GitLab reports:</p>
<blockquote cite="https://about.gitlab.com/2017/12/08/gitlab-10-dot-2-dot-4-security-release/">
<h1>User without access to private Wiki can see it on the project page</h1>
<p>Matthias Burtscher reported that it was possible for a user to see a
private Wiki on the project page without having the corresponding
permission.</p>
<h1>E-mail address disclosure through member search fields</h1>
<p>Hugo Geoffroy reported via HackerOne that it was possible to find out the
full e-mail address of any user by brute-forcing the member search
field.</p>
<h1>Groups API leaks private projects</h1>
<p>An internal code review discovered that users were able to list private
projects they had no access to by using the Groups API.</p>
<h1>Cross-Site Scripting (XSS) possible by editing a comment</h1>
<p>Sylvain Heiniger reported via HackerOne that it was possible for
arbitrary JavaScript code to be executed when editing a comment.</p>
<h1>Issue API allows any user to create a new issue even when issues are
restricted or disabled</h1>
<p>Mohammad Hasbini reported that any user could create a new issue in a
project even when issues were disabled or restricted to team members in the
project settings.</p>
</blockquote>
</body>
</description>
<references>
<url>https://about.gitlab.com/2017/12/08/gitlab-10-dot-2-dot-4-security-release/</url>
</references>
<dates>
<discovery>2017-12-08</discovery>
<entry>2017-12-14</entry>
</dates>
</vuln>
<vuln vid="36ef8753-d86f-11e7-ad28-0025908740c2">
<topic>tor -- Use-after-free in onion service v2</topic>
<affects>
<package>
<name>tor</name>
<range><lt>0.3.1.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Tor Project reports:</p>
<blockquote cite="https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516">
<ul>
<li>TROVE-2017-009: Replay-cache ineffective for v2 onion services</li>
<li>TROVE-2017-010: Remote DoS attack against directory authorities</li>
<li>TROVE-2017-011: An attacker can make Tor ask for a password</li>
<li>TROVE-2017-012: Relays can pick themselves in a circuit path</li>
<li>TROVE-2017-013: Use-after-free in onion service v2</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516</url>
<cvename>CVE-2017-8819</cvename>
</references>
<dates>
<discovery>2017-12-01</discovery>
<entry>2017-12-14</entry>
</dates>
</vuln>
<vuln vid="4a67450a-e044-11e7-accc-001999f8d30b">
<topic>asterisk -- Remote Crash Vulnerability in RTCP Stack</topic>
<affects>
<package>
<name>asterisk13</name>
<range><lt>13.18.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/downloads/security-advisories">
<p>If a compound RTCP packet is received containing more
than one report (for example a Receiver Report and a
Sender Report) the RTCP stack will incorrectly store
report information outside of allocated memory potentially
causing a crash.</p>
</blockquote>
</body>
</description>
<references>
<url>https://downloads.asterisk.org/pub/security/AST-2017-012.html</url>
</references>
<dates>
<discovery>2017-12-12</discovery>
<entry>2017-12-13</entry>
</dates>
</vuln>
<vuln vid="76e59f55-4f7a-4887-bcb0-11604004163a">
<topic>libxml2 -- Multiple Issues</topic>
<affects>
<package>
<name>libxml2</name>
<range><le>2.9.4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>libxml2 developers report:</p>
<p>The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.</p>
<p>A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.</p>
<p>libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.</p>
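<p>The two xmlSnprintfElementContent defects above share one cause: the buffer is measured once and then appended to more than once. The block below is an added example for this entry, not libxml2's code; it replaces the element-content struct with plain prefix and name strings, keeps the "+ 10" margin as described, and treats the exact constant as an assumption. The driver passes a backing array larger than the declared size so the buggy variant's overrun is measurable rather than undefined.</p>
<pre><![CDATA[
```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example modelled on the two CVE descriptions; not libxml2 code. The
 * "+ 10" slack is assumed to match the original margin. Callers pass a
 * backing array SLACK bytes larger than 'size' so an overrun lands inside
 * the array. */

#define SLACK 64

/* Buggy shape: 'len' is taken once. After prefix and ':' are appended the
 * buffer is longer, but the name check still uses the stale 'len', so the
 * name can be written up to about 'size' bytes past the declared end.
 * Returns the resulting strlen(buf). */
static size_t append_element_vuln(char *buf, size_t size,
                                  const char *prefix, const char *name)
{
    size_t len = strlen(buf);
    if (prefix != NULL) {
        if (size - len < strlen(prefix) + 10) {
            strcat(buf, " ...");
            return strlen(buf);
        }
        strcat(buf, prefix);
        strcat(buf, ":");                       /* buf grew; len did not */
    }
    if (size - len < strlen(name) + 10) {       /* stale len */
        strcat(buf, " ...");
        return strlen(buf);
    }
    strcat(buf, name);
    return strlen(buf);
}

/* Fixed shape: re-measure the buffer before every bounded append. */
static size_t append_element_fixed(char *buf, size_t size,
                                   const char *prefix, const char *name)
{
    size_t len = strlen(buf);
    if (prefix != NULL) {
        if (size - len < strlen(prefix) + 10) {
            strcat(buf, " ...");
            return strlen(buf);
        }
        strcat(buf, prefix);
        strcat(buf, ":");
        len = strlen(buf);                      /* the missing update */
    }
    if (size - len < strlen(name) + 10) {
        strcat(buf, " ...");
        return strlen(buf);
    }
    strcat(buf, name);
    return strlen(buf);
}

/* The second bug: a trailing marker appended with no room check. This
 * version refuses unless the character and its NUL both fit in 'size'. */
static bool append_suffix_checked(char *buf, size_t size, char c)
{
    size_t len = strlen(buf);
    if (len + 2 > size)
        return false;
    buf[len] = c;
    buf[len + 1] = '\0';
    return true;
}

/* Driver with constructed input: declared size 32, an 18-byte prefix and a
 * 21-byte name. Returns the final strlen; anything above 31 ran past 'size'. */
static size_t element_demo(bool fixed)
{
    enum { DECLARED = 32 };
    char backing[DECLARED + SLACK] = {0};
    char prefix[19], name[22];
    memset(prefix, 'a', 18); prefix[18] = '\0';
    memset(name, 'b', 21);   name[21] = '\0';
    return fixed ? append_element_fixed(backing, DECLARED, prefix, name)
                 : append_element_vuln(backing, DECLARED, prefix, name);
}

/* Driver for the suffix check: 'initial' is placed in a large backing array
 * but the append is told the buffer is only 'declared' bytes. */
static bool suffix_demo(const char *initial, size_t declared)
{
    char backing[SLACK] = {0};
    strncpy(backing, initial, SLACK - 1);
    return append_suffix_checked(backing, declared, '*');
}

int main(void)
{
    printf("vuln  strlen after append: %zu (declared size 32)\n", element_demo(false));
    printf("fixed strlen after append: %zu\n", element_demo(true));
    printf("suffix into \"abc\"/4: %d, into \"ab\"/4: %d\n",
           suffix_demo("abc", 4), suffix_demo("ab", 4));
    return 0;
}
```
]]></pre>
<p>With a 32-byte declared size, an 18-byte prefix and a 21-byte name, the buggy append ends with 40 bytes in a buffer declared as 32, because the stale len still says the buffer is empty; the fixed variant re-measures after the prefix and emits the " ..." truncation marker instead. append_suffix_checked is the bound the second description says was missing before the final strcat.</p>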
<p>libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.</p>
<p>libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.</p>
</body>
</description>
<references>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=775200</url>
<url>http://www.openwall.com/lists/oss-security/2017/05/15/1</url>
<url>http://www.securityfocus.com/bid/98599</url>
<url>http://www.securityfocus.com/bid/98556</url>
<url>http://www.securityfocus.com/bid/98601</url>
<url>http://www.securityfocus.com/bid/98568</url>
<cvename>CVE-2017-8872</cvename>
<cvename>CVE-2017-9047</cvename>
<cvename>CVE-2017-9048</cvename>
<cvename>CVE-2017-9049</cvename>
<cvename>CVE-2017-9050</cvename>
</references>
<dates>
<discovery>2017-05-10</discovery>
<entry>2017-12-13</entry>
</dates>
</vuln>
<vuln vid="9f7a0f39-ddc0-11e7-b5af-a4badb2f4699">
<topic>FreeBSD -- OpenSSL multiple vulnerabilities</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>11.1</ge><lt>11.1_6</lt></range>
<range><ge>10.4</ge><lt>10.4_5</lt></range>
<range><ge>10.3</ge><lt>10.3_26</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Invoking SSL_read()/SSL_write() while in an error state
causes data to be passed without being decrypted/encrypted
directly from the SSL/TLS record layer.</p>
<p>In order to exploit this issue an application bug would
have to be present that resulted in a call to
SSL_read()/SSL_write() being issued after having already
received a fatal error. [CVE-2017-3737]</p>
<p>There is an overflow bug in the x86_64 Montgomery
multiplication procedure used in exponentiation with 1024-bit
moduli. This only affects processors that support the AVX2
but not ADX extensions like Intel Haswell (4th generation).
[CVE-2017-3738] This bug only affects FreeBSD 11.x.</p>
<h1>Impact:</h1>
<p>Applications with incorrect error handling may inappropriately
pass unencrypted data. [CVE-2017-3737]</p>
<p>Mishandling of carry propagation will produce incorrect
output, and make it easier for a remote attacker to obtain
sensitive private-key information. No EC algorithms are
affected and analysis suggests that attacks against RSA and
DSA as a result of this defect would be very difficult to
perform and are not believed likely.</p>
<p>Attacks against DH1024 are considered just feasible
(although very difficult) because most of the work necessary
to deduce information about a private key may be performed
offline. The amount of resources required for such an attack
would be very significant and likely only accessible to a
limited number of attackers. However, for an attack on TLS
to be meaningful, the server would have to share the DH1024
private key among multiple clients, which is no longer an
option since CVE-2016-0701. [CVE-2017-3738]</p>
</body>
</description>
<references>
<cvename>CVE-2016-0701</cvename>
<cvename>CVE-2017-3737</cvename>
<cvename>CVE-2017-3738</cvename>
<freebsdsa>SA-17:12.openssl</freebsdsa>
</references>
<dates>
<discovery>2017-12-09</discovery>
<entry>2017-12-10</entry>
</dates>
</vuln>
<vuln vid="4b228e69-22e1-4019-afd0-8aa716d0ec0b">
<topic>wireshark -- multiple security issues</topic>
<affects>
<package>
<name>wireshark</name>
<range><ge>2.2.0</ge><le>2.2.10</le></range>
<range><ge>2.4.0</ge><le>2.4.2</le></range>
</package>
<package>
<name>wireshark-lite</name>
<range><ge>2.2.0</ge><le>2.2.10</le></range>
<range><ge>2.4.0</ge><le>2.4.2</le></range>
</package>
<package>
<name>wireshark-qt5</name>
<range><ge>2.2.0</ge><le>2.2.10</le></range>
<range><ge>2.4.0</ge><le>2.4.2</le></range>
</package>
<package>
<name>tshark</name>
<range><ge>2.2.0</ge><le>2.2.10</le></range>
<range><ge>2.4.0</ge><le>2.4.2</le></range>
</package>
<package>
<name>tshark-lite</name>
<range><ge>2.2.0</ge><le>2.2.10</le></range>
<range><ge>2.4.0</ge><le>2.4.2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Wireshark developers report:</p>
<blockquote cite="https://www.wireshark.org/security/">
<p>wnpa-sec-2017-47: The IWARP_MPA dissector could crash. (CVE-2017-17084)</p>
<p>wnpa-sec-2017-48: The NetBIOS dissector could crash. Discovered by Kamil Frankowicz. (CVE-2017-17083)</p>
<p>wnpa-sec-2017-49: The CIP Safety dissector could crash. (CVE-2017-17085)</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.wireshark.org/security/</url>
<url>https://www.wireshark.org/security/wnpa-sec-2017-47.html</url>
<url>https://www.wireshark.org/security/wnpa-sec-2017-48.html</url>
<url>https://www.wireshark.org/security/wnpa-sec-2017-49.html</url>
<cvename>CVE-2017-17083</cvename>
<cvename>CVE-2017-17084</cvename>
<cvename>CVE-2017-17085</cvename>
</references>
<dates>
<discovery>2017-11-30</discovery>
<entry>2017-12-10</entry>
</dates>
</vuln>
<vuln vid="3bb451fc-db64-11e7-ac58-b499baebfeaf">
<topic>OpenSSL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl</name>
<range><gt>1.0.2</gt><lt>1.0.2n</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSL project reports:</p>
<blockquote cite="https://www.openssl.org/news/secadv/20171207.txt">
<ul><li>Read/write after SSL object in error state (CVE-2017-3737)<br/>
OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error
state" mechanism. The intent was that if a fatal error occurred
during a handshake then OpenSSL would move into the error state and
would immediately fail if you attempted to continue the handshake.
This works as designed for the explicit handshake functions
(SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to
a bug it does not work correctly if SSL_read() or SSL_write() is
called directly. In that scenario, if the handshake fails then a
fatal error will be returned in the initial function call. If
SSL_read()/SSL_write() is subsequently called by the application for
the same SSL object then it will succeed and the data is passed
without being decrypted/encrypted directly from the SSL/TLS record
layer.</li>
<li>rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)<br/>
There is an overflow bug in the AVX2 Montgomery multiplication
procedure used in exponentiation with 1024-bit moduli. No EC
algorithms are affected. Analysis suggests that attacks against
RSA and DSA as a result of this defect would be very difficult to
perform and are not believed likely. Attacks against DH1024 are
considered just feasible, because most of the work necessary to
deduce information about a private key may be performed offline.
The amount of resources required for such an attack would be
significant. However, for an attack on TLS to be meaningful, the
server would have to share the DH1024 private key among multiple
clients, which is no longer an option since CVE-2016-0701.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://www.openssl.org/news/secadv/20171207.txt</url>
<cvename>CVE-2017-3737</cvename>
<cvename>CVE-2017-3738</cvename>
</references>
<dates>
<discovery>2017-12-07</discovery>
<entry>2017-12-07</entry>
</dates>
</vuln>
<vuln vid="9442a811-dab3-11e7-b5af-a4badb2f4699">
<topic>FreeBSD -- OpenSSL multiple vulnerabilities</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>11.1</ge><lt>11.1_5</lt></range>
<range><ge>11.0</ge><lt>11.0_16</lt></range>
<range><ge>10.4</ge><lt>10.4_4</lt></range>
<range><ge>10.3</ge><lt>10.3_25</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>If an X.509 certificate has a malformed IPAddressFamily
extension, OpenSSL could do a one-byte buffer overread.
[CVE-2017-3735]</p>
<p>There is a carry propagating bug in the x86_64 Montgomery
squaring procedure. This only affects processors that support
the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th
generation) and later or AMD Ryzen. [CVE-2017-3736] This
bug only affects FreeBSD 11.x.</p>
<h1>Impact:</h1>
<p>Applications using OpenSSL may display an erroneous certificate
in text format. [CVE-2017-3735]</p>
<p>Mishandling of carry propagation will produce incorrect
output, and make it easier for a remote attacker to obtain
sensitive private-key information. No EC algorithms are
affected. Analysis suggests that attacks against RSA and
DSA as a result of this defect would be very difficult to
perform and are not believed likely.</p>
<p>Attacks against DH are considered just feasible (although
very difficult) because most of the work necessary to deduce
information about a private key may be performed offline.
The amount of resources required for such an attack would
be very significant and likely only accessible to a limited
number of attackers. An attacker would additionally need
online access to an unpatched system using the target private
key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. [CVE-2017-3736]</p>
</body>
</description>
<references>
<cvename>CVE-2017-3735</cvename>
<cvename>CVE-2017-3736</cvename>
<freebsdsa>SA-17:11.openssl</freebsdsa>
</references>
<dates>
<discovery>2017-11-29</discovery>
<entry>2017-12-06</entry>
</dates>
</vuln>
<vuln vid="759059ac-dab3-11e7-b5af-a4badb2f4699">
<topic>FreeBSD -- Information leak in kldstat(2)</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>11.1</ge><lt>11.1_4</lt></range>
<range><ge>11.0</ge><lt>11.0_15</lt></range>
<range><ge>10.4</ge><lt>10.4_3</lt></range>
<range><ge>10.3</ge><lt>10.3_24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The kernel does not properly clear the memory of the
kld_file_stat structure before filling the data. Since the
structure filled by the kernel is allocated on the kernel
stack and copied to userspace, a leak of information from
the kernel stack is possible.</p>
<h1>Impact:</h1>
<p>Some bytes from the kernel stack can be observed in
userspace.</p>
</body>
</description>
<references>
<cvename>CVE-2017-1088</cvename>
<freebsdsa>SA-17:10.kldstat</freebsdsa>
</references>
<dates>
<discovery>2017-11-15</discovery>
<entry>2017-12-06</entry>
</dates>
</vuln>
<vuln vid="5b1463dd-dab3-11e7-b5af-a4badb2f4699">
<topic>FreeBSD -- POSIX shm allows jails to access global namespace</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>10.4</ge><lt>10.4_3</lt></range>
<range><ge>10.3</ge><lt>10.3_24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Named paths are globally scoped, meaning a process located
in one jail can read and modify the content of POSIX shared
memory objects created by a process in another jail or the
host system.</p>
<h1>Impact:</h1>
<p>A malicious user that has access to a jailed system is
able to abuse shared memory by injecting malicious content
in the shared memory region. This memory region might be
executed by applications trusting the shared memory, like
Squid.</p>
<p>This issue could lead to a Denial of Service or local
privilege escalation.</p>
</body>
</description>
<references>
<cvename>CVE-2017-1087</cvename>
<freebsdsa>SA-17:09.shm</freebsdsa>
</references>
<dates>
<discovery>2017-11-15</discovery>
<entry>2017-12-06</entry>
</dates>
</vuln>
<vuln vid="34a3f9b5-dab3-11e7-b5af-a4badb2f4699">
<topic>FreeBSD -- Kernel data leak via ptrace(PT_LWPINFO)</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>11.1</ge><lt>11.1_4</lt></range>
<range><ge>11.0</ge><lt>11.0_15</lt></range>
<range><ge>10.4</ge><lt>10.4_3</lt></range>
<range><ge>10.3</ge><lt>10.3_24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Not all information in the struct ptrace_lwpinfo is
relevant for the state of any thread, and the kernel does
not fill the irrelevant bytes or short strings. Since the
structure filled by the kernel is allocated on the kernel
stack and copied to userspace, a leak of information of the
kernel stack of the thread is possible from the debugger.</p>
<h1>Impact:</h1>
<p>Some bytes from the kernel stack of the thread using
ptrace(PT_LWPINFO) call can be observed in userspace.</p>
</body>
</description>
<references>
<cvename>CVE-2017-1086</cvename>
<freebsdsa>SA-17:08.ptrace</freebsdsa>
</references>
<dates>
<discovery>2017-11-15</discovery>
<entry>2017-12-06</entry>
</dates>
</vuln>
<vuln vid="1f8de723-dab3-11e7-b5af-a4badb2f4699">
<topic>FreeBSD -- WPA2 protocol vulnerability</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>11.1</ge><lt>11.1_2</lt></range>
<range><ge>11.0</ge><lt>11.0_13</lt></range>
<range><ge>10.4</ge><lt>10.4_1</lt></range>
<range><ge>10.3</ge><lt>10.3_22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A vulnerability was found in how a number of implementations
can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK,
or IGTK) by replaying a specific frame that is used to
manage the keys.</p>
<h1>Impact:</h1>
<p>Such reinstallation of the encryption key can result in
two different types of vulnerabilities: disabling replay
protection and significantly reducing the security of
encryption to the point of allowing frames to be decrypted
or some parts of the keys to be determined by an attacker
depending on which cipher is used.</p>
</body>
</description>
<references>
<cvename>CVE-2017-1307</cvename>
<cvename>CVE-2017-1308</cvename>
<freebsdsa>SA-17:07.wpa</freebsdsa>
</references>
<dates>
<discovery>2017-10-16</discovery>
<entry>2017-12-06</entry>
</dates>
</vuln>
<vuln vid="b7e23050-2d5d-4e61-9b48-62e89db222ca">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><ge>57.0,1</ge><lt>57.0.1,1</lt></range>
<range><lt>56.0.2_11,1</lt></range>
</package>
<package>
<name>waterfox</name>
<range><lt>56.0.s20171130</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.49.2</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>52.5.1,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>52.5.1,2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-27/">
<p>CVE-2017-7843: Web worker in Private Browsing mode can write IndexedDB data</p>
<p>CVE-2017-7844: Visited history information leak through SVG image</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-7843</cvename>
<cvename>CVE-2017-7844</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2017-27/</url>
</references>
<dates>
<discovery>2017-11-29</discovery>
<entry>2017-12-05</entry>
</dates>
</vuln>
<vuln vid="17133e7e-d764-11e7-b5af-a4badb2f4699">
<topic>varnish -- information disclosure vulnerability</topic>
<affects>
<package>
<name>varnish4</name>
<range><lt>4.1.9</lt></range>
</package>
<package>
<name>varnish5</name>
<range><lt>5.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Varnish reports:</p>
<blockquote cite="https://varnish-cache.org/security/VSV00002.html">
<p>A wrong if statement in the varnishd source code means that
synthetic objects in stevedores which over-allocate may leak up to page
size of data from a malloc(3) memory allocation.</p>
</blockquote>
</body>
</description>
<references>
<url>https://varnish-cache.org/security/VSV00002.html</url>
<cvename>CVE-2017-8807</cvename>
</references>
<dates>
<discovery>2017-11-15</discovery>
<entry>2017-12-02</entry>
</dates>
</vuln>
<vuln vid="addad6de-d752-11e7-99bf-00e04c1ea73d">
<topic>mybb -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mybb</name>
<range><lt>1.8.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MyBB Team reports:</p>
<blockquote cite="https://blog.mybb.com/2017/11/28/mybb-1-8-14-released-security-maintenance-release/">
<p>High risk: Language file headers RCE</p>
<p>Low risk: Language Pack Properties XSS</p>
</blockquote>
</body>
</description>
<references>
<url>https://blog.mybb.com/2017/11/28/mybb-1-8-14-released-security-maintenance-release/</url>
</references>
<dates>
<discovery>2017-11-27</discovery>
<entry>2017-12-02</entry>
</dates>
</vuln>
<vuln vid="a2589511-d6ba-11e7-88dd-00e04c1ea73d">
<topic>wordpress -- multiple issues</topic>
<affects>
<package>
<name>wordpress</name>
<name>fr-wordpress</name>
<range><lt>4.9.1,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>ja-wordpress</name>
<name>ru-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.9.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>WordPress developers report:</p>
<blockquote cite="https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/">
<p>Use a properly generated hash for the newbloguser key instead of a determinate substring.</p>
<p>Add escaping to the language attributes used on html elements.</p>
<p>Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.</p>
<p>Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.</p>
</blockquote>
</body>
</description>
<references>
<url>https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/</url>
</references>
<dates>
<discovery>2017-11-29</discovery>
<entry>2017-12-01</entry>
</dates>
</vuln>
<vuln vid="e91cf90c-d6dd-11e7-9d10-001999f8d30b">
<topic>asterisk -- DoS vulnerability in Asterisk chan_skinny</topic>
<affects>
<package>
<name>asterisk13</name>
<range><lt>13.18.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/downloads/security-advisories">
<p>If the chan_skinny (AKA SCCP protocol) channel driver
is flooded with certain requests it can cause the asterisk
process to use excessive amounts of virtual memory
eventually causing asterisk to stop processing requests
of any kind.</p>
</blockquote>
</body>
</description>
<references>
<url>https://downloads.asterisk.org/pub/security/AST-2017-013.html</url>
<cvename>CVE-2017-17090</cvename>
</references>
<dates>
<discovery>2017-11-30</discovery>
<entry>2017-12-01</entry>
<modified>2017-12-13</modified>
</dates>
</vuln>
<vuln vid="75dd622c-d5fd-11e7-b9fe-c13eb7bcbf4f">
<topic>exim -- remote DoS attack in BDAT processing</topic>
<affects>
<package>
<name>exim</name>
<range><ge>4.88</ge><lt>4.89.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Exim developers report:</p>
<blockquote cite="https://bugs.exim.org/show_bug.cgi?id=2199">
<p>The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.exim.org/show_bug.cgi?id=2199</url>
<cvename>CVE-2017-16944</cvename>
</references>
<dates>
<discovery>2017-11-23</discovery>
<entry>2017-11-30</entry>
</dates>
</vuln>
<vuln vid="a66f9be2-d519-11e7-9866-c85b763a2f96">
<topic>xrdp -- local user can cause a denial of service</topic>
<affects>
<package>
<name>xrdp-devel</name>
<range><le>0.9.3,1</le></range>
<range><gt>0.9.3_1,1</gt><le>0.9.4,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>xrdp reports:</p>
<blockquote cite="https://github.com/neutrinolabs/xrdp/pull/958">
<p>The scp_v0s_accept function in the session manager uses an untrusted integer as a write length,
which allows local users to cause a denial of service (buffer overflow and application crash)
or possibly have unspecified other impact via a crafted input stream.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-16927</cvename>
</references>
<dates>
<discovery>2017-11-23</discovery>
<entry>2017-11-29</entry>
</dates>
</vuln>
<vuln vid="301a01b7-d50e-11e7-ac58-b499baebfeaf">
<topic>cURL -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>curl</name>
<range><ge>7.21.0</ge><lt>7.57.0</lt></range>
</package>
<package>
<name>linux-c7-curl</name>
<range><ge>7.21.0</ge><lt>7.29.0_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The cURL project reports:</p>
<blockquote cite="https://curl.haxx.se/changes.html">
<ul><li>NTLM buffer overflow via integer overflow
(CVE-2017-8816)<br/>libcurl contains a buffer overrun flaw
in the NTLM authentication code.
The internal function Curl_ntlm_core_mk_ntlmv2_hash sums up
the lengths of the user name + password (= SUM) and multiplies
the sum by two (= SIZE) to figure out how large storage to
allocate from the heap.</li>
<li>FTP wildcard out of bounds read (CVE-2017-8817)<br/>
libcurl contains a read out of bounds flaw in the FTP wildcard
function.
libcurl's FTP wildcard matching feature, which is enabled with
the CURLOPT_WILDCARDMATCH option can use a built-in wildcard
function or a user provided one. The built-in wildcard function
has a flaw that makes it not detect the end of the pattern
string if it ends with an open bracket ([) but instead it will
continue reading the heap beyond the end of the URL buffer that
holds the wildcard.</li>
<li>SSL out of buffer access (CVE-2017-8818)<br/>
libcurl contains an out boundary access flaw in SSL related code.
When allocating memory for a connection (the internal struct
called connectdata), a certain amount of memory is allocated at
the end of the struct to be used for SSL related structs. Those
structs are used by the particular SSL library libcurl is built
to use. The application can also tell libcurl which specific SSL
library to use if it was built to support more than one.
</li></ul>
</blockquote>
</body>
</description>
<references>
<url>https://curl.haxx.se/changes.html</url>
<cvename>CVE-2017-8816</cvename>
<cvename>CVE-2017-8817</cvename>
<cvename>CVE-2017-8818</cvename>
</references>
<dates>
<discovery>2017-11-29</discovery>
<entry>2017-11-29</entry>
<modified>2017-12-11</modified>
</dates>
</vuln>
<vuln vid="0d369972-d4ba-11e7-bfca-005056925db4">
<topic>borgbackup -- remote users can override repository restrictions</topic>
<affects>
<package>
<name>py34-borgbackup</name>
<name>py35-borgbackup</name>
<name>py36-borgbackup</name>
<range><ge>1.1.0</ge><lt>1.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>BorgBackup reports:</p>
<blockquote cite="https://github.com/borgbackup/borg/blob/1.1.3/docs/changes.rst#version-113-2017-11-27">
<p>Incorrect implementation of access controls allows remote users to
override repository restrictions in Borg servers. A user able to
access a remote Borg SSH server is able to circumvent access controls
post-authentication. Affected releases: 1.1.0, 1.1.1, 1.1.2. Releases
1.0.x are NOT affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-15914</cvename>
<url>https://github.com/borgbackup/borg/blob/1.1.3/docs/changes.rst#version-113-2017-11-27</url>
</references>
<dates>
<discovery>2017-11-27</discovery>
<entry>2017-11-29</entry>
</dates>
</vuln>
<vuln vid="6056bf68-f570-4e70-b740-b9f606971283">
<topic>palemoon -- multiple vulnerabilities</topic>
<affects>
<package>
<name>palemoon</name>
<range><lt>27.6.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Pale Moon reports:</p>
<blockquote cite="http://www.palemoon.org/releasenotes.shtml">
<p>CVE-2017-7832: Domain spoofing through use of dotless 'i' character followed by accent markers</p>
<p>CVE-2017-7835: Mixed content blocking incorrectly applies with redirects</p>
<p>CVE-2017-7840: Exported bookmarks do not strip script elements from user-supplied tags</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-7832</cvename>
<cvename>CVE-2017-7835</cvename>
<cvename>CVE-2017-7840</cvename>
</references>
<dates>
<discovery>2017-11-14</discovery>
<entry>2017-11-28</entry>
</dates>
</vuln>
<vuln vid="68b29058-d348-11e7-b9fe-c13eb7bcbf4f">
<topic>exim -- remote code execution, denial of service in BDAT</topic>
<affects>
<package>
<name>exim</name>
<range><ge>4.88</ge><lt>4.89_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Exim team reports:</p>
<blockquote cite="https://bugs.exim.org/show_bug.cgi?id=2199">
<p>The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.exim.org/show_bug.cgi?id=2199</url>
</references>
<dates>
<discovery>2017-11-23</discovery>
<entry>2017-11-27</entry>
</dates>
</vuln>
<vuln vid="7761288c-d148-11e7-87e5-00e04c1ea73d">
<topic>mybb -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mybb</name>
<range><lt>1.8.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MyBB Team reports:</p>
<blockquote cite="https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/">
<p>High risk: Installer RCE on configuration file write</p>
<p>High risk: Language file headers RCE</p>
<p>Medium risk: Installer XSS</p>
<p>Medium risk: Mod CP Edit Profile XSS</p>
<p>Low risk: Insufficient moderator permission check in delayed moderation tools</p>
<p>Low risk: Announcements HTML filter bypass</p>
<p>Low risk: Language Pack Properties XSS</p>
</blockquote>
</body>
</description>
<references>
<url>https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/</url>
</references>
<dates>
<discovery>2017-11-07</discovery>
<entry>2017-11-24</entry>
</dates>
</vuln>
<vuln vid="50127e44-7b88-4ade-8e12-5d57320823f1">
<topic>salt -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py27-salt</name>
<name>py32-salt</name>
<name>py33-salt</name>
<name>py34-salt</name>
<name>py35-salt</name>
<name>py36-salt</name>
<range><lt>2016.11.8</lt></range>
<range><ge>2017.7.0</ge><lt>2017.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SaltStack reports:</p>
<blockquote cite="https://docs.saltstack.com/en/latest/topics/releases/2017.7.2.html">
<p>Directory traversal vulnerability in minion id validation in SaltStack.
Allows remote minions with incorrect credentials to authenticate to a
master via a crafted minion ID. Credit for discovering the security flaw
goes to: Julian Brost (julian@0x4a42.net). NOTE: this vulnerability exists
because of an incomplete fix for CVE-2017-12791.</p>
<p>Remote Denial of Service with a specially crafted authentication request.
Credit for discovering the security flaw goes to: Julian Brost
(julian@0x4a42.net)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-14695</cvename>
<cvename>CVE-2017-14696</cvename>
<url>https://docs.saltstack.com/en/latest/topics/releases/2017.7.2.html</url>
<url>https://docs.saltstack.com/en/2016.11/topics/releases/2016.11.8.html</url>
<url>https://github.com/saltstack/salt/commit/80d90307b07b3703428ecbb7c8bb468e28a9ae6d</url>
<url>https://github.com/saltstack/salt/commit/5f8b5e1a0f23fe0f2be5b3c3e04199b57a53db5b</url>
</references>
<dates>
<discovery>2017-10-09</discovery>
<entry>2017-11-23</entry>
</dates>
</vuln>
<vuln vid="ef3423e4-d056-11e7-a52c-002590263bf5">
<topic>codeigniter -- input validation bypass</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>3.1.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://www.codeigniter.com/user_guide/changelog.html">
<p>Security: Fixed a potential object injection in Cache Library 'apc'
driver when save() is used with $raw = TRUE.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.codeigniter.com/user_guide/changelog.html</url>
</references>
<dates>
<discovery>2017-09-25</discovery>
<entry>2017-11-23</entry>
</dates>
</vuln>
<vuln vid="288f7cee-ced6-11e7-8ae9-0050569f0b83">
<topic>procmail -- Heap-based buffer overflow</topic>
<affects>
<package>
<name>procmail</name>
<range><lt>3.22_10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="https://www.debian.org/security/2017/dsa-4041">
<p>A remote attacker could use a flaw to cause formail to crash,
resulting in a denial of service or data loss.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-16844</cvename>
<url>https://www.debian.org/security/2017/dsa-4041</url>
<url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876511</url>
</references>
<dates>
<discovery>2017-11-16</discovery>
<entry>2017-11-21</entry>
<modified>2017-12-08</modified>
</dates>
</vuln>
<vuln vid="bf266183-cec7-11e7-af2d-2047478f2f70">
<topic>frr -- BGP Mishandled attribute length on Error</topic>
<affects>
<package>
<name>frr</name>
<range><lt>3.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>FRR reports:</p>
<blockquote cite="https://frrouting.org/community/security/cve-2017-15865.html">
<p>BGP Mishandled attribute length on Error</p>
<p>A vulnerability exists in the BGP daemon of FRR where a malformed BGP UPDATE
packet can leak information from the BGP daemon and cause a denial of
service by crashing the daemon.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-15865</cvename>
<url>https://frrouting.org/community/security/cve-2017-15865.html</url>
</references>
<dates>
<discovery>2017-11-08</discovery>
<entry>2017-11-21</entry>
</dates>
</vuln>
<vuln vid="db570002-ce06-11e7-804e-c85b763a2f96">
<topic>cacti -- multiple vulnerabilities</topic>
<affects>
<package>
<name>cacti</name>
<range><lt>1.1.28</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Cacti reports:</p>
<blockquote cite="https://www.cacti.net/release_notes.php?version=1.1.28">
<p>Changelog</p>
<p>issue#1057: CVE-2017-16641 - Potential vulnerability in RRDtool functions</p>
<p>issue#1066: CVE-2017-16660 in remote_agent.php logging function</p>
<p>issue#1066: CVE-2017-16661 in view log file</p>
<p>issue#1071: CVE-2017-16785 in global_session.php Reflection XSS</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-16641</cvename>
<cvename>CVE-2017-16660</cvename>
<cvename>CVE-2017-16661</cvename>
<cvename>CVE-2017-16785</cvename>
<url>https://sourceforge.net/p/cacti/mailman/message/36122745/</url>
</references>
<dates>
<discovery>2017-11-01</discovery>
<entry>2017-11-20</entry>
</dates>
</vuln>
<vuln vid="298829e2-ccce-11e7-92e4-000c29649f92">
<topic>mediawiki -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mediawiki127</name>
<range><lt>1.27.3</lt></range>
</package>
<package>
<name>mediawiki128</name>
<range><lt>1.28.2</lt></range>
</package>
<package>
<name>mediawiki129</name>
<range><lt>1.29.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MediaWiki reports:</p>
<blockquote cite="https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html">
<p>security fixes:</p>
<p>T128209: Reflected File Download from api.php. Reported by Abdullah Hussam.</p>
<p>T165846: BotPasswords doesn't throttle login attempts.</p>
<p>T134100: On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password.</p>
<p>T178451: XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping.</p>
<p>T176247: It's possible to mangle HTML via raw message parameter expansion.</p>
<p>T125163: id attribute on headlines allow raw.</p>
<p>T124404: language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition.</p>
<p>T119158: Language converter: unsafe attribute injection via glossary rules.</p>
<p>T180488: api.log contains passwords in plaintext wasn't correctly fixed.</p>
<p>T180231: composer.json has require-dev versions of PHPUnit with known security issues. Reported by Tom Hutchison.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-8808</cvename>
<cvename>CVE-2017-8809</cvename>
<cvename>CVE-2017-8810</cvename>
<cvename>CVE-2017-8811</cvename>
<cvename>CVE-2017-8812</cvename>
<cvename>CVE-2017-8814</cvename>
<cvename>CVE-2017-8815</cvename>
<cvename>CVE-2017-0361</cvename>
<cvename>CVE-2017-9841</cvename>
<url>https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html</url>
</references>
<dates>
<discovery>2017-11-14</discovery>
<entry>2017-11-19</entry>
</dates>
</vuln>
<vuln vid="52f10525-caff-11e7-b590-6451062f0f7a">
<topic>Flash Player -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplayer</name>
<range><lt>27.0.0.187</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb17-33.html">
<ul>
<li>These updates resolve out-of-bounds read vulnerabilities that
could lead to remote code execution (CVE-2017-3112,
CVE-2017-3114, CVE-2017-11213).</li>
<li>These updates resolve use after free vulnerabilities that
could lead to remote code execution (CVE-2017-11215,
CVE-2017-11225).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-3112</cvename>
<cvename>CVE-2017-3114</cvename>
<cvename>CVE-2017-11213</cvename>
<cvename>CVE-2017-11215</cvename>
<cvename>CVE-2017-11225</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb17-33.html</url>
</references>
<dates>
<discovery>2017-11-14</discovery>
<entry>2017-11-16</entry>
</dates>
</vuln>
<vuln vid="b4b7ec7d-ca27-11e7-a12d-6cc21735f730">
<topic>shibboleth2-sp -- "Dynamic" metadata provider plugin issue</topic>
<affects>
<package>
<name>shibboleth2-sp</name>
<range><lt>2.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Internet2 community reports:</p>
<blockquote cite="http://shibboleth.internet2.edu/secadv/secadv_20171115.txt">
<p>
The Shibboleth Service Provider software includes a MetadataProvider
plugin with the plugin type "Dynamic" to obtain metadata on demand
from a query server, in place of the more typical mode of
downloading aggregates separately containing all of the metadata to
load.
</p><p>
All the plugin types rely on MetadataFilter plugins to perform
critical security checks such as signature verification, enforcement
of validity periods, and other checks specific to deployments.
</p><p>
Due to a coding error, the "Dynamic" plugin fails to configure
itself with the filters provided to it and thus omits whatever
checks they are intended to perform, which will typically leave
deployments vulnerable to active attacks involving the substitution
of metadata if the network path to the query service is
compromised.
</p>
</blockquote>
</body>
</description>
<references>
<url>http://shibboleth.internet2.edu/secadv/secadv_20171115.txt</url>
</references>
<dates>
<discovery>2017-11-15</discovery>
<entry>2017-11-15</entry>
</dates>
</vuln>
<vuln vid="f78eac48-c3d1-4666-8de5-63ceea25a578">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<!-- 56.0.2_10,1 unlike 57.0,1 has CVE-2017-7827 partially unfixed:
bug 1384615, 1386490, 1393840, 1403716 -->
<range><lt>56.0.2_10,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.49.2</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>52.5.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>52.5.0,2</lt></range>
</package>
<package>
<name>libxul</name>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>52.5.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/">
<p>CVE-2017-7828: Use-after-free of PressShell while restyling layout</p>
<p>CVE-2017-7830: Cross-origin URL information leak through Resource Timing API</p>
<p>CVE-2017-7831: Information disclosure of exposed properties on JavaScript proxy objects</p>
<p>CVE-2017-7832: Domain spoofing through use of dotless 'i' character followed by accent markers</p>
<p>CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker characters</p>
<p>CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections</p>
<p>CVE-2017-7835: Mixed content blocking incorrectly applies with redirects</p>
<p>CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and OS X</p>
<p>CVE-2017-7837: SVG loaded as &lt;img&gt; can use meta tags to set cookies</p>
<p>CVE-2017-7838: Failure of individual decoding of labels in international domain names triggers punycode display of entire IDN</p>
<p>CVE-2017-7839: Control characters before javascript: URLs defeats self-XSS prevention mechanism</p>
<p>CVE-2017-7840: Exported bookmarks do not strip script elements from user-supplied tags</p>
<p>CVE-2017-7842: Referrer Policy is not always respected for &lt;link&gt; elements</p>
<p>CVE-2017-7827: Memory safety bugs fixed in Firefox 57</p>
<p>CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-7826</cvename>
<cvename>CVE-2017-7827</cvename>
<cvename>CVE-2017-7828</cvename>
<cvename>CVE-2017-7830</cvename>
<cvename>CVE-2017-7831</cvename>
<cvename>CVE-2017-7832</cvename>
<cvename>CVE-2017-7833</cvename>
<cvename>CVE-2017-7834</cvename>
<cvename>CVE-2017-7835</cvename>
<cvename>CVE-2017-7836</cvename>
<cvename>CVE-2017-7837</cvename>
<cvename>CVE-2017-7838</cvename>
<cvename>CVE-2017-7839</cvename>
<cvename>CVE-2017-7840</cvename>
<cvename>CVE-2017-7842</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2017-24/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2017-25/</url>
</references>
<dates>
<discovery>2017-11-14</discovery>
<entry>2017-11-14</entry>
</dates>
</vuln>
<vuln vid="27b38d85-c891-11e7-a7bd-cd1209e563f2">
<topic>rubygem-geminabox -- XSS vulnerabilities</topic>
<affects>
<package>
<name>rubygem-geminabox</name>
<range><lt>0.13.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-16792">
<p>Stored cross-site scripting (XSS) vulnerability in "geminabox"
(Gem in a Box) before 0.13.10 allows attackers to inject arbitrary
web script via the "homepage" value of a ".gemspec" file, related
to views/gem.erb and views/index.erb.</p>
</blockquote>
</body>
</description>
<references>
<url>https://nvd.nist.gov/vuln/detail/CVE-2017-16792</url>
<cvename>CVE-2017-16792</cvename>
</references>
<dates>
<discovery>2017-11-13</discovery>
<entry>2017-11-13</entry>
</dates>
</vuln>
<vuln vid="795ccee1-c7ed-11e7-ad7d-001e2a3f778d">
<topic>konversation -- crash in IRC message parsing</topic>
<affects>
<package>
<name>konversation</name>
<range><lt>1.7.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>KDE reports:</p>
<blockquote cite="https://www.kde.org/info/security/advisory-20171112-1.txt">
<p>Konversation has support for colors in IRC messages. Any malicious user connected to the same IRC network can send a carefully crafted message that will crash the Konversation user client.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-15923</cvename>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15923</url>
<url>https://www.kde.org/info/security/advisory-20171112-1.txt</url>
</references>
<dates>
<discovery>2017-10-27</discovery>
<entry>2017-11-12</entry>
</dates>
</vuln>
<vuln vid="f622608c-c53c-11e7-a633-009c02a2ab30">
<topic>roundcube -- file disclosure vulnerability</topic>
<affects>
<package>
<name>roundcube</name>
<range><lt>1.3.3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16651">
<p>Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before
1.3.3 allows unauthorized access to arbitrary files on the host's filesystem,
including configuration files, as exploited in the wild in November 2017.
The attacker must be able to authenticate at the target system with a valid
username/password as the attack requires an active session.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/roundcube/roundcubemail/issues/6026</url>
<url>https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10</url>
<cvename>CVE-2017-16651</cvename>
<freebsdpr>ports/223557</freebsdpr>
</references>
<dates>
<discovery>2017-11-06</discovery>
<entry>2017-11-11</entry>
<modified>2017-12-31</modified>
</dates>
</vuln>
<vuln vid="f8e72cd4-c66a-11e7-bb17-e8e0b747a45a">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>62.0.3202.89</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/11/stable-channel-update-for-desktop.html">
<p>2 security fixes in this release, including:</p>
<ul>
<li>[777728] Critical CVE-2017-15398: Stack buffer overflow in QUIC.
Reported by Ned Williamson on 2017-10-24</li>
<li>[776677] High CVE-2017-15399: Use after free in V8. Reported by
Zhao Qixun of Qihoo 360 Vulcan Team on 2017-10-20</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-15398</cvename>
<cvename>CVE-2017-15399</cvename>
<url>https://chromereleases.googleblog.com/2017/11/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2017-11-06</discovery>
<entry>2017-11-10</entry>
</dates>
</vuln>
<vuln vid="1f02af5d-c566-11e7-a12d-6cc21735f730">
<topic>PostgreSQL vulnerabilities</topic>
<affects>
<package>
<name>postgresql92-server</name>
<range><ge>9.2.0</ge><lt>9.2.24</lt></range>
</package>
<package>
<name>postgresql93-server</name>
<range><ge>9.3.0</ge><lt>9.3.20</lt></range>
</package>
<package>
<name>postgresql94-server</name>
<range><ge>9.4.0</ge><lt>9.4.15</lt></range>
</package>
<package>
<name>postgresql95-server</name>
<range><ge>9.5.0</ge><lt>9.5.10</lt></range>
</package>
<package>
<name>postgresql96-server</name>
<range><ge>9.6.0</ge><lt>9.6.6</lt></range>
</package>
<package>
<name>postgresql10-server</name>
<range><ge>10.0</ge><lt>10.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PostgreSQL project reports:</p>
<blockquote cite="https://www.postgresql.org/about/news/1801/">
<ul>
<li>CVE-2017-15098: Memory disclosure in JSON functions</li>
<li>CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to
enforce SELECT privileges</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-15099</cvename>
<cvename>CVE-2017-15098</cvename>
</references>
<dates>
<discovery>2017-10-10</discovery>
<entry>2017-11-09</entry>
</dates>
</vuln>
<vuln vid="1c2a9d76-9d98-43c3-8f5d-8c059b104d99">
<topic>jenkins -- multiple issues</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>2.89</lt></range>
</package>
<package>
<name>jenkins-lts</name>
<range><lt>2.73.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins developers report:</p>
<blockquote cite="http://www.securityfocus.com/bid/99574">
<p>Jenkins stores metadata related to people, which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping. This potentially resulted in a number of problems.</p>
<p>Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.</p>
</blockquote>
</body>
</description>
<references>
<url>https://jenkins.io/security/advisory/2017-11-08/</url>
</references>
<dates>
<discovery>2017-11-08</discovery>
<entry>2017-11-09</entry>
</dates>
</vuln>
<vuln vid="be261737-c535-11e7-8da5-001999f8d30b">
<topic>asterisk -- Memory/File Descriptor/RTP leak in pjsip session resource</topic>
<affects>
<package>
<name>asterisk13</name>
<range><ge>13.5.0</ge><lt>13.18.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>A memory leak occurs when an Asterisk pjsip session
object is created and that call gets rejected before the
session itself is fully established. When this happens
the session object never gets destroyed. This then leads
to file descriptors and RTP ports being leaked as well.</p>
</blockquote>
</body>
</description>
<references>
<url>https://downloads.asterisk.org/pub/security/AST-2017-011.html</url>
<cvename>CVE-2017-16672</cvename>
</references>
<dates>
<discovery>2017-10-15</discovery>
<entry>2017-11-09</entry>
<modified>2017-12-13</modified>
</dates>
</vuln>
<vuln vid="ab04cb0b-c533-11e7-8da5-001999f8d30b">
<topic>asterisk -- Buffer overflow in CDR's set user</topic>
<affects>
<package>
<name>asterisk13</name>
<range><lt>13.18.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>No size checking is done when setting the user field
for Party B on a CDR. Thus, it is possible for someone
to use an arbitrarily large string and write past the end
of the user field storage buffer. The earlier AST-2017-001
advisory for the CDR user field overflow was for the Party
A buffer.</p>
</blockquote>
</body>
</description>
<references>
<url>https://downloads.asterisk.org/pub/security/AST-2017-010.html</url>
<cvename>CVE-2017-16671</cvename>
</references>
<dates>
<discovery>2017-10-09</discovery>
<entry>2017-11-09</entry>
<modified>2017-12-13</modified>
</dates>
</vuln>
<vuln vid="19b052c9-c533-11e7-8da5-001999f8d30b">
<topic>asterisk -- Buffer overflow in pjproject header parsing can cause crash in Asterisk</topic>
<affects>
<package>
<name>asterisk13</name>
<range><lt>13.18.1</lt></range>
</package>
<package>
<name>pjsip</name>
<range><lt>2.7.1</lt></range>
</package>
<package>
<name>pjsip-extsrtp</name>
<range><lt>2.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>By carefully crafting invalid values in the Cseq and
the Via header port, pjproject's packet parsing code can
create strings larger than the buffer allocated to hold
them. This will usually cause Asterisk to crash immediately.
The packets do not have to be authenticated.</p>
</blockquote>
</body>
</description>
<references>
<url>https://downloads.asterisk.org/pub/security/AST-2017-009.html</url>
</references>
<dates>
<discovery>2017-10-05</discovery>
<entry>2017-11-09</entry>
<modified>2017-11-15</modified>
</dates>
</vuln>
<vuln vid="f40f07aa-c00f-11e7-ac58-b499baebfeaf">
<topic>OpenSSL -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.2m,1</lt></range>
</package>
<package>
<name>openssl-devel</name>
<range><lt>1.1.0g</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSL project reports:</p>
<blockquote cite="https://www.openssl.org/news/secadv/20171102.txt">
<p>bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)<br/>
Severity: Moderate<br/>
There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that
attacks against RSA and DSA as a result of this defect would be
very difficult to perform and are not believed likely. Attacks
against DH are considered just feasible (although very difficult)
because most of the work necessary to deduce information about a
private key may be performed offline.</p>
<p>Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)<br/>
Severity: Low<br/>
This issue was previously announced in security advisory
https://www.openssl.org/news/secadv/20170828.txt, but the fix has
not previously been included in a release due to its low severity.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.openssl.org/news/secadv/20171102.txt</url>
<cvename>CVE-2017-3735</cvename>
<cvename>CVE-2017-3736</cvename>
</references>
<dates>
<discovery>2017-11-02</discovery>
<entry>2017-11-02</entry>
</dates>
</vuln>
<vuln vid="cee3d12f-bf41-11e7-bced-00e04c1ea73d">
<topic>wordpress -- multiple issues</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.8.3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>WordPress developers report:</p>
<blockquote cite="https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/">
<p>WordPress versions 4.8.2 and earlier are affected by an issue
where $wpdb->prepare() can create unexpected and unsafe queries
leading to potential SQL injection (SQLi). WordPress core is not
directly vulnerable to this issue, but we've added hardening to
prevent plugins and themes from accidentally causing a vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/</url>
</references>
<dates>
<discovery>2017-10-31</discovery>
<entry>2017-11-01</entry>
</dates>
</vuln>
<vuln vid="4684a426-774d-4390-aa19-b8dd481c4c94">
<topic>wireshark -- multiple security issues</topic>
<affects>
<package>
<name>wireshark</name>
<range><ge>2.2.0</ge><le>2.2.9</le></range>
<range><ge>2.4.0</ge><le>2.4.1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark developers report:</p>
<blockquote cite="http://www.securityfocus.com/bid/101228">
<p>In Wireshark 2.4.0 to 2.4.1, the DOCSIS dissector could go into an infinite loop. This was addressed in plugins/docsis/packet-docsis.c by adding decrements.</p>
<p>In Wireshark 2.4.0 to 2.4.1, the RTSP dissector could crash. This was addressed in epan/dissectors/packet-rtsp.c by correcting the scope of a variable.</p>
<p>In Wireshark 2.4.0 to 2.4.1, 2.2.0 to 2.2.9, and 2.0.0 to 2.0.15, the DMP dissector could crash. This was addressed in epan/dissectors/packet-dmp.c by validating a string length.</p>
<p>In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the BT ATT dissector could crash. This was addressed in epan/dissectors/packet-btatt.c by considering a case where not all of the BTATT packets have the same encapsulation level.</p>
<p>In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the MBIM dissector could crash or exhaust system memory. This was addressed in epan/dissectors/packet-mbim.c by changing the memory-allocation approach.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.securityfocus.com/bid/101227</url>
<url>http://www.securityfocus.com/bid/101228</url>
<url>http://www.securityfocus.com/bid/101229</url>
<url>http://www.securityfocus.com/bid/101235</url>
<url>http://www.securityfocus.com/bid/101240</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14049</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14056</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14068</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14077</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14080</url>
<url>https://code.wireshark.org/review/23470</url>
<url>https://code.wireshark.org/review/23537</url>
<url>https://code.wireshark.org/review/23591</url>
<url>https://code.wireshark.org/review/23635</url>
<url>https://code.wireshark.org/review/23663</url>
<url>https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=3689dc1db36037436b1616715f9a3f888fc9a0f6</url>
<url>https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=625bab309d9dd21db2d8ae2aa3511810d32842a8</url>
<url>https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8dbb21dfde14221dab09b6b9c7719b9067c1f06e</url>
<url>https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=afb9ff7982971aba6e42472de0db4c1bedfc641b</url>
<url>https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e27870eaa6efa1c2dac08aa41a67fe9f0839e6e0</url>
<url>https://www.wireshark.org/security/wnpa-sec-2017-42.html</url>
<url>https://www.wireshark.org/security/wnpa-sec-2017-43.html</url>
<url>https://www.wireshark.org/security/wnpa-sec-2017-44.html</url>
<url>https://www.wireshark.org/security/wnpa-sec-2017-45.html</url>
<url>https://www.wireshark.org/security/wnpa-sec-2017-46.html</url>
<cvename>CVE-2017-15189</cvename>
<cvename>CVE-2017-15190</cvename>
<cvename>CVE-2017-15191</cvename>
<cvename>CVE-2017-15192</cvename>
<cvename>CVE-2017-15193</cvename>
</references>
<dates>
<discovery>2017-10-10</discovery>
<entry>2017-10-30</entry>
</dates>
</vuln>
<vuln vid="de7a2b32-bd7d-11e7-b627-d43d7e971a1b">
<topic>PHP -- denial of service attack</topic>
<affects>
<package>
<name>php56</name>
<range><lt>5.6.32</lt></range>
</package>
<package>
<name>php70</name>
<range><lt>7.0.25</lt></range>
</package>
<package>
<name>php71</name>
<range><lt>7.1.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP project reports:</p>
<blockquote cite="http://php.net/archive/2017.php#id2017-10-26-3">
<p>The PHP development team announces the immediate availability of PHP
5.6.32. This is a security release. Several security bugs were fixed in this
release. All PHP 5.6 users are encouraged to upgrade to this version.</p>
</blockquote>
<blockquote cite="http://php.net/archive/2017.php#id2017-10-26-1">
<p>The PHP development team announces the immediate availability of PHP
7.0.25. This is a security release. Several security bugs were fixed in this
release. All PHP 7.0 users are encouraged to upgrade to this version.</p>
</blockquote>
<blockquote cite="http://php.net/archive/2017.php#id2017-10-27-1">
<p>The PHP development team announces the immediate availability of PHP
7.1.11. This is a bugfix release, with several bug fixes included. All PHP
7.1 users are encouraged to upgrade to this version.</p>
</blockquote>
</body>
</description>
<references>
<url>http://php.net/archive/2017.php#id2017-10-26-3</url>
<url>http://php.net/archive/2017.php#id2017-10-26-1</url>
<url>http://php.net/archive/2017.php#id2017-10-27-1</url>
<cvename>CVE-2016-1283</cvename>
</references>
<dates>
<discovery>2017-10-26</discovery>
<entry>2017-10-30</entry>
<modified>2017-11-14</modified>
</dates>
</vuln>
<vuln vid="3cd46257-bbc5-11e7-a3bc-e8e0b747a45a">
<topic>chromium -- Stack overflow in V8</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>62.0.3202.75</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop_26.html">
<p>2 security fixes in this release, including:</p>
<ul>
<li>[770452] High CVE-2017-15396: Stack overflow in V8. Reported by
Yuan Deng of Ant-financial Light-Year Security Lab on 2017-09-30</li>
<li>[770450] Medium CVE-2017-15406: Stack overflow in V8. Reported by
Yuan Deng of Ant-financial Light-Year Security Lab on 2017-09-30</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-15396</cvename>
<cvename>CVE-2017-15406</cvename>
<url>https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop_26.html</url>
</references>
<dates>
<discovery>2017-10-26</discovery>
<entry>2017-10-28</entry>
<modified>2018-01-23</modified>
</dates>
</vuln>
<vuln vid="d77ceb8c-bb13-11e7-8357-3065ec6f3643">
<topic>wget -- Heap overflow in HTTP protocol handling</topic>
<affects>
<package>
<name>wget</name>
<range><lt>1.19.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Antti Levomäki, Christian Jalio and Joonas Pihlaja report:</p>
<blockquote cite="https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html">
<p>Wget contains two vulnerabilities, a stack overflow and a heap
overflow, in the handling of HTTP chunked encoding. By convincing
a user to download a specific link over HTTP, an attacker may be
able to execute arbitrary code with the privileges of the user.
</p>
</blockquote>
</body>
</description>
<references>
<url>http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba</url>
<cvename>CVE-2017-13090</cvename>
</references>
<dates>
<discovery>2017-10-20</discovery>
<entry>2017-10-27</entry>
</dates>
</vuln>
<vuln vid="09849e71-bb12-11e7-8357-3065ec6f3643">
<topic>wget -- Stack overflow in HTTP protocol handling</topic>
<affects>
<package>
<name>wget</name>
<range><lt>1.19.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Antti Levomäki, Christian Jalio and Joonas Pihlaja report:</p>
<blockquote cite="https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html">
<p>Wget contains two vulnerabilities, a stack overflow and a heap
overflow, in the handling of HTTP chunked encoding. By convincing
a user to download a specific link over HTTP, an attacker may be
able to execute arbitrary code with the privileges of the user.
</p>
</blockquote>
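<p>Added example serving both wget entries above (CVE-2017-13089, the stack overflow, and CVE-2017-13090, the heap overflow, both in chunked-encoding handling). This is not wget's code; it is a constructed, bounded reader for HTTP/1.1 chunked transfer encoding, written on the assumption that the hazard is a peer-supplied chunk size that the receiver uses to size a read without checking it against its own fixed buffer. All names, the buffer size and the wire data are invented for the example.</p>

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not wget's code: a bounded reader for HTTP/1.1
 * chunked transfer encoding. It assumes the hazard is a chunk-size value
 * that the receiver uses to size a read without checking it against its
 * own fixed buffer. */

#define CHUNK_BUF 512   /* fixed receive buffer, stack-allocated below */

/* Parse the hex size at the start of a chunk header ("1a;ext=1\r\n").
 * Only hex digits are accepted, so a sign, a "0x" prefix or whitespace is
 * rejected rather than silently interpreted, and the value is refused
 * before it can overflow a long. Returns -1 on any malformed input. */
long chunk_size_parse(const char *line)
{
    long n = 0;
    const char *p = line;

    if (!isxdigit((unsigned char)*p))
        return -1;
    for (; isxdigit((unsigned char)*p); p++) {
        int d = isdigit((unsigned char)*p) ? *p - '0'
                                          : tolower((unsigned char)*p) - 'a' + 10;
        if (n > (LONG_MAX - d) / 16)
            return -1;                  /* would overflow */
        n = n * 16 + d;
    }
    /* only a chunk extension or the line terminator may follow the digits */
    if (*p != '\0' && *p != ';' && *p != '\r' && *p != '\n')
        return -1;
    return n;
}

/* Decode a chunked body held in `wire` into `out`. Every copy is bounded by
 * the declared chunk size, the fixed stack buffer and the output capacity,
 * so a hostile size can only end the transfer with an error, never write
 * past a buffer. Returns the payload length, or -1 on malformed or
 * truncated input. Trailer fields after the last chunk are ignored. */
long chunked_body_read(const char *wire, size_t wire_len,
                       char *out, size_t out_cap)
{
    char buf[CHUNK_BUF];
    size_t pos = 0, total = 0;

    for (;;) {
        const char *nl = memchr(wire + pos, '\n', wire_len - pos);
        size_t linelen;
        long remaining;

        if (nl == NULL)
            return -1;                  /* no complete size line */
        linelen = (size_t)(nl - (wire + pos));
        if (linelen >= sizeof buf)
            return -1;                  /* over-long header line */
        memcpy(buf, wire + pos, linelen);
        buf[linelen] = '\0';
        pos += linelen + 1;

        remaining = chunk_size_parse(buf);
        if (remaining < 0)
            return -1;
        if (remaining == 0)
            break;                      /* last-chunk marker */

        while (remaining > 0) {
            /* the read is capped by the buffer, not by the peer's number */
            size_t want = (size_t)remaining < sizeof buf ? (size_t)remaining
                                                        : sizeof buf;
            if (want > wire_len - pos)
                return -1;              /* body shorter than declared */
            if (total + want > out_cap)
                return -1;              /* caller's buffer would overflow */
            memcpy(buf, wire + pos, want);
            memcpy(out + total, buf, want);
            pos += want;
            total += want;
            remaining -= (long)want;
        }
        if (wire_len - pos < 2 || wire[pos] != '\r' || wire[pos + 1] != '\n')
            return -1;                  /* chunk data must end with CRLF */
        pos += 2;
    }
    return (long)total;
}

int main(void)
{
    /* Constructed wire data: two chunks, then the last-chunk marker. */
    static const char wire[] = "5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n";
    static const char hostile[] = "7fffffff\r\nshort\r\n";
    char out[64];
    long n = chunked_body_read(wire, sizeof wire - 1, out, sizeof out);

    printf("decoded %ld bytes: %.*s\n", n, (int)n, out);
    n = chunked_body_read(hostile, sizeof hostile - 1, out, sizeof out);
    printf("hostile size: %s\n", n < 0 ? "rejected" : "accepted");
    return 0;
}
```

<p>The point of the design is that the peer's number is never the operand of a read or a copy by itself: each transfer is the minimum of the declared size, the receive buffer and the remaining output capacity, and the size parser refuses signs, prefixes and values that would overflow, so the arithmetic downstream never sees a negative or wrapped length.</p>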
</body>
</description>
<references>
<url>http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f</url>
<cvename>CVE-2017-13089</cvename>
</references>
<dates>
<discovery>2017-10-20</discovery>
<entry>2017-10-27</entry>
</dates>
</vuln>
<vuln vid="d7d1cc94-b971-11e7-af3a-f1035dd0da62">
<topic>Node.js -- remote DOS security vulnerability</topic>
<affects>
<package>
<name>node</name>
<range><lt>8.8.0</lt></range>
</package>
<package>
<name>node6</name>
<range><ge>6.10.2</ge><lt>6.11.5</lt></range>
</package>
<package>
<name>node4</name>
<range><ge>4.8.2</ge><lt>4.8.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Node.js reports:</p>
<blockquote cite="https://nodejs.org/en/blog/vulnerability/oct-2017-dos/">
<p>Node.js was susceptible to a remote DoS attack due to a change that came in as part of zlib v1.2.9. In zlib v1.2.9, 8 became an invalid value for the windowBits parameter, and Node's zlib module will crash or throw an exception (depending on the version).</p>
</blockquote>
</body>
</description>
<references>
<url>https://nodejs.org/en/blog/vulnerability/oct-2017-dos/</url>
<cvename>CVE-2017-14919</cvename>
</references>
<dates>
<discovery>2017-10-17</discovery>
<entry>2017-10-25</entry>
</dates>
</vuln>
<vuln vid="418c172b-b96f-11e7-b627-d43d7e971a1b">
<topic>GitLab -- multiple vulnerabilities</topic>
<affects>
<package>
<name>gitlab</name>
<range><ge>2.8.0</ge><le>9.4.6</le></range>
<range><ge>9.5.0</ge><le>9.5.8</le></range>
<range><ge>10.0.0</ge><le>10.0.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GitLab reports:</p>
<blockquote cite="https://about.gitlab.com/2017/10/17/gitlab-10-dot-0-dot-4-security-release/">
<h1>Cross-Site Scripting (XSS) vulnerability in the Markdown sanitization
filter</h1>
<p>Yasin Soliman via HackerOne reported a Cross-Site Scripting (XSS)
vulnerability in the GitLab markdown sanitization filter. The sanitization
filter was not properly stripping invalid characters from URL schemes and
was therefore vulnerable to persistent XSS attacks anywhere Markdown was
supported.</p>
<h1>Cross-Site Scripting (XSS) vulnerability in search bar</h1>
<p>Josh Unger reported a Cross-Site Scripting (XSS) vulnerability in the
issue search bar. Usernames were not being properly HTML escaped inside the
author filter, which could allow arbitrary script execution.</p>
<h1>Open redirect in repository git redirects</h1>
<p>Eric Rafaloff via HackerOne reported that GitLab was vulnerable to an
open redirect vulnerability when redirecting requests for repository names
that include the git extension. GitLab was not properly removing dangerous
parameters from the params field before redirecting which could allow an
attacker to redirect users to arbitrary hosts.</p>
<h1>Username changes could leave repositories behind</h1>
<p>An internal code review discovered that a bug in the code that moves
repositories during a username change could potentially leave behind
projects, allowing an attacker who knows the previous username to
potentially steal the contents of repositories on instances that are not
configured with hashed namespaces.</p>
</blockquote>
</body>
</description>
<references>
<url>https://about.gitlab.com/2017/10/17/gitlab-10-dot-0-dot-4-security-release/</url>
</references>
<dates>
<discovery>2017-10-17</discovery>
<entry>2017-10-25</entry>
</dates>
</vuln>
<vuln vid="27229c67-b8ff-11e7-9f79-ac9e174be3af">
<topic>Apache OpenOffice -- multiple vulnerabilities</topic>
<affects>
<package>
<name>apache-openoffice</name>
<range><lt>4.1.4</lt></range>
</package>
<package>
<name>apache-openoffice-devel</name>
<range><lt>4.2.1810071_1,4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache OpenOffice project reports:</p>
<blockquote cite="https://www.openoffice.org/security/cves/CVE-2017-3157.html">
<h1>CVE-2017-3157: Arbitrary file disclosure in Calc and Writer</h1>
<p>By exploiting the way OpenOffice renders embedded objects, an attacker could craft a document that allows reading in a file from the user's filesystem. Information could be retrieved by the attacker by, e.g., using hidden sections to store the information, tricking the user into saving the document and convincing the user to send the document back to the attacker.</p>
<p>The vulnerability is mitigated by the need for the attacker to know the precise file path in the target system, and the need to trick the user into saving the document and sending it back.</p>
</blockquote>
<blockquote cite="https://www.openoffice.org/security/cves/CVE-2017-9806.html">
<h1>CVE-2017-9806: Out-of-Bounds Write in Writer's WW8Fonts Constructor</h1>
<p>A vulnerability in the OpenOffice Writer DOC file parser, and specifically in the WW8Fonts Constructor, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution.</p>
</blockquote>
<blockquote cite="https://www.openoffice.org/security/cves/CVE-2017-12607.html">
<h1>CVE-2017-12607: Out-of-Bounds Write in Impress' PPT Filter</h1>
<p>A vulnerability in OpenOffice's PPT file parser, and specifically in PPTStyleSheet, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution.</p>
</blockquote>
<blockquote cite="https://www.openoffice.org/security/cves/CVE-2017-12608.html">
<h1>CVE-2017-12608: Out-of-Bounds Write in Writer's ImportOldFormatStyles</h1>
<p>A vulnerability in OpenOffice Writer DOC file parser, and specifically in ImportOldFormatStyles, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.openoffice.org/security/cves/CVE-2017-3157.html</url>
<url>https://www.openoffice.org/security/cves/CVE-2017-9806.html</url>
<url>https://www.openoffice.org/security/cves/CVE-2017-12607.html</url>
<url>https://www.openoffice.org/security/cves/CVE-2017-12608.html</url>
<cvename>CVE-2017-3157</cvename>
<cvename>CVE-2017-9806</cvename>
<cvename>CVE-2017-12607</cvename>
<cvename>CVE-2017-12608</cvename>
</references>
<dates>
<discovery>2016-09-11</discovery>
<entry>2017-10-24</entry>
<modified>2017-10-26</modified>
</dates>
</vuln>
<vuln vid="143ec3d6-b7cf-11e7-ac58-b499baebfeaf">
<topic>cURL -- out of bounds read</topic>
<affects>
<package>
<name>curl</name>
<range><ge>7.20</ge><lt>7.56.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The cURL project reports:</p>
<blockquote cite="https://curl.haxx.se/docs/adv_20171023.html">
<p>libcurl contains a buffer overrun flaw in the IMAP handler.<br/>
An IMAP FETCH response line indicates the size of the returned data,
in number of bytes. When that response says the data is zero bytes,
libcurl would pass on that (non-existing) data with a pointer and
the size (zero) to the deliver-data function.<br/>
libcurl's deliver-data function treats zero as a magic number and
invokes strlen() on the data to figure out the length. The strlen()
is called on a heap based buffer that might not be zero terminated
so libcurl might read beyond the end of it into whatever memory lies
after (or just crash) and then deliver that to the application as if
it was actually downloaded.</p>
</blockquote>
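<p>Added example for the cURL entry above (CVE-2017-1000257). It is a constructed miniature of the delivery path the advisory describes, not libcurl's code: a parser for the octet count of the IMAP literal on a FETCH line, the flawed convention in which a size of zero means "measure the data with strlen()", and a hardened form in which the parsed size is authoritative and a zero-octet literal delivers nothing. Function names, the sample FETCH exchange and the receive buffer are invented for the example; in the constructed buffer the stray bytes that the vulnerable path hands to the application happen to be NUL-terminated, which is exactly what real heap memory does not guarantee.</p>

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed miniature of the delivery path the advisory describes.
 * Nothing here is libcurl code; names are invented for the example. */

/* Octet count of the IMAP literal "{N}" that closes a FETCH response line,
 * e.g. "* 1 FETCH (BODY[] {0})". Returns -1 when the line carries no literal. */
long imap_literal_size(const char *line)
{
    const char *open = strrchr(line, '{');
    char *end;
    long n;

    if (open == NULL)
        return -1;
    n = strtol(open + 1, &end, 10);
    if (end == open + 1 || *end != '}' || n < 0)
        return -1;
    return n;
}

/* The flawed convention: a size of 0 is a magic value meaning "data is a
 * C string, measure it with strlen()". For a zero-octet literal, `data`
 * points at whatever bytes the connection delivered next, and nothing
 * guarantees a NUL terminator before the end of the heap buffer. */
size_t deliver_vulnerable(const char *data, size_t size, char *sink, size_t sink_cap)
{
    if (size == 0)
        size = strlen(data);            /* over-read of the receive buffer */
    if (size > sink_cap)
        size = sink_cap;
    memcpy(sink, data, size);
    return size;
}

/* Hardened: the size parsed from the FETCH line is authoritative. Zero
 * octets means nothing is delivered, so no code path measures the buffer
 * itself and the application never receives neighbouring memory as if it
 * were message content. */
size_t deliver_hardened(const char *data, size_t size, char *sink, size_t sink_cap)
{
    if (size == 0)
        return 0;
    if (size > sink_cap)
        size = sink_cap;
    memcpy(sink, data, size);
    return size;
}

int main(void)
{
    /* Constructed server exchange: the FETCH line announces a 0-octet body,
     * so the next bytes in the receive buffer are the tagged completion line. */
    const char *fetch_line = "* 1 FETCH (BODY[] {0})";
    const char *after_literal = "A003 OK FETCH completed\r\n";
    char sink[64];
    long size = imap_literal_size(fetch_line);
    size_t got;

    got = deliver_vulnerable(after_literal, (size_t)size, sink, sizeof sink);
    printf("vulnerable: delivered %zu bytes of non-message data\n", got);
    got = deliver_hardened(after_literal, (size_t)size, sink, sizeof sink);
    printf("hardened:   delivered %zu bytes\n", got);
    return 0;
}
```

<p>The general lesson is the one the advisory states: a length that the protocol already gives you must not be overloaded with a second meaning, because the sentinel value can be chosen by the peer. Keeping "unknown length, measure it" as a separate, caller-controlled signal (or dropping it altogether) is what removes the strlen() over-read.</p>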
</body>
</description>
<references>
<url>https://curl.haxx.se/docs/adv_20171023.html</url>
<cvename>CVE-2017-1000257</cvename>
</references>
<dates>
<discovery>2017-10-23</discovery>
<entry>2017-10-23</entry>
</dates>
</vuln>
<vuln vid="10c0fabc-b5da-11e7-816e-00bd5d1fff09">
<topic>h2o -- DoS in workers</topic>
<affects>
<package>
<name>h2o</name>
<range><lt>2.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Frederik Deweerdt reports:</p>
<blockquote cite="https://github.com/h2o/h2o/releases/tag/v2.2.3">
<p>Multiple Denial-of-Service vulnerabilities exist in h2o workers -
see references for full details.</p>
<p>CVE-2017-10868: Worker processes may crash when receiving a request with invalid framing.</p>
<p>CVE-2017-10869: The stack may overflow when proxying huge requests.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-10868</cvename>
<cvename>CVE-2017-10869</cvename>
<url>https://github.com/h2o/h2o/issues/1459</url>
<url>https://github.com/h2o/h2o/issues/1460</url>
<url>https://github.com/h2o/h2o/releases/tag/v2.2.3</url>
</references>
<dates>
<discovery>2017-07-19</discovery>
<entry>2017-10-17</entry>
</dates>
</vuln>
<vuln vid="85e2c7eb-b74b-11e7-8546-5cf3fcfdd1f1">
<topic>irssi -- multiple vulnerabilities</topic>
<affects>
<package>
<name>irssi</name>
<range><lt>1.0.5,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Irssi reports:</p>
<blockquote cite="https://irssi.org/security/irssi_sa_2017_10.txt">
<p>When installing themes with unterminated colour formatting
sequences, Irssi may access data beyond the end of the string.</p>
<p>While waiting for the channel synchronisation, Irssi may
incorrectly fail to remove destroyed channels from the query list,
resulting in use after free conditions when updating the state later
on.</p>
<p>Certain incorrectly formatted DCC CTCP messages could cause NULL
pointer dereference.</p>
<p>Overlong nicks or targets may result in a NULL pointer dereference
while splitting the message.</p>
<p>In certain cases Irssi may fail to verify that a Safe channel ID
is long enough, causing reads beyond the end of the string.</p>
</blockquote>
</body>
</description>
<references>
<url>https://irssi.org/security/irssi_sa_2017_10.txt</url>
<cvename>CVE-2017-15721</cvename>
<cvename>CVE-2017-15722</cvename>
<cvename>CVE-2017-15723</cvename>
<cvename>CVE-2017-15227</cvename>
<cvename>CVE-2017-15228</cvename>
<freebsdpr>ports/223169</freebsdpr>
</references>
<dates>
<discovery>2017-10-10</discovery>
<entry>2017-10-22</entry>
<modified>2017-12-31</modified>
</dates>
</vuln>
<vuln vid="a692bffe-b6ad-11e7-a1c2-e8e0b747a45a">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>62.0.3202.62</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html">
<p>35 security fixes in this release, including:</p>
<ul>
<li>[762930] High CVE-2017-5124: UXSS with MHTML. Reported by
Anonymous on 2017-09-07</li>
<li>[749147] High CVE-2017-5125: Heap overflow in Skia. Reported by
Anonymous on 2017-07-26</li>
<li>[760455] High CVE-2017-5126: Use after free in PDFium. Reported by
Luat Nguyen on KeenLab, Tencent on 2017-08-30</li>
<li>[765384] High CVE-2017-5127: Use after free in PDFium. Reported by
Luat Nguyen on KeenLab, Tencent on 2017-09-14</li>
<li>[765469] High CVE-2017-5128: Heap overflow in WebGL. Reported by
Omair on 2017-09-14</li>
<li>[765495] High CVE-2017-5129: Use after free in WebAudio. Reported by
Omair on 2017-09-15</li>
<li>[718858] High CVE-2017-5132: Incorrect stack manipulation in WebAssembly. Reported by
Gaurav Dewan of Adobe Systems India Pvt. Ltd. on 2017-05-05</li>
<li>[722079] High CVE-2017-5130: Heap overflow in libxml2. Reported by
Pranjal Jumde on 2017-05-14</li>
<li>[744109] Medium CVE-2017-5131: Out of bounds write in Skia. Reported by
Anonymous on 2017-07-16</li>
<li>[762106] Medium CVE-2017-5133: Out of bounds write in Skia. Reported by
Aleksandar Nikolic of Cisco Talos on 2017-09-05</li>
<li>[752003] Medium CVE-2017-15386: UI spoofing in Blink. Reported by
WenXu Wu of Tencent's Xuanwu Lab on 2017-08-03</li>
<li>[756040] Medium CVE-2017-15387: Content security bypass. Reported by
Jun Kokatsu on 2017-08-16</li>
<li>[756563] Medium CVE-2017-15388: Out of bounds read in Skia. Reported by
Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-08-17</li>
<li>[739621] Medium CVE-2017-15389: URL spoofing in Omnibox. Reported by
xisigr of Tencent's Xuanwu Lab on 2017-07-06</li>
<li>[750239] Medium CVE-2017-15390: URL spoofing in Omnibox. Reported by
Haosheng Wang on 2017-07-28</li>
<li>[598265] Low CVE-2017-15391: Extension limitation bypass in Extensions. Reported by
Joao Lucas Melo Brasio on 2016-03-28</li>
<li>[714401] Low CVE-2017-15392: Incorrect registry key handling in PlatformIntegration.
Reported by Xiaoyin Liu on 2017-04-22</li>
<li>[732751] Low CVE-2017-15393: Referrer leak in Devtools. Reported by
Svyat Mitin on 2017-06-13</li>
<li>[745580] Low CVE-2017-15394: URL spoofing in extensions UI. Reported by
Sam on 2017-07-18</li>
<li>[759457] Low CVE-2017-15395: Null pointer dereference in ImageCapture. Reported by
Johannes Bergman on 2017-08-28</li>
<li>[775550] Various fixes from internal audits, fuzzing and other initiatives</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5124</cvename>
<cvename>CVE-2017-5125</cvename>
<cvename>CVE-2017-5126</cvename>
<cvename>CVE-2017-5127</cvename>
<cvename>CVE-2017-5128</cvename>
<cvename>CVE-2017-5129</cvename>
<cvename>CVE-2017-5132</cvename>
<cvename>CVE-2017-5130</cvename>
<cvename>CVE-2017-5131</cvename>
<cvename>CVE-2017-5133</cvename>
<cvename>CVE-2017-15386</cvename>
<cvename>CVE-2017-15387</cvename>
<cvename>CVE-2017-15388</cvename>
<cvename>CVE-2017-15389</cvename>
<cvename>CVE-2017-15390</cvename>
<cvename>CVE-2017-15391</cvename>
<cvename>CVE-2017-15392</cvename>
<cvename>CVE-2017-15393</cvename>
<cvename>CVE-2017-15394</cvename>
<cvename>CVE-2017-15395</cvename>
<url>https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2017-10-17</discovery>
<entry>2017-10-21</entry>
</dates>
</vuln>
<vuln vid="e1cb9dc9-daa9-44db-adde-e94d900e2f7f">
<topic>cacti -- Cross Site Scripting issue</topic>
<affects>
<package>
<name>cacti</name>
<range><lt>1.1.26</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>cacti developers report:</p>
<blockquote cite="https://github.com/Cacti/cacti/commit/93f661d8adcfa6618b11522cdab30e97bada33fd">
<p>The file include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.securitytracker.com/id/1039569</url>
<url>https://github.com/Cacti/cacti/commit/93f661d8adcfa6618b11522cdab30e97bada33fd</url>
<url>https://github.com/Cacti/cacti/issues/1010</url>
<cvename>CVE-2017-15194</cvename>
</references>
<dates>
<discovery>2017-10-10</discovery>
<entry>2017-10-19</entry>
</dates>
</vuln>
<vuln vid="b95e5674-b4d6-11e7-b895-0cc47a494882">
<topic>arj -- multiple vulnerabilities</topic>
<affects>
<package>
<name>arj</name>
<range><lt>3.10.22_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Several vulnerabilities were discovered in the arj archiver: symlink
directory traversal, absolute path directory traversal and a buffer overflow.</p>
</body>
</description>
<references>
<cvename>CVE-2015-0556</cvename>
<cvename>CVE-2015-0557</cvename>
<cvename>CVE-2015-2782</cvename>
</references>
<dates>
<discovery>2015-04-08</discovery>
<entry>2017-10-19</entry>
</dates>
</vuln>
<vuln vid="3f3837cc-48fb-4414-aa46-5b1c23c9feae">
<topic>krb5 -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>krb5</name>
<range><lt>1.14.6</lt></range>
<range><ge>1.15</ge><lt>1.15.2</lt></range>
</package>
<package>
<name>krb5-devel</name>
<range><lt>1.14.6</lt></range>
<range><ge>1.15</ge><lt>1.15.2</lt></range>
</package>
<package>
<name>krb5-115</name>
<range><lt>1.15.2</lt></range>
</package>
<package>
<name>krb5-114</name>
<range><lt>1.14.6</lt></range>
</package>
<package>
<name>krb5-113</name>
<range><lt>1.14.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MIT reports:</p>
<blockquote cite="http://krbdev.mit.edu/rt/Ticket/Display.html?id=8599">
<p>CVE-2017-11368:</p>
<p>In MIT krb5 1.7 and later, an authenticated attacker can cause an
assertion failure in krb5kdc by sending an invalid S4U2Self or
S4U2Proxy request.</p>
</blockquote>
<blockquote cite="http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598">
<p>CVE-2017-11462:</p>
<p>RFC 2744 permits a GSS-API implementation to delete an existing
security context on a second or subsequent call to gss_init_sec_context()
or gss_accept_sec_context() if the call results in an error.
This API behavior has been found to be dangerous, leading to the
possibility of memory errors in some callers. For safety, GSS-API
implementations should instead preserve existing security contexts
on error until the caller deletes them.</p>
<p>All versions of MIT krb5 prior to this change may delete acceptor
contexts on error. Versions 1.13.4 through 1.13.7, 1.14.1 through
1.14.5, and 1.15 through 1.15.1 may also delete initiator contexts
on error.</p>
</blockquote>
</body>
</description>
<references>
<url>https://nvd.nist.gov/vuln/detail/CVE-2017-11368</url>
<url>https://krbdev.mit.edu/rt/Ticket/Display.html?id=8599</url>
<url>https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970</url>
<url>https://nvd.nist.gov/vuln/detail/CVE-2017-11462</url>
<url>https://krbdev.mit.edu/rt/Ticket/Display.html?id=8598</url>
<url>https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf</url>
<cvename>CVE-2017-11368</cvename>
<cvename>CVE-2017-11462</cvename>
</references>
<dates>
<discovery>2017-07-14</discovery>
<entry>2017-10-18</entry>
</dates>
</vuln>
<vuln vid="c41bedfd-b3f9-11e7-ac58-b499baebfeaf">
<topic>MySQL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mariadb55-server</name>
<range><lt>5.5.58</lt></range>
</package>
<package>
<name>mariadb100-server</name>
<range><lt>10.0.33</lt></range>
</package>
<package>
<name>mariadb101-server</name>
<range><lt>10.1.29</lt></range>
</package>
<package>
<name>mariadb102-server</name>
<range><lt>10.2.10</lt></range>
</package>
<package>
<name>mysql55-server</name>
<range><lt>5.5.58</lt></range>
</package>
<package>
<name>mysql56-server</name>
<range><lt>5.6.38</lt></range>
</package>
<package>
<name>mysql57-server</name>
<range><lt>5.7.20</lt></range>
</package>
<package>
<name>percona55-server</name>
<range><lt>5.5.58</lt></range>
</package>
<package>
<name>percona56-server</name>
<range><lt>5.6.38</lt></range>
</package>
<package>
<name>percona57-server</name>
<range><lt>5.7.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Oracle reports:</p>
<blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL">
<p>Please refer to the CVE/URL list for details.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL</url>
<cvename>CVE-2017-10155</cvename>
<cvename>CVE-2017-10379</cvename>
<cvename>CVE-2017-10384</cvename>
<cvename>CVE-2017-10276</cvename>
<cvename>CVE-2017-10167</cvename>
<cvename>CVE-2017-10378</cvename>
<cvename>CVE-2017-10277</cvename>
<cvename>CVE-2017-10203</cvename>
<cvename>CVE-2017-10283</cvename>
<cvename>CVE-2017-10313</cvename>
<cvename>CVE-2017-10296</cvename>
<cvename>CVE-2017-10311</cvename>
<cvename>CVE-2017-10320</cvename>
<cvename>CVE-2017-10314</cvename>
<cvename>CVE-2017-10227</cvename>
<cvename>CVE-2017-10279</cvename>
<cvename>CVE-2017-10294</cvename>
<cvename>CVE-2017-10165</cvename>
<cvename>CVE-2017-10284</cvename>
<cvename>CVE-2017-10286</cvename>
<cvename>CVE-2017-10268</cvename>
<cvename>CVE-2017-10365</cvename>
</references>
<dates>
<discovery>2017-10-18</discovery>
<entry>2017-10-18</entry>
<modified>2017-12-23</modified>
</dates>
</vuln>
<vuln vid="ab881a74-c016-4e6d-9f7d-68c8e7cedafb">
<topic>xorg-server -- Multiple Issues</topic>
<affects>
<package>
<name>xorg-server</name>
<range><le>1.18.4_6,1</le></range>
<range><ge>1.19.0,1</ge><le>1.19.3,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>xorg-server developers report:</p>
<blockquote cite="http://www.securityfocus.com/bid/99546">
<p>In the X.Org X server before 2017-06-19, a user authenticated to
an X Session could crash or execute code in the context of the X
Server by exploiting a stack overflow in the endianness conversion
of X Events.</p>
<p>Uninitialized data in endianness conversion in the XEvent handling
of the X.Org X Server before 2017-06-19 allowed authenticated
malicious users to access potentially privileged data from the X
server.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.securityfocus.com/bid/99546</url>
<url>https://bugzilla.suse.com/show_bug.cgi?id=1035283</url>
<url>https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c</url>
<url>https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d</url>
<url>https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455</url>
<url>http://www.securityfocus.com/bid/99543</url>
<url>https://cgit.freedesktop.org/xorg/xserver/commit/?id=05442de962d3dc624f79fc1a00eca3ffc5489ced</url>
<cvename>CVE-2017-10971</cvename>
<cvename>CVE-2017-10972</cvename>
</references>
<dates>
<discovery>2017-07-06</discovery>
<entry>2017-10-17</entry>
<modified>2018-05-20</modified>
</dates>
</vuln>
<vuln vid="a73518da-b2fa-11e7-98ef-d43d7ef03aa6">
<topic>Flash Player -- Remote code execution</topic>
<affects>
<package>
<name>linux-flashplayer</name>
<range><lt>27.0.0.170</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb17-32.html">
<ul>
<li>This update resolves a type confusion vulnerability that
could lead to remote code execution (CVE-2017-11292).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-11292</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb17-32.html</url>
</references>
<dates>
<discovery>2017-10-16</discovery>
<entry>2017-10-17</entry>
</dates>
</vuln>
<vuln vid="d670a953-b2a1-11e7-a633-009c02a2ab30">
<topic>WPA packet number reuse with replayed messages and key reinstallation</topic>
<affects>
<package>
<name>wpa_supplicant</name>
<range><le>2.6_1</le></range>
</package>
<package>
<name>hostapd</name>
<range><le>2.6</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>wpa_supplicant developers report:</p>
<blockquote cite="http://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt">
<p>A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys.</p>
</blockquote>
</body>
</description>
<references>
<url>http://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt</url>
<url>https://www.kb.cert.org/vuls/id/228519</url>
<cvename>CVE-2017-13077</cvename>
<cvename>CVE-2017-13078</cvename>
<cvename>CVE-2017-13079</cvename>
<cvename>CVE-2017-13080</cvename>
<cvename>CVE-2017-13081</cvename>
<cvename>CVE-2017-13082</cvename>
<cvename>CVE-2017-13084</cvename>
<cvename>CVE-2017-13086</cvename>
<cvename>CVE-2017-13087</cvename>
<cvename>CVE-2017-13088</cvename>
</references>
<dates>
<discovery>2017-10-16</discovery>
<entry>2017-10-16</entry>
</dates>
</vuln>
<vuln vid="b0628e53-092a-4037-938b-29805a7cd31b">
<topic>mercurial -- multiple issues</topic>
<affects>
<package>
<name>mercurial</name>
<range><lt>4.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>mercurial developers report:</p>
<blockquote cite="http://www.securityfocus.com/bid/100290">
<p>Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can allow malicious repositories to modify files outside the repository.</p>
<p>Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.securityfocus.com/bid/100290</url>
<url>https://security.gentoo.org/glsa/201709-18</url>
<url>https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29</url>
<cvename>CVE-2017-1000115</cvename>
<cvename>CVE-2017-1000116</cvename>
</references>
<dates>
<discovery>2017-10-05</discovery>
<entry>2017-10-16</entry>
</dates>
</vuln>
<vuln vid="555cd806-b031-11e7-a369-14dae9d59f67">
<topic>Multiple exploitable heap-based buffer overflow vulnerabilities exist in FreeXL 1.0.3</topic>
<affects>
<package>
<name>freexl</name>
<range><lt>1.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Cisco TALOS reports:</p>
<blockquote cite="http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0430">
<p>An exploitable heap-based buffer overflow vulnerability exists in the read_biff_next_record function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability.</p>
</blockquote>
<blockquote cite="https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0431">
<p>An exploitable heap-based buffer overflow vulnerability exists in the read_legacy_biff function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0430</url>
<cvename>CVE-2017-2923</cvename>
<url>https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0431</url>
<cvename>CVE-2017-2924</cvename>
</references>
<dates>
<discovery>2017-09-11</discovery>
<entry>2017-10-13</entry>
</dates>
</vuln>
<vuln vid="ed73829d-af6d-11e7-a633-009c02a2ab30">
<topic>FFmpeg -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ffmpeg</name>
<range><lt>3.3.4</lt></range>
</package>
<package>
<name>mythtv</name>
<name>mythtv-frontend</name>
<!-- mythtv-29.x has ffmpeg-3.2 -->
<range><lt>29.1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>FFmpeg security reports:</p>
<blockquote cite="https://www.ffmpeg.org/security.html">
<p>Multiple vulnerabilities have been fixed in FFmpeg 3.3.4. Please refer to the CVE list for details.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.ffmpeg.org/security.html</url>
<cvename>CVE-2017-14054</cvename>
<cvename>CVE-2017-14055</cvename>
<cvename>CVE-2017-14056</cvename>
<cvename>CVE-2017-14057</cvename>
<cvename>CVE-2017-14058</cvename>
<cvename>CVE-2017-14059</cvename>
<cvename>CVE-2017-14169</cvename>
<cvename>CVE-2017-14170</cvename>
<cvename>CVE-2017-14171</cvename>
<cvename>CVE-2017-14222</cvename>
<cvename>CVE-2017-14223</cvename>
<cvename>CVE-2017-14225</cvename>
<cvename>CVE-2017-14767</cvename>
</references>
<dates>
<discovery>2017-09-11</discovery>
<entry>2017-10-12</entry>
<modified>2018-03-25</modified>
</dates>
</vuln>
<vuln vid="7274e0cc-575f-41bc-8619-14a41b3c2ad0">
<topic>xorg-server -- multiple vulnerabilities</topic>
<affects>
<package>
<name>xephyr</name>
<range><lt>1.18.4_5,1</lt></range>
</package>
<package>
<name>xorg-dmx</name>
<range><lt>1.18.4_5,1</lt></range>
</package>
<package>
<name>xorg-nestserver</name>
<range><lt>1.19.1_2,2</lt></range>
</package>
<package>
<name>xorg-server</name>
<range><lt>1.18.4_5,1</lt></range>
</package>
<package>
<name>xorg-vfbserver</name>
<range><lt>1.19.1_2,1</lt></range>
</package>
<package>
<name>xwayland</name>
<range><lt>1.19.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adam Jackson reports:</p>
<blockquote cite="https://lists.x.org/archives/xorg-announce/2017-October/002814.html">
<p>One regression fix since 1.19.4 (mea culpa), and fixes for
CVEs 2017-12176 through 2017-12187.</p>
</blockquote>
</body>
</description>
<references>
<url>https://lists.x.org/archives/xorg-announce/2017-October/002814.html</url>
<cvename>CVE-2017-12176</cvename>
<cvename>CVE-2017-12177</cvename>
<cvename>CVE-2017-12178</cvename>
<cvename>CVE-2017-12179</cvename>
<cvename>CVE-2017-12180</cvename>
<cvename>CVE-2017-12181</cvename>
<cvename>CVE-2017-12182</cvename>
<cvename>CVE-2017-12183</cvename>
<cvename>CVE-2017-12184</cvename>
<cvename>CVE-2017-12185</cvename>
<cvename>CVE-2017-12186</cvename>
<cvename>CVE-2017-12187</cvename>
</references>
<dates>
<discovery>2017-10-12</discovery>
<entry>2017-10-13</entry>
</dates>
</vuln>
<vuln vid="e837390d-0ceb-46b8-9b32-29c1195f5dc7">
<topic>solr -- Code execution via entity expansion</topic>
<affects>
<package>
<name>apache-solr</name>
<range><ge>5.1</ge><le>6.6.1</le></range>
<range><ge>7.0.0</ge><lt>7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Solr developers report:</p>
<blockquote cite="http://lucene.472066.n3.nabble.com/Re-Several-critical-vulnerabilities-discovered-in-Apache-Solr-XXE-amp-RCE-td4358308.html">
<p>The Lucene XML parser does not explicitly prohibit doctype declaration and expansion of external entities, which leads to arbitrary HTTP requests to the local SOLR instance and to the bypass of all firewall restrictions.</p>
<p>The Solr "RunExecutableListener" class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such a listener can be enabled with any parameters just by using the Config API with the add-listener command.</p>
</blockquote>
</body>
</description>
<references>
<url>http://lucene.472066.n3.nabble.com/Re-Several-critical-vulnerabilities-discovered-in-Apache-Solr-XXE-amp-RCE-td4358308.html</url>
<url>https://marc.info/?l=apache-announce&m=150786685013286</url>
<cvename>CVE-2017-12629</cvename>
</references>
<dates>
<discovery>2017-10-13</discovery>
<entry>2017-10-13</entry>
<modified>2017-10-16</modified>
</dates>
</vuln>
<vuln vid="6dc3c61c-e866-4c27-93f7-ae50908594fd">
<topic>jenkins -- multiple issues</topic>
<affects>
<package>
<name>jenkins</name>
<range><le>2.83</le></range>
</package>
<package>
<name>jenkins-lts</name>
<range><le>2.73.1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>jenkins developers report:</p>
<blockquote cite="https://jenkins.io/security/advisory/2017-10-11/">
<p>A total of 11 issues are reported; please see the reference URL for details.</p>
</blockquote>
</body>
</description>
<references>
<url>https://jenkins.io/security/advisory/2017-10-11/</url>
</references>
<dates>
<discovery>2017-10-11</discovery>
<entry>2017-10-13</entry>
</dates>
</vuln>
<vuln vid="da70d472-af59-11e7-ace2-f8b156b439c5">
<topic>xen-kernel -- multiple vulnerabilities</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.7.2_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen project reports multiple vulnerabilities.</p>
</body>
</description>
<references>
<url>http://xenbits.xen.org/xsa/advisory-237.html</url>
<url>http://xenbits.xen.org/xsa/advisory-238.html</url>
<url>http://xenbits.xen.org/xsa/advisory-239.html</url>
<url>http://xenbits.xen.org/xsa/advisory-240.html</url>
<url>http://xenbits.xen.org/xsa/advisory-241.html</url>
<url>http://xenbits.xen.org/xsa/advisory-242.html</url>
<url>http://xenbits.xen.org/xsa/advisory-243.html</url>
<url>http://xenbits.xen.org/xsa/advisory-244.html</url>
</references>
<dates>
<discovery>2017-10-12</discovery>
<entry>2017-10-12</entry>
</dates>
</vuln>
<vuln vid="e71fd9d3-af47-11e7-a633-009c02a2ab30">
<topic>nss -- Use-after-free in TLS 1.2 generating handshake hashes</topic>
<affects>
<package>
<name>nss</name>
<range><ge>3.32</ge><lt>3.32.1</lt></range>
<range><ge>3.28</ge><lt>3.28.6</lt></range>
</package>
<package>
<name>linux-c6-nss</name>
<range><ge>3.28</ge><lt>3.28.4_2</lt></range>
</package>
<package>
<name>linux-c7-nss</name>
<range><ge>3.28</ge><lt>3.28.4_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7805">
<p>During TLS 1.2 exchanges, handshake hashes are generated which
point to a message buffer. This saved data is used for later
messages but in some cases, the handshake transcript can
exceed the space available in the current buffer, causing the
allocation of a new buffer. This leaves a pointer pointing to
the old, freed buffer, resulting in a use-after-free when
handshake hashes are then calculated afterwards. This can
result in a potentially exploitable crash.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7805</url>
<url>https://hg.mozilla.org/projects/nss/rev/2d7b65b72290</url>
<url>https://hg.mozilla.org/projects/nss/rev/d3865e2957d0</url>
<cvename>CVE-2017-7805</cvename>
</references>
<dates>
<discovery>2017-08-04</discovery>
<entry>2017-10-12</entry>
<modified>2018-01-29</modified>
</dates>
</vuln>
<vuln vid="15a62f22-098a-443b-94e2-2d26c375b993">
<topic>osip -- Improper Restriction of Operations within the Bounds of a Memory Buffer</topic>
<affects>
<package>
<name>libosip2</name>
<range><le>5.0.0</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>osip developers report:</p>
<blockquote cite="http://www.securityfocus.com/bid/97644">
<p>In libosip2 in GNU oSIP 4.1.0 and 5.0.0, a malformed SIP message can lead to a heap buffer overflow in the msg_osip_body_parse() function defined in osipparser2/osip_message_parse.c, resulting in a remote DoS.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.securityfocus.com/bid/97644</url>
<url>https://savannah.gnu.org/support/index.php?109265</url>
<cvename>CVE-2017-7853</cvename>
</references>
<dates>
<discovery>2017-04-13</discovery>
<entry>2017-10-11</entry>
</dates>
</vuln>
<vuln vid="b84dbd94-e894-4c91-b8cd-d328537b1b2b">
<topic>ncurses -- multiple issues</topic>
<affects>
<package>
<name>ncurses</name>
<range><le>6.0</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ncurses developers report:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=1484285">
<p>There are multiple illegal address access issues and an infinite loop issue. Please refer to the CVE list for details.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1484274</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1484276</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1484284</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1484285</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1484287</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1484290</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1484291</url>
<cvename>CVE-2017-13728</cvename>
<cvename>CVE-2017-13729</cvename>
<cvename>CVE-2017-13730</cvename>
<cvename>CVE-2017-13731</cvename>
<cvename>CVE-2017-13732</cvename>
<cvename>CVE-2017-13733</cvename>
<cvename>CVE-2017-13734</cvename>
</references>
<dates>
<discovery>2017-08-29</discovery>
<entry>2017-10-11</entry>
</dates>
</vuln>
<vuln vid="9164f51e-ae20-11e7-a633-009c02a2ab30">
<topic>Python 2.7 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>python27</name>
<range><lt>2.7.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Python reports:</p>
<blockquote cite="https://raw.githubusercontent.com/python/cpython/84471935ed2f62b8c5758fd544c7d37076fe0fa5/Misc/NEWS">
<p>Multiple vulnerabilities have been fixed in Python 2.7.14. Please refer to the CVE list for details.</p>
</blockquote>
</body>
</description>
<references>
<url>https://raw.githubusercontent.com/python/cpython/84471935ed2f62b8c5758fd544c7d37076fe0fa5/Misc/NEWS</url>
<cvename>CVE-2012-0876</cvename>
<cvename>CVE-2016-0718</cvename>
<cvename>CVE-2016-4472</cvename>
<cvename>CVE-2016-5300</cvename>
<cvename>CVE-2016-9063</cvename>
<cvename>CVE-2017-9233</cvename>
</references>
<dates>
<discovery>2017-08-26</discovery>
<entry>2017-10-11</entry>
</dates>
</vuln>
<vuln vid="1257718e-be97-458a-9744-d938b592db42">
<topic>node -- access to unintended files</topic>
<affects>
<package>
<name>node</name>
<range><ge>8.5.0</ge><lt>8.6.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>node developers report:</p>
<blockquote cite="http://www.securityfocus.com/bid/101056">
<p>Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.securityfocus.com/bid/101056</url>
<cvename>CVE-2017-14849</cvename>
</references>
<dates>
<discovery>2017-09-27</discovery>
<entry>2017-10-10</entry>
</dates>
</vuln>
<vuln vid="af61b271-9e47-4db0-a0f6-29fb032236a3">
<topic>zookeeper -- Denial Of Service</topic>
<affects>
<package>
<name>zookeeper</name>
<range><lt>3.4.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>zookeeper developers report:</p>
<blockquote cite="https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E">
<p>Two four letter word commands "wchp/wchc" are CPU intensive and could cause a spike of CPU utilization on an Apache ZooKeeper server if abused, which leaves the server unable to serve legitimate client requests. Apache ZooKeeper through version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.</p>
</blockquote>
</body>
</description>
<references>
<url>https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E</url>
<cvename>CVE-2017-5637</cvename>
</references>
<dates>
<discovery>2017-10-09</discovery>
<entry>2017-10-10</entry>
</dates>
</vuln>
<vuln vid="9b5a905f-e556-452f-a00c-8f070a086181">
<topic>libtiff -- Improper Input Validation</topic>
<affects>
<package>
<name>libtiff</name>
<range><le>4.0.8</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>libtiff developers report:</p>
<blockquote cite="http://www.securityfocus.com/bid/100524">
<p>There is a reachable assertion abort in the function TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.</p>
<p>There is a reachable assertion abort in the function TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.</p>
</blockquote>
</body>
</description>
<references>
<url>http://bugzilla.maptools.org/show_bug.cgi?id=2727</url>
<url>http://bugzilla.maptools.org/show_bug.cgi?id=2728</url>
<url>http://www.securityfocus.com/bid/100524</url>
<cvename>CVE-2017-13726</cvename>
<cvename>CVE-2017-13727</cvename>
</references>
<dates>
<discovery>2017-08-29</discovery>
<entry>2017-10-10</entry>
</dates>
</vuln>
<vuln vid="2c8bd00d-ada2-11e7-82af-8dbff7d75206">
<topic>rubygems -- deserialization vulnerability</topic>
<affects>
<package>
<name>ruby22-gems</name>
<name>ruby23-gems</name>
<name>ruby24-gems</name>
<range><lt>2.6.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>oss-security mailing list:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2017/10/10/2">
<p>There is a possible unsafe object deserialization vulnerability in
RubyGems. It is possible for YAML deserialization of gem specifications
to bypass class white lists. Specially crafted serialized objects can
possibly be used to escalate to remote code execution.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2017/10/10/2</url>
<url>http://blog.rubygems.org/2017/10/09/2.6.14-released.html</url>
<cvename>CVE-2017-0903</cvename>
</references>
<dates>
<discovery>2017-10-09</discovery>
<entry>2017-10-10</entry>
</dates>
</vuln>
<vuln vid="4f8ffb9c-f388-4fbd-b90f-b3131559d888">
<topic>xorg-server -- multiple vulnerabilities</topic>
<affects>
<package>
<name>xephyr</name>
<range><lt>1.18.4_4,1</lt></range>
</package>
<package>
<name>xorg-dmx</name>
<range><lt>1.18.4_4,1</lt></range>
</package>
<package>
<name>xorg-nestserver</name>
<range><lt>1.19.1_1,2</lt></range>
</package>
<package>
<name>xorg-server</name>
<range><lt>1.18.4_4,1</lt></range>
</package>
<package>
<name>xorg-vfbserver</name>
<range><lt>1.19.1_1,1</lt></range>
</package>
<package>
<name>xwayland</name>
<range><lt>1.19.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Alan Coopersmith reports:</p>
<blockquote cite="https://lists.x.org/archives/xorg-announce/2017-October/002809.html">
<p>X.Org thanks Michal Srb of SuSE for finding these issues
and bringing them to our attention, Julien Cristau of
Debian for getting the fixes integrated, and Adam Jackson
of Red Hat for publishing the release.</p>
</blockquote>
</body>
</description>
<references>
<url>https://lists.x.org/archives/xorg-announce/2017-October/002809.html</url>
<cvename>CVE-2017-13721</cvename>
<cvename>CVE-2017-13723</cvename>
</references>
<dates>
<discovery>2017-10-04</discovery>
<entry>2017-10-09</entry>
</dates>
</vuln>
<vuln vid="c0dae634-4820-4505-850d-b1c975d0f67d">
<topic>tomcat -- Remote Code Execution</topic>
<affects>
<package>
<name>tomcat</name>
<range><ge>7.0.0</ge><le>7.0.81</le></range>
<range><ge>8.0.0</ge><le>8.0.46</le></range>
<range><ge>8.5.0</ge><le>8.5.22</le></range>
<range><ge>9.0.0</ge><lt>9.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>tomcat developers report:</p>
<blockquote cite="http://www.securityfocus.com/bid/100954">
<p>When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.securityfocus.com/bid/100954</url>
<url>https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb@%3Cannounce.tomcat.apache.org%3E</url>
<cvename>CVE-2017-12617</cvename>
</references>
<dates>
<discovery>2017-10-04</discovery>
<entry>2017-10-06</entry>
</dates>
</vuln>
<vuln vid="ccace707-a8d8-11e7-ac58-b499baebfeaf">
<topic>cURL -- out of bounds read</topic>
<affects>
<package>
<name>curl</name>
<range><lt>7.56.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The cURL project reports:</p>
<blockquote cite="https://curl.haxx.se/docs/adv_20171004.html">
<p>FTP PWD response parser out of bounds read</p>
<p>libcurl may read outside of a heap allocated buffer when doing FTP.</p>
<p>When libcurl connects to an FTP server and successfully logs in
(anonymous or not), it asks the server for the current directory with
the PWD command. The server then responds with a 257 response containing
the path, inside double quotes. The returned path name is then kept by
libcurl for subsequent uses.</p>
<p>Due to a flaw in the string parser for this directory name, a directory
name passed like this but without a closing double quote would lead to
libcurl not adding a trailing NUL byte to the buffer holding the name.
When libcurl would then later access the string, it could read beyond
the allocated heap buffer and crash or wrongly access data beyond the
buffer, thinking it was part of the path.</p>
<p>A malicious server could abuse this fact and effectively prevent
libcurl-based clients from working with it - the PWD command is always issued
on new FTP connections and the mistake has a high chance of causing a
segfault.</p>
</blockquote>
</body>
</description>
<references>
<url>https://curl.haxx.se/docs/adv_20171004.html</url>
<cvename>CVE-2017-1000254</cvename>
</references>
<dates>
<discovery>2017-10-04</discovery>
<entry>2017-10-04</entry>
</dates>
</vuln>
<vuln vid="6ed5c5e3-a840-11e7-b5af-a4badb2f4699">
<topic>FreeBSD -- OpenSSH Denial of Service vulnerability</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>11.1</ge><lt>11.1_1</lt></range>
<range><ge>11.0</ge><lt>11.0_12</lt></range>
<range><ge>10.3</ge><lt>10.3_21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>There is no limit on the password length.</p>
<h1>Impact:</h1>
<p>A remote attacker may be able to cause an affected SSH
server to use an excessive amount of CPU by sending very long
passwords, when PasswordAuthentication is enabled by the
system administrator.</p>
</body>
</description>
<references>
<cvename>CVE-2016-6515</cvename>
<freebsdsa>SA-17:06.openssh</freebsdsa>
</references>
<dates>
<discovery>2017-08-10</discovery>
<entry>2017-10-03</entry>
</dates>
</vuln>
<vuln vid="420243e9-a840-11e7-b5af-a4badb2f4699">
<topic>FreeBSD -- heimdal KDC-REP service name validation vulnerability</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>11.0</ge><lt>11.0_11</lt></range>
<range><ge>10.3</ge><lt>10.3_20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>There is a programming error in the Heimdal implementation
that used an unauthenticated, plain-text version of the
KDC-REP service name found in a ticket.</p>
<h1>Impact:</h1>
<p>An attacker who has control of the network between a
client and the service it talks to will be able to impersonate
the service, allowing a successful man-in-the-middle (MITM)
attack that circumvents the mutual authentication.</p>
</body>
</description>
<references>
<cvename>CVE-2017-1110</cvename>
<freebsdsa>SA-17:05.heimdal</freebsdsa>
</references>
<dates>
<discovery>2017-07-12</discovery>
<entry>2017-10-03</entry>
</dates>
</vuln>
<vuln vid="b77b5646-a778-11e7-ac58-b499baebfeaf">
<topic>dnsmasq -- multiple vulnerabilities</topic>
<affects>
<package>
<name>dnsmasq</name>
<range><lt>2.78,1</lt></range>
</package>
<package>
<name>dnsmasq-devel</name>
<range><lt>2.78</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Project Zero reports:</p>
<blockquote cite="https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html">
<ul>
<li>CVE-2017-14491: Heap based overflow (2 bytes). Before 2.76 and this
commit overflow was unrestricted.</li>
<li>CVE-2017-14492: Heap based overflow.</li>
<li>CVE-2017-14493: Stack Based overflow.</li>
<li>CVE-2017-14494: Information Leak</li>
<li>CVE-2017-14495: Lack of free()</li>
<li>CVE-2017-14496: Invalid boundary checks. Integer underflow leading
to a huge memcpy.</li>
<li>CVE-2017-13704: Crash on large DNS query</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html</url>
<cvename>CVE-2017-14491</cvename>
<cvename>CVE-2017-14492</cvename>
<cvename>CVE-2017-14493</cvename>
<cvename>CVE-2017-14494</cvename>
<cvename>CVE-2017-14495</cvename>
<cvename>CVE-2017-14496</cvename>
<cvename>CVE-2017-13704</cvename>
</references>
<dates>
<discovery>2017-10-02</discovery>
<entry>2017-10-02</entry>
</dates>
</vuln>
<vuln vid="33888815-631e-4bba-b776-a9b46fe177b5">
<topic>phpmyfaq -- multiple issues</topic>
<affects>
<package>
<name>phpmyfaq</name>
<range><le>2.9.8</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>phpmyfaq developers report:</p>
<blockquote cite="https://www.exploit-db.com/exploits/42761/">
<p>Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the Questions field in an "Add New FAQ" action.</p>
<p>Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the "Title of your FAQ" field in the Configuration Module.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.exploit-db.com/exploits/42761/</url>
<url>https://github.com/thorsten/phpMyFAQ/commit/30b0025e19bd95ba28f4eff4d259671e7bb6bb86</url>
<cvename>CVE-2017-14618</cvename>
<cvename>CVE-2017-14619</cvename>
</references>
<dates>
<discovery>2017-09-20</discovery>
<entry>2017-09-29</entry>
</dates>
</vuln>
<vuln vid="a48d4478-e23f-4085-8ae4-6b3a7b6f016b">
<topic>wordpress -- multiple issues</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.8.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>wordpress developers report:</p>
<blockquote cite="http://www.securityfocus.com/bid/100912">
<p>Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL.</p>
<p>Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name.</p>
<p>Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components.</p>
<p>Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name.</p>
<p>Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename.</p>
<p>Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.</p>
<p>Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.securityfocus.com/bid/100912</url>
<url>https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/</url>
<url>https://core.trac.wordpress.org/changeset/41393</url>
<url>https://core.trac.wordpress.org/changeset/41395</url>
<url>https://core.trac.wordpress.org/changeset/41397</url>
<url>https://core.trac.wordpress.org/changeset/41412</url>
<url>https://core.trac.wordpress.org/changeset/41448</url>
<url>https://core.trac.wordpress.org/changeset/41457</url>
<url>https://wpvulndb.com/vulnerabilities/8911</url>
<url>https://wpvulndb.com/vulnerabilities/8912</url>
<url>https://wpvulndb.com/vulnerabilities/8913</url>
<url>https://wpvulndb.com/vulnerabilities/8914</url>
<cvename>CVE-2017-14718</cvename>
<cvename>CVE-2017-14719</cvename>
<cvename>CVE-2017-14720</cvename>
<cvename>CVE-2017-14721</cvename>
<cvename>CVE-2017-14722</cvename>
<cvename>CVE-2017-14724</cvename>
<cvename>CVE-2017-14726</cvename>
</references>
<dates>
<discovery>2017-09-23</discovery>
<entry>2017-09-29</entry>
</dates>
</vuln>
<vuln vid="1098a15b-b0f6-42b7-b5c7-8a8646e8be07">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>56.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.49.1</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>52.4.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>52.4.0,2</lt></range>
</package>
<package>
<name>libxul</name>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>52.4.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/">
<p>CVE-2017-7793: Use-after-free with Fetch API</p>
<p>CVE-2017-7817: Firefox for Android address bar spoofing through fullscreen mode</p>
<p>CVE-2017-7818: Use-after-free during ARIA array manipulation</p>
<p>CVE-2017-7819: Use-after-free while resizing images in design mode</p>
<p>CVE-2017-7824: Buffer overflow when drawing and validating elements with ANGLE</p>
<p>CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes</p>
<p>CVE-2017-7812: Drag and drop of malicious page content to the tab bar can open locally stored files</p>
<p>CVE-2017-7814: Blob and data URLs bypass phishing and malware protection warnings</p>
<p>CVE-2017-7813: Integer truncation in the JavaScript parser</p>
<p>CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode characters as spaces</p>
<p>CVE-2017-7815: Spoofing attack with modal dialogs on non-e10s installations</p>
<p>CVE-2017-7816: WebExtensions can load about: URLs in extension UI</p>
<p>CVE-2017-7821: WebExtensions can download and open non-executable files without user interaction</p>
<p>CVE-2017-7823: CSP sandbox directive did not create a unique origin</p>
<p>CVE-2017-7822: WebCrypto allows AES-GCM with 0-length IV</p>
<p>CVE-2017-7820: Xray wrapper bypass with new tab and web console</p>
<p>CVE-2017-7811: Memory safety bugs fixed in Firefox 56</p>
<p>CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-7793</cvename>
<cvename>CVE-2017-7805</cvename>
<cvename>CVE-2017-7810</cvename>
<cvename>CVE-2017-7811</cvename>
<cvename>CVE-2017-7812</cvename>
<cvename>CVE-2017-7813</cvename>
<cvename>CVE-2017-7814</cvename>
<cvename>CVE-2017-7815</cvename>
<cvename>CVE-2017-7816</cvename>
<cvename>CVE-2017-7817</cvename>
<cvename>CVE-2017-7818</cvename>
<cvename>CVE-2017-7819</cvename>
<cvename>CVE-2017-7820</cvename>
<cvename>CVE-2017-7821</cvename>
<cvename>CVE-2017-7822</cvename>
<cvename>CVE-2017-7823</cvename>
<cvename>CVE-2017-7824</cvename>
<cvename>CVE-2017-7825</cvename>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/</url>
</references>
<dates>
<discovery>2017-09-28</discovery>
<entry>2017-09-29</entry>
<modified>2017-10-03</modified>
</dates>
</vuln>
<vuln vid="43a1b8f9-3451-4f3c-b4fc-730c0f5876c1">
<topic>sam2p -- multiple issues</topic>
<affects>
<package>
<name>sam2p</name>
<range><lt>0.49.3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>sam2p developers report:</p>
<blockquote cite="https://github.com/pts/sam2p/issues/14">
<p>In sam2p 0.49.3, a heap-based buffer overflow exists in the pcxLoadImage24 function of the file in_pcx.cpp.</p>
<p>In sam2p 0.49.3, the in_xpm_reader function in in_xpm.cpp has an integer signedness error, leading to a crash when writing to an out-of-bounds array element.</p>
<p>In sam2p 0.49.3, an integer overflow exists in the pcxLoadImage24 function of the file in_pcx.cpp, leading to an invalid write operation.</p>
<p>In sam2p 0.49.3, the pcxLoadRaster function in in_pcx.cpp has an integer signedness error leading to a heap-based buffer overflow.</p>
<p>Because of an integer overflow in sam2p 0.49.3, a loop executes 0xffffffff times, ending with an invalid read of size 1 in the Image::Indexed::sortPal function in image.cpp. However, this also causes memory corruption because of an attempted write to the invalid d[0xfffffffe] array element.</p>
<p>In sam2p 0.49.3, there is an invalid read of size 2 in the parse_rgb function in in_xpm.cpp. However, this can also cause a write to an illegal address.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/pts/sam2p/issues/14</url>
<cvename>CVE-2017-14628</cvename>
<cvename>CVE-2017-14629</cvename>
<cvename>CVE-2017-14630</cvename>
<cvename>CVE-2017-14631</cvename>
<cvename>CVE-2017-14636</cvename>
<cvename>CVE-2017-14637</cvename>
</references>
<dates>
<discovery>2017-09-21</discovery>
<entry>2017-09-28</entry>
</dates>
</vuln>
<vuln vid="02bee9ae-c5d1-409b-8a79-983a88861509">
<topic>libraw -- Out-of-bounds Read</topic>
<affects>
<package>
<name>libraw</name>
<range><le>0.18.4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>libraw developers report:</p>
<blockquote cite="https://github.com/LibRaw/LibRaw/commit/d13e8f6d1e987b7491182040a188c16a395f1d21">
<p>In LibRaw through 0.18.4, an out of bounds read flaw related to kodak_65000_load_raw has been reported in dcraw/dcraw.c and internal/dcraw_common.cpp. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/LibRaw/LibRaw/commit/d13e8f6d1e987b7491182040a188c16a395f1d21</url>
<url>https://github.com/LibRaw/LibRaw/issues/101</url>
<cvename>CVE-2017-14608</cvename>
</references>
<dates>
<discovery>2017-09-20</discovery>
<entry>2017-09-28</entry>
</dates>
</vuln>
<vuln vid="3dd6ccf4-a3c6-11e7-a52e-0800279f2ff8">
<topic>OpenVPN -- out-of-bounds write in legacy key-method 1</topic>
<affects>
<package>
<name>openvpn-polarssl</name>
<range><lt>2.3.18</lt></range>
</package>
<package>
<name>openvpn-mbedtls</name>
<range><ge>2.4.0</ge><lt>2.4.4</lt></range>
</package>
<package>
<name>openvpn</name>
<range><ge>2.4.0</ge><lt>2.4.4</lt></range>
<range><lt>2.3.18</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Steffan Karger reports:</p>
<blockquote cite="https://community.openvpn.net/openvpn/wiki/CVE-2017-12166">
<p>The bounds check in read_key() was performed after using the value,
instead of before. If 'key-method 1' is used, this allowed an
attacker to send a malformed packet to trigger a stack buffer
overflow. [...]</p>
<p>Note that 'key-method 1' has been replaced by 'key-method 2' as the
default in OpenVPN 2.0 (released on 2005-04-17), and explicitly
deprecated in 2.4 and marked for removal in 2.5. This should limit
the number of users impacted by this issue.</p>
</blockquote>
</body>
</description>
<references>
<url>https://community.openvpn.net/openvpn/wiki/CVE-2017-12166</url>
<url>https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15492.html</url>
<cvename>CVE-2017-12166</cvename>
</references>
<dates>
<discovery>2017-09-21</discovery>
<entry>2017-09-27</entry>
</dates>
</vuln>
<vuln vid="16fb4f83-a2ab-11e7-9c14-009c02a2ab30">
<topic>ImageMagick -- denial of service via a crafted font file</topic>
<affects>
<package>
<name>ImageMagick7</name>
<range><lt>7.0.7.4</lt></range>
</package>
<package>
<name>ImageMagick7-nox11</name>
<range><lt>7.0.7.4</lt></range>
</package>
<package>
<name>ImageMagick</name>
<range><le>6.9.8.9_1</le></range>
</package>
<package>
<name>ImageMagick-nox11</name>
<range><le>6.9.8.9_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14741">
<p>The ReadCAPTIONImage function in coders/caption.c in ImageMagick allows remote attackers to cause a denial of service (infinite loop) via a crafted font file.</p>
</blockquote>
</body>
</description>
<references>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14741</url>
<url>https://github.com/ImageMagick/ImageMagick/issues/771</url>
<url>https://github.com/ImageMagick/ImageMagick/commit/7d8e14899c562157c7760a77fc91625a27cb596f</url>
<url>https://github.com/ImageMagick/ImageMagick/commit/bb11d07139efe0f5e4ce0e4afda32abdbe82fa9d</url>
<cvename>CVE-2017-14741</cvename>
</references>
<dates>
<discovery>2017-09-21</discovery>
<entry>2017-09-26</entry>
</dates>
</vuln>
<vuln vid="58fafead-cd13-472f-a9bd-d0173ba1b04c">
<topic>libofx -- exploitable buffer overflow</topic>
<affects>
<package>
<name>libofx</name>
<range><le>0.9.11_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Talos developers report:</p>
<blockquote cite="http://www.securityfocus.com/bid/100828">
<p>An exploitable buffer overflow vulnerability exists in the tag parsing functionality of LibOFX 0.9.11. A specially crafted OFX file can cause a write out of bounds resulting in a buffer overflow on the stack. An attacker can construct a malicious OFX file to trigger this vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.securityfocus.com/bid/100828</url>
<url>https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0317</url>
<cvename>CVE-2017-2816</cvename>
</references>
<dates>
<discovery>2017-09-13</discovery>
<entry>2017-09-27</entry>
</dates>
</vuln>
<vuln vid="3b776502-f601-44e0-87cd-b63f1b9ae42a">
<topic>sugarcrm -- multiple vulnerabilities</topic>
<affects>
<package>
<name>sugarcrm</name>
<range><le>6.5.26</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>sugarcrm developers report:</p>
<blockquote cite="https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/">
<p>An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Several areas have been identified in the Documents and Emails module that could allow an authenticated user to perform SQL injection, as demonstrated by a backslash character at the end of a bean_id to modules/Emails/DetailView.php. An attacker could exploit these vulnerabilities by sending a crafted SQL request to the affected areas. An exploit could allow the attacker to modify the SQL database. Proper SQL escaping has been added to prevent such exploits.</p>
<p>An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). A remote file inclusion has been identified in the Connectors module allowing authenticated users to include remotely accessible system files via a query string. Proper input validation has been added to mitigate this issue.</p>
<p>An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). The WebToLeadCapture functionality is found vulnerable to unauthenticated cross-site scripting (XSS) attacks. This attack vector is mitigated by properly validating the redirect URL values being passed along.</p>
</blockquote>
</body>
</description>
<references>
<url>https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/</url>
<url>https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-006/</url>
<url>https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-007/</url>
<url>https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-008/</url>
<cvename>CVE-2017-14508</cvename>
<cvename>CVE-2017-14509</cvename>
<cvename>CVE-2017-14510</cvename>
</references>
<dates>
<discovery>2017-09-17</discovery>
<entry>2017-09-26</entry>
</dates>
</vuln>
<vuln vid="b2952517-07e5-4d19-8850-21c5b7e0623f">
<topic>libzip -- denial of service</topic>
<affects>
<package>
<name>libzip</name>
<range><lt>1.1.13_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>libzip developers report:</p>
<blockquote cite="https://blogs.gentoo.org/ago/2017/09/01/libzip-memory-allocation-failure-in-_zip_cdir_grow-zip_dirent-c/">
<p>The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0 mishandles EOCD records, which allows remote attackers to cause a denial of service (memory allocation failure in _zip_cdir_grow in zip_dirent.c) via a crafted ZIP archive.</p>
</blockquote>
</body>
</description>
<references>
<url>https://blogs.gentoo.org/ago/2017/09/01/libzip-memory-allocation-failure-in-_zip_cdir_grow-zip_dirent-c/</url>
<url>https://github.com/nih-at/libzip/commit/9b46957ec98d85a572e9ef98301247f39338a3b5</url>
<cvename>CVE-2017-14107</cvename>
</references>
<dates>
<discovery>2017-09-01</discovery>
<entry>2017-09-27</entry>
</dates>
</vuln>
<vuln vid="10214bda-0902-4e3b-a2f9-9a68ef206a73">
<topic>libbson -- Denial of Service</topic>
<affects>
<package>
<name>libbson</name>
<range><lt>1.8.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>mongodb developers report:</p>
<blockquote cite="http://www.securityfocus.com/bid/100825">
<p>In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-iter.c miscalculates a bson_utf8_validate length argument, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the bson_utf8_validate function in bson-utf8.c), as demonstrated by bson-to-json.c.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.securityfocus.com/bid/100825</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1489355</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1489356</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1489362</url>
<cvename>CVE-2017-14227</cvename>
</references>
<dates>
<discovery>2017-09-09</discovery>
<entry>2017-09-26</entry>
</dates>
</vuln>
<vuln vid="eb03d642-6724-472d-b038-f2bf074e1fc8">
<topic>tcpdump -- multiple vulnerabilities</topic>
<affects>
<package>
<name>tcpdump</name>
<range><lt>4.9.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>tcpdump developers report:</p>
<blockquote cite="http://www.tcpdump.org/tcpdump-changes.txt">
<p>Too many issues to detail, see CVE references for details.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-11541</cvename>
<cvename>CVE-2017-11542</cvename>
<cvename>CVE-2017-11543</cvename>
<cvename>CVE-2017-12893</cvename>
<cvename>CVE-2017-12894</cvename>
<cvename>CVE-2017-12895</cvename>
<cvename>CVE-2017-12896</cvename>
<cvename>CVE-2017-12897</cvename>
<cvename>CVE-2017-12898</cvename>
<cvename>CVE-2017-12899</cvename>
<cvename>CVE-2017-12900</cvename>
<cvename>CVE-2017-12901</cvename>
<cvename>CVE-2017-12902</cvename>
<cvename>CVE-2017-12985</cvename>
<cvename>CVE-2017-12986</cvename>
<cvename>CVE-2017-12987</cvename>
<cvename>CVE-2017-12988</cvename>
<cvename>CVE-2017-12989</cvename>
<cvename>CVE-2017-12990</cvename>
<cvename>CVE-2017-12991</cvename>
<cvename>CVE-2017-12992</cvename>
<cvename>CVE-2017-12993</cvename>
<cvename>CVE-2017-12994</cvename>
<cvename>CVE-2017-12995</cvename>
<cvename>CVE-2017-12996</cvename>
<cvename>CVE-2017-12997</cvename>
<cvename>CVE-2017-12998</cvename>
<cvename>CVE-2017-12999</cvename>
<cvename>CVE-2017-13000</cvename>
<cvename>CVE-2017-13001</cvename>
<cvename>CVE-2017-13002</cvename>
<cvename>CVE-2017-13003</cvename>
<cvename>CVE-2017-13004</cvename>
<cvename>CVE-2017-13005</cvename>
<cvename>CVE-2017-13006</cvename>
<cvename>CVE-2017-13007</cvename>
<cvename>CVE-2017-13008</cvename>
<cvename>CVE-2017-13009</cvename>
<cvename>CVE-2017-13010</cvename>
<cvename>CVE-2017-13011</cvename>
<cvename>CVE-2017-13012</cvename>
<cvename>CVE-2017-13013</cvename>
<cvename>CVE-2017-13014</cvename>
<cvename>CVE-2017-13015</cvename>
<cvename>CVE-2017-13016</cvename>
<cvename>CVE-2017-13017</cvename>
<cvename>CVE-2017-13018</cvename>
<cvename>CVE-2017-13019</cvename>
<cvename>CVE-2017-13020</cvename>
<cvename>CVE-2017-13021</cvename>
<cvename>CVE-2017-13022</cvename>
<cvename>CVE-2017-13023</cvename>
<cvename>CVE-2017-13024</cvename>
<cvename>CVE-2017-13025</cvename>
<cvename>CVE-2017-13026</cvename>
<cvename>CVE-2017-13027</cvename>
<cvename>CVE-2017-13028</cvename>
<cvename>CVE-2017-13029</cvename>
<cvename>CVE-2017-13030</cvename>
<cvename>CVE-2017-13031</cvename>
<cvename>CVE-2017-13032</cvename>
<cvename>CVE-2017-13033</cvename>
<cvename>CVE-2017-13034</cvename>
<cvename>CVE-2017-13035</cvename>
<cvename>CVE-2017-13036</cvename>
<cvename>CVE-2017-13037</cvename>
<cvename>CVE-2017-13038</cvename>
<cvename>CVE-2017-13039</cvename>
<cvename>CVE-2017-13040</cvename>
<cvename>CVE-2017-13041</cvename>
<cvename>CVE-2017-13042</cvename>
<cvename>CVE-2017-13043</cvename>
<cvename>CVE-2017-13044</cvename>
<cvename>CVE-2017-13045</cvename>
<cvename>CVE-2017-13046</cvename>
<cvename>CVE-2017-13047</cvename>
<cvename>CVE-2017-13048</cvename>
<cvename>CVE-2017-13049</cvename>
<cvename>CVE-2017-13050</cvename>
<cvename>CVE-2017-13051</cvename>
<cvename>CVE-2017-13052</cvename>
<cvename>CVE-2017-13053</cvename>
<cvename>CVE-2017-13054</cvename>
<cvename>CVE-2017-13055</cvename>
<cvename>CVE-2017-13687</cvename>
<cvename>CVE-2017-13688</cvename>
<cvename>CVE-2017-13689</cvename>
<cvename>CVE-2017-13690</cvename>
<cvename>CVE-2017-13725</cvename>
</references>
<dates>
<discovery>2017-07-22</discovery>
<entry>2017-09-26</entry>
</dates>
</vuln>
<vuln vid="d9f96741-47bd-4426-9aba-8736c0971b24">
<topic>libraw -- buffer overflow</topic>
<affects>
<package>
<name>libraw</name>
<range><lt>0.18.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>libraw developers report:</p>
<blockquote cite="http://www.securityfocus.com/bid/100866">
<p>LibRaw before 0.18.4 has a heap-based Buffer Overflow in the processCanonCameraInfo function via a crafted file.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.securityfocus.com/bid/100866</url>
<url>https://github.com/LibRaw/LibRaw/issues/100</url>
<cvename>CVE-2017-14348</cvename>
</references>
<dates>
<discovery>2017-09-12</discovery>
<entry>2017-09-26</entry>
</dates>
</vuln>
<vuln vid="4cd857d9-26d2-4417-b765-69701938f9e0">
<topic>libraw -- denial of service and remote code execution</topic>
<affects>
<package>
<name>libraw</name>
<range><lt>0.18.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>libraw developers report:</p>
<blockquote cite="https://github.com/LibRaw/LibRaw/issues/99">
<p>A Stack-based Buffer Overflow was discovered in xtrans_interpolate in internal/dcraw_common.cpp in LibRaw before 0.18.3. It could allow a remote denial of service or code execution attack.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/LibRaw/LibRaw/issues/99</url>
<cvename>CVE-2017-14265</cvename>
</references>
<dates>
<discovery>2017-09-11</discovery>
<entry>2017-09-26</entry>
</dates>
</vuln>
<vuln vid="a60a2e95-acba-4b11-bc32-ffb47364e07d">
<topic>libgd -- Denial of service via double free</topic>
<affects>
<package>
<name>libgd</name>
<range><lt>2.2.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>libgd developers report:</p>
<blockquote cite="http://www.debian.org/security/2017/dsa-3961">
<p>Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.debian.org/security/2017/dsa-3961</url>
<url>https://github.com/libgd/libgd/issues/381</url>
<url>https://github.com/libgd/libgd/releases/tag/gd-2.2.5</url>
<url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N2BLXX7KNRE7ZVQAKGTHHWS33CUCXVUP/</url>
<cvename>CVE-2017-6362</cvename>
</references>
<dates>
<discovery>2017-09-07</discovery>
<entry>2017-09-26</entry>
</dates>
</vuln>
<vuln vid="5033e2fc-98ec-4ef5-8e0b-87cfbbc73081">
<topic>php-gd and gd -- Buffer over-read into uninitialized memory</topic>
<affects>
<package>
<name>libgd</name>
<range><lt>2.2.5</lt></range>
</package>
<package>
<name>php70-gd</name>
<range><lt>7.0.21</lt></range>
</package>
<package>
<name>php71-gd</name>
<range><lt>7.1.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP developers report:</p>
<blockquote cite="https://bugs.php.net/bug.php?id=74435">
<p>The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.php.net/bug.php?id=74435</url>
<cvename>CVE-2017-7890</cvename>
</references>
<dates>
<discovery>2017-08-02</discovery>
<entry>2017-09-26</entry>
</dates>
</vuln>
<vuln vid="d843a984-7f22-484f-ba81-483ddbe30dc3">
<topic>ledger -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ledger</name>
<range><le>3.1.1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Talos reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/100543">
<p>An exploitable buffer overflow vulnerability exists in the tag parsing functionality of Ledger-CLI 3.1.1. A specially crafted journal file can cause an integer underflow resulting in code execution. An attacker can construct a malicious journal file to trigger this vulnerability.</p>
<p>An exploitable use-after-free vulnerability exists in the account parsing component of the Ledger-CLI 3.1.1. A specially crafted ledger file can cause a use-after-free vulnerability resulting in arbitrary code execution. An attacker can convince a user to load a journal file to trigger this vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.securityfocus.com/bid/100543</url>
<url>https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0303</url>
<url>http://www.securityfocus.com/bid/100546</url>
<url>https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0304</url>
<cvename>CVE-2017-2808</cvename>
<cvename>CVE-2017-2807</cvename>
</references>
<dates>
<discovery>2017-09-05</discovery>
<entry>2017-09-26</entry>
</dates>
</vuln>
<vuln vid="7801b1e1-99b4-42ac-ab22-7646235e7c16">
<topic>aacplusenc -- denial of service</topic>
<affects>
<package>
<name>aacplusenc</name>
<range><le>0.17.5_2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gentoo developers report:</p>
<blockquote cite="https://blogs.gentoo.org/ago/2017/09/07/aacplusenc-null-pointer-dereference-in-deletebitbuffer-bitbuffer-c/">
<p>DeleteBitBuffer in libbitbuf/bitbuffer.c in mp4tools aacplusenc 0.17.5 allows remote attackers to cause a denial of service (invalid memory write, SEGV on unknown address 0x000000000030, and application crash) or possibly have unspecified other impact via a crafted .wav file, aka a NULL pointer dereference.</p>
</blockquote>
</body>
</description>
<references>
<url>https://blogs.gentoo.org/ago/2017/09/07/aacplusenc-null-pointer-dereference-in-deletebitbuffer-bitbuffer-c/</url>
<url>https://github.com/teknoraver/aacplusenc/issues/1</url>
<cvename>CVE-2017-14181</cvename>
</references>
<dates>
<discovery>2017-09-07</discovery>
<entry>2017-09-25</entry>
</dates>
</vuln>
<vuln vid="478d4102-2319-4026-b3b2-a57c48f159ac">
<topic>ansible -- information disclosure flaw</topic>
<affects>
<package>
<name>ansible</name>
<range><le>2.2.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ansible developers report:</p>
<blockquote cite="https://github.com/ansible/ansible/issues/22505">
<p>Ansible versions 2.2.3 and earlier are vulnerable to an information disclosure flaw due to the interaction of call back plugins and the no_log directive where the information may not be sanitized properly.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/ansible/ansible/issues/22505</url>
<cvename>CVE-2017-7473</cvename>
</references>
<dates>
<discovery>2017-07-21</discovery>
<entry>2017-09-25</entry>
</dates>
</vuln>
<vuln vid="b63421b6-a1e0-11e7-ac58-b499baebfeaf">
<topic>weechat -- crash in logger plugin</topic>
<affects>
<package>
<name>weechat</name>
<range><lt>1.9.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>WeeChat reports:</p>
<blockquote cite="https://weechat.org/news/98/20170923-Version-1.9.1-security-release/">
<p>security problem: a crash can happen in logger plugin when
converting date/time specifiers in file mask.</p>
</blockquote>
</body>
</description>
<references>
<url>https://weechat.org/news/98/20170923-Version-1.9.1-security-release/</url>
<cvename>CVE-2017-14727</cvename>
</references>
<dates>
<discovery>2017-09-23</discovery>
<entry>2017-09-25</entry>
</dates>
</vuln>
<vuln vid="d9e82328-a129-11e7-987e-4f174049b30a">
<topic>perl -- multiple vulnerabilities</topic>
<affects>
<package>
<name>perl5</name>
<range><ge>5.24.0</ge><lt>5.24.3</lt></range>
<range><ge>5.26.0</ge><lt>5.26.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Perl 5.26.1 perldelta reports:</p>
<blockquote cite="https://metacpan.org/changes/release/SHAY/perl-5.26.1#Security">
<p>CVE-2017-12814: $ENV{$key} stack buffer overflow on Windows</p>
<p>A possible stack buffer overflow in the %ENV code on Windows has been
fixed by removing the buffer completely since it was superfluous anyway.</p>
<p>CVE-2017-12837: Heap buffer overflow in regular expression compiler</p>
<p>Compiling certain regular expression patterns with the case-insensitive
modifier could cause a heap buffer overflow and crash perl. This has now
been fixed.</p>
<p>CVE-2017-12883: Buffer over-read in regular expression parser</p>
<p>For certain types of syntax error in a regular expression pattern, the
error message could either contain the contents of a random, possibly
large, chunk of memory, or could crash perl. This has now been fixed.</p>
</blockquote>
</body>
</description>
<references>
<url>https://metacpan.org/changes/release/SHAY/perl-5.24.3</url>
<url>https://metacpan.org/changes/release/SHAY/perl-5.26.1</url>
<cvename>CVE-2017-12814</cvename>
<cvename>CVE-2017-12837</cvename>
<cvename>CVE-2017-12883</cvename>
</references>
<dates>
<discovery>2017-09-19</discovery>
<entry>2017-09-24</entry>
</dates>
</vuln>
<vuln vid="917e5519-9fdd-11e7-8b58-e8e0b747a45a">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>61.0.3163.100</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/09/stable-channel-update-for-desktop_21.html">
<p>3 security fixes in this release, including:</p>
<ul>
<li>[765433] High CVE-2017-5121: Out-of-bounds access in V8. Reported by
Jordan Rabet, Microsoft Offensive Security Research and Microsoft
ChakraCore team on 2017-09-14</li>
<li>[752423] High CVE-2017-5122: Out-of-bounds access in V8. Reported by
Choongwoo Han of Naver Corporation on 2017-08-04</li>
<li>[767508] Various fixes from internal audits, fuzzing and other initiatives</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5121</cvename>
<cvename>CVE-2017-5122</cvename>
<url>https://chromereleases.googleblog.com/2017/09/stable-channel-update-for-desktop_21.html</url>
</references>
<dates>
<discovery>2017-09-21</discovery>
<entry>2017-09-22</entry>
</dates>
</vuln>
<vuln vid="c2ea3b31-9d75-11e7-bb13-001999f8d30b">
<topic>asterisk -- RTP/RTCP information leak</topic>
<affects>
<package>
<name>asterisk11</name>
<range><lt>11.25.3</lt></range>
</package>
<package>
<name>asterisk13</name>
<range><lt>13.17.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>This is a follow up advisory to AST-2017-005.</p>
<p>Insufficient RTCP packet validation could allow reading
stale buffer contents and when combined with the "nat"
and "symmetric_rtp" options allow redirecting where
Asterisk sends the next RTCP report.</p>
<p>The RTP stream qualification to learn the source address
of media always accepted the first RTP packet as the new
source and allowed what AST-2017-005 was mitigating. The
intent was to qualify a series of packets before accepting
the new source address.</p>
<p>The RTP/RTCP stack will now validate RTCP packets before processing them.</p>
</blockquote>
</body>
</description>
<references>
<url>https://downloads.asterisk.org/pub/security/AST-2017-008.html</url>
<cvename>CVE-2017-14099</cvename>
</references>
<dates>
<discovery>2017-09-01</discovery>
<entry>2017-09-19</entry>
</dates>
</vuln>
<vuln vid="95b01379-9d52-11e7-a25c-471bafc3262f">
<topic>ruby -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ruby</name>
<range><ge>2.2.0</ge><lt>2.2.8</lt></range>
<range><ge>2.3.0</ge><lt>2.3.5</lt></range>
<range><ge>2.4.0</ge><lt>2.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby blog:</p>
<blockquote cite="https://www.ruby-lang.org/en/security/">
<p>CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf</p>
<p>If a malicious format string which contains a precision specifier (*)
is passed and a huge negative value is also passed to the specifier,
a buffer underrun may be caused. In such a situation, the result may
contain heap contents, or the Ruby interpreter may crash.</p>
<p>CVE-2017-10784: Escape sequence injection vulnerability in the Basic
authentication of WEBrick</p>
<p>When using the Basic authentication of WEBrick, clients can pass an
arbitrary string as the user name. WEBrick outputs the passed user name
intact to its log, so an attacker can inject malicious escape
sequences into the log, and dangerous control characters may be executed
on a victim's terminal emulator.</p>
<p>This vulnerability is similar to a vulnerability already fixed, but
it had not been fixed in the Basic authentication.</p>
<p>CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode</p>
<p>If a malicious string is passed to the decode method of OpenSSL::ASN1,
buffer underrun may be caused and the Ruby interpreter may crash.</p>
<p>CVE-2017-14064: Heap exposure vulnerability in generating JSON</p>
<p>The generate method of JSON module optionally accepts an instance of
JSON::Ext::Generator::State class. If a malicious instance is passed,
the result may include contents of heap.</p>
</blockquote>
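<p>The WEBrick log-injection issue above is an instance of a general problem: attacker-controlled text written unescaped into a log that is later viewed in a terminal. The following Python snippet is an added example, not code from WEBrick, Ruby or this advisory; it sanitises a Basic-auth user name before logging it and gives a simple check for raw escape bytes that survived into a line. The log format, function names and the sample user name are constructed for the illustration.</p>
<pre>
```python
"""Illustrative log sanitisation (added example, not WEBrick's or Ruby's code).

The WEBrick issue is the general problem of writing attacker-controlled text
(here a Basic-auth user name) into a log that someone later views in a terminal.
Escaping every control character before the line is written removes the ability
to smuggle ANSI escape sequences into the log.
"""
import re

# Anything outside printable ASCII (space..~), plus DEL. ESC (0x1b) is what ANSI
# sequences start with, but all C0 controls are neutralised, not just ESC.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(text):
    """Replace each control character with a visible \\xNN escape."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), text)


def auth_log_line(client_ip, user_name, status):
    """Format one access-log line (assumed format) with the user name sanitised."""
    return "%s - %s [auth] %d" % (client_ip, sanitize_for_log(user_name), status)


def contains_escape_sequence(line):
    """Detection helper: True if a raw ESC byte is present in the line."""
    return "\x1b" in line


# Constructed sample: a Basic-auth user name carrying an ANSI sequence that would
# clear the viewer's screen and then print a fake shell prompt.
HOSTILE_USER = "alice\x1b[2J\x1b[H$ "

if __name__ == "__main__":
    print(auth_log_line("203.0.113.5", HOSTILE_USER, 401))
```
</pre>
<p>The same helper can be run over an existing log to find lines that were written before the fix: any line for which contains_escape_sequence returns True still carries a raw ESC byte and should not be viewed with a terminal pager.</p>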
</body>
</description>
<references>
<url>https://www.ruby-lang.org/en/security/</url>
<url>https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/</url>
<url>https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/</url>
<url>https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/</url>
<url>https://www.ruby-lang.org/en/news/2017/09/14/json-heap-exposure-cve-2017-14064/</url>
<cvename>CVE-2017-0898</cvename>
<cvename>CVE-2017-10784</cvename>
<cvename>CVE-2017-14033</cvename>
<cvename>CVE-2017-14064</cvename>
</references>
<dates>
<discovery>2017-09-14</discovery>
<entry>2017-09-19</entry>
</dates>
</vuln>
<vuln vid="2bffdf2f-9d45-11e7-a25c-471bafc3262f">
<topic>rubygem-geminabox -- XSS & CSRF vulnerabilities</topic>
<affects>
<package>
<name>rubygem-geminabox</name>
<range><lt>0.13.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gem in a Box XSS vulnerability (CVE-2017-14506):</p>
<blockquote cite="https://baraktawily.blogspot.com/2017/09/gem-in-box-xss-vulenrability-cve-2017.html">
<p>A malicious attacker creates a GEM file with a crafted homepage value
(gem.homepage in the .gemspec file) that includes an XSS payload.</p>
<p>The attacker accesses the geminabox system and uploads the gem file
(or uses a CSRF/SSRF attack to do so).</p>
<p>From now on, any user accessing the Geminabox web server executes the
malicious XSS payload, which will delete any gems on the server
and won't let users use geminabox anymore (make the victim's
browser crash or redirect them to other hosts).</p>
</blockquote>
</body>
</description>
<references>
<url>https://baraktawily.blogspot.com/2017/09/gem-in-box-xss-vulenrability-cve-2017.html</url>
<cvename>CVE-2017-14506</cvename>
<cvename>CVE-2017-14683</cvename>
</references>
<dates>
<discovery>2017-09-18</discovery>
<entry>2017-09-19</entry>
<modified>2017-09-27</modified>
</dates>
</vuln>
<vuln vid="76b085e2-9d33-11e7-9260-000c292ee6b8">
<topic>Apache -- HTTP OPTIONS method can leak server memory</topic>
<affects>
<package>
<name>apache24</name>
<range><lt>2.4.27_1</lt></range>
</package>
<package>
<name>apache22</name>
<range><lt>2.2.34_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Fuzzing Project reports:</p>
<blockquote cite="https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html">
<p>Apache httpd allows remote attackers to read secret data from
process memory if the Limit directive can be set in a user's
.htaccess file, or if httpd.conf has certain misconfigurations,
aka Optionsbleed. This affects the Apache HTTP Server through
2.2.34 and 2.4.x through 2.4.27. The attacker sends an
unauthenticated OPTIONS HTTP request when attempting to read
secret data. This is a use-after-free issue and thus secret data
is not always sent, and the specific data depends on many factors
including configuration. Exploitation with .htaccess can be
blocked with a patch to the ap_limit_section function in
server/core.c.</p>
</blockquote>
</body>
</description>
<references>
<url>https://nvd.nist.gov/vuln/detail/CVE-2017-9798</url>
<cvename>CVE-2017-9798</cvename>
</references>
<dates>
<discovery>2017-09-18</discovery>
<entry>2017-09-19</entry>
</dates>
</vuln>
<vuln vid="6a177c87-9933-11e7-93f7-d43d7e971a1b">
<topic>GitLab -- multiple vulnerabilities</topic>
<affects>
<package>
<name>gitlab</name>
<range><ge>1.0.0</ge><le>9.3.10</le></range>
<range><ge>9.4.0</ge><le>9.4.5</le></range>
<range><ge>9.5.0</ge><le>9.5.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GitLab reports:</p>
<blockquote cite="https://about.gitlab.com/2017/09/07/gitlab-9-dot-5-dot-4-security-release/">
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<url>https://about.gitlab.com/2017/09/07/gitlab-9-dot-5-dot-4-security-release/</url>
<cvename>CVE-2017-5029</cvename>
<cvename>CVE-2016-4738</cvename>
</references>
<dates>
<discovery>2017-09-07</discovery>
<entry>2017-09-14</entry>
</dates>
</vuln>
<vuln vid="531aae08-97f0-11e7-aadd-6451062f0f7a">
<topic>Flash Player -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplayer</name>
<range><lt>27.0.0.130</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb17-28.html">
<ul>
<li>These updates resolve memory corruption vulnerabilities that
could lead to remote code execution (CVE-2017-11281,
CVE-2017-11282).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-11281</cvename>
<cvename>CVE-2017-11282</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb17-28.html</url>
</references>
<dates>
<discovery>2017-09-12</discovery>
<entry>2017-09-12</entry>
</dates>
</vuln>
<vuln vid="47e2e52c-975c-11e7-942d-5404a68a61a2">
<topic>emacs -- enriched text remote code execution vulnerability</topic>
<affects>
<package>
<name>emacs25</name>
<name>emacs-nox11</name>
<range><lt>25.3,3</lt></range>
</package>
<package>
<name>emacs-devel</name>
<range><lt>26.0.50.20170912,2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Paul Eggert reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2017/q3/422">
<p>Charles A. Roelli has found a security flaw in the enriched mode in GNU Emacs.</p>
<p>When Emacs renders MIME text/enriched data (Internet RFC 1896), it
is vulnerable to arbitrary code execution. Since Emacs-based mail
clients decode "Content-Type: text/enriched", this code is exploitable
remotely. This bug affects GNU Emacs versions 19.29 through 25.2.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2017/q3/422</url>
<url>https://bugs.gnu.org/28350</url>
</references>
<dates>
<discovery>2017-09-04</discovery>
<entry>2017-09-12</entry>
<modified>2017-09-13</modified>
</dates>
</vuln>
<vuln vid="f9f76a50-9642-11e7-ab09-080027b00c2e">
<topic>cyrus-imapd -- broken "other users" behaviour</topic>
<affects>
<package>
<name>cyrus-imapd30</name>
<range><ge>3.0.0</ge><lt>3.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Cyrus IMAP 3.0.4 Release Notes state:</p>
<blockquote cite="https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.4.html">
<p>Fixed Issue #2132: Broken "Other Users" behaviour</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-14230</cvename>
<url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14230</url>
</references>
<dates>
<discovery>2017-09-07</discovery>
<entry>2017-09-10</entry>
</dates>
</vuln>
<vuln vid="aaab03be-932d-11e7-92d8-4b26fc968492">
<topic>Django -- possible XSS in traceback section of technical 500 debug page</topic>
<affects>
<package>
<name>py27-django110</name>
<name>py34-django110</name>
<name>py35-django110</name>
<name>py36-django110</name>
<range><lt>1.10.8</lt></range>
</package>
<package>
<name>py27-django111</name>
<name>py34-django111</name>
<name>py35-django111</name>
<name>py36-django111</name>
<range><lt>1.11.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Django blog:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2017/sep/05/security-releases/">
<p>In older versions, HTML autoescaping was disabled in a portion of the template
for the technical 500 debug page. Given the right circumstances, this allowed a
cross-site scripting attack. This vulnerability shouldn't affect most production
sites since you shouldn't run with DEBUG = True (which makes this page accessible)
in your production settings.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-12794</cvename>
<url>https://www.djangoproject.com/weblog/2017/sep/05/security-releases/</url>
</references>
<dates>
<discovery>2017-09-05</discovery>
<entry>2017-09-06</entry>
</dates>
</vuln>
<vuln vid="e1100e63-92f7-11e7-bd95-e8e0b747a45a">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>61.0.3163.79</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/09/stable-channel-update-for-desktop.html">
<p>22 security fixes in this release, including:</p>
<ul>
<li>[737023] High CVE-2017-5111: Use after free in PDFium. Reported by
Luat Nguyen on KeenLab, Tencent on 2017-06-27</li>
<li>[740603] High CVE-2017-5112: Heap buffer overflow in WebGL. Reported by
Tobias Klein on 2017-07-10</li>
<li>[747043] High CVE-2017-5113: Heap buffer overflow in Skia. Reported by
Anonymous on 2017-07-20</li>
<li>[752829] High CVE-2017-5114: Memory lifecycle issue in PDFium. Reported by
Ke Liu of Tencent's Xuanwu LAB on 2017-08-07</li>
<li>[744584] High CVE-2017-5115: Type confusion in V8. Reported by
Marco Giovannini on 2017-07-17</li>
<li>[759624] High CVE-2017-5116: Type confusion in V8. Reported by
Anonymous on 2017-08-28</li>
<li>[739190] Medium CVE-2017-5117: Use of uninitialized value in Skia. Reported by
Tobias Klein on 2017-07-04</li>
<li>[747847] Medium CVE-2017-5118: Bypass of Content Security Policy in Blink. Reported by
WenXu Wu of Tencent's Xuanwu Lab on 2017-07-24</li>
<li>[725127] Medium CVE-2017-5119: Use of uninitialized value in Skia. Reported by
Anonymous on 2017-05-22</li>
<li>[718676] Low CVE-2017-5120: Potential HTTPS downgrade during redirect navigation. Reported by
Xiaoyin Liu on 2017-05-05</li>
<li>[762099] Various fixes from internal audits, fuzzing and other initiatives</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5111</cvename>
<cvename>CVE-2017-5112</cvename>
<cvename>CVE-2017-5113</cvename>
<cvename>CVE-2017-5114</cvename>
<cvename>CVE-2017-5115</cvename>
<cvename>CVE-2017-5116</cvename>
<cvename>CVE-2017-5117</cvename>
<cvename>CVE-2017-5118</cvename>
<cvename>CVE-2017-5119</cvename>
<cvename>CVE-2017-5120</cvename>
<url>https://chromereleases.googleblog.com/2017/09/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2017-09-05</discovery>
<entry>2017-09-06</entry>
</dates>
</vuln>
<vuln vid="44101b31-8ffd-11e7-b5af-a4badb2f4699">
<cancelled/>
</vuln>
<vuln vid="5a1f1a86-8f4c-11e7-b5af-a4badb2f4699">
<topic>gdk-pixbuf -- multiple vulnerabilities</topic>
<affects>
<package>
<name>gtk-pixbuf2</name>
<range><lt>2.36.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>TALOS reports:</p>
<blockquote cite="http://blog.talosintelligence.com/2017/08/vuln-spotlight-multiple-gdk.html">
<ul>
<li><p>An exploitable integer overflow vulnerability exists in
the tiff_image_parse functionality.</p></li>
<li><p>An exploitable heap-overflow vulnerability exists in
the gdk_pixbuf__jpeg_image_load_increment functionality.</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://blog.talosintelligence.com/2017/08/vuln-spotlight-multiple-gdk.html</url>
<cvename>CVE-2017-2862</cvename>
<cvename>CVE-2017-2870</cvename>
</references>
<dates>
<discovery>2017-08-30</discovery>
<entry>2017-09-01</entry>
</dates>
</vuln>
<vuln vid="ec1df2a1-8ee6-11e7-8be8-001999f8d30b">
<topic>asterisk -- Remote Crash Vulnerability in res_pjsip</topic>
<affects>
<package>
<name>asterisk13</name>
<range><lt>13.17.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>A carefully crafted URI in a From, To or Contact header could cause Asterisk to crash.</p>
</blockquote>
</body>
</description>
<references>
<url>https://downloads.asterisk.org/pub/security/AST-2017-007.html</url>
<cvename>CVE-2017-14098</cvename>
</references>
<dates>
<discovery>2017-08-31</discovery>
<entry>2017-09-01</entry>
</dates>
</vuln>
<vuln vid="c599f95c-8ee5-11e7-8be8-001999f8d30b">
<topic>asterisk -- Unauthorized data disclosure and shell access command injection in app_minivm</topic>
<affects>
<package>
<name>asterisk11</name>
<range><lt>11.25.2</lt></range>
</package>
<package>
<name>asterisk13</name>
<range><lt>13.17.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>AST-2017-005 - A change was made to the strict RTP
support in the RTP stack to better tolerate late media
when a reinvite occurs. When combined with the symmetric
RTP support this introduced an avenue where media could
be hijacked. Instead of only learning a new address when
expected, the new code allowed a new source address to be
learned at all times.</p>
<p>AST-2017-006 - The app_minivm module has an "externnotify"
program configuration option that is executed by the
MinivmNotify dialplan application. The application uses
the caller-id name and number as part of a built string
passed to the OS shell for interpretation and execution.
Since the caller-id name and number can come from an
untrusted source, a crafted caller-id name or number
allows an arbitrary shell command injection.</p>
</blockquote>
</body>
</description>
<references>
<url>https://downloads.asterisk.org/pub/security/AST-2017-005.html</url>
<cvename>CVE-2017-14099</cvename>
<url>https://downloads.asterisk.org/pub/security/AST-2017-006.html</url>
<cvename>CVE-2017-14100</cvename>
</references>
<dates>
<discovery>2017-08-31</discovery>
<entry>2017-09-01</entry>
</dates>
</vuln>
<vuln vid="22f28bb3-8d98-11e7-8c37-e8e0b747a45a">
<topic>libgcrypt -- side-channel attack vulnerability</topic>
<affects>
<package>
<name>libgcrypt</name>
<range><lt>1.8.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GnuPG reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0379">
<p>Mitigate a local side-channel attack on Curve25519 dubbed "May the Fourth Be With You".</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-0379</cvename>
<url>https://eprint.iacr.org/2017/806</url>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0379</url>
</references>
<dates>
<discovery>2017-08-27</discovery>
<entry>2017-08-30</entry>
</dates>
</vuln>
<vuln vid="3f6de636-8cdb-11e7-9c71-f0def1fd7ea2">
<topic>rubygems -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ruby22-gems</name>
<name>ruby23-gems</name>
<name>ruby24-gems</name>
<range><lt>2.6.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Official blog of RubyGems reports:</p>
<blockquote cite="https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/">
<p>The following vulnerabilities have been reported: a DNS request
hijacking vulnerability, an ANSI escape sequence vulnerability, a DoS
vulnerability in the query command, and a vulnerability in the gem
installer that allowed a malicious gem to overwrite arbitrary
files.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/</url>
</references>
<dates>
<discovery>2017-08-29</discovery>
<entry>2017-08-29</entry>
</dates>
</vuln>
<vuln vid="7d7e05fb-64da-435a-84fb-4061493b89b9">
<topic>kanboard -- multiple privilege escalation vulnerabilities</topic>
<affects>
<package>
<name>kanboard</name>
<range><lt>1.0.46</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>chbi reports:</p>
<blockquote cite="https://kanboard.net/news/version-1.0.46">
<p>an authenticated standard user could reset the password of another
user (including admin) by altering form data.</p>
</blockquote>
</body>
</description>
<references>
<url>https://kanboard.net/news/version-1.0.46</url>
<cvename>CVE-2017-12850</cvename>
<cvename>CVE-2017-12851</cvename>
</references>
<dates>
<discovery>2017-08-15</discovery>
<entry>2017-08-26</entry>
</dates>
</vuln>
<vuln vid="eca2d861-76f4-42ed-89d2-23a2cb396c87">
<topic>poppler -- multiple denial of service issues</topic>
<affects>
<package>
<name>poppler</name>
<range><lt>0.56.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/99241/discuss">
<p>Poppler is prone to a stack-based buffer-overflow
vulnerability.</p>
<p>Successful exploits may allow attackers to crash the affected
application, resulting in denial-of-service condition. Due to the
nature of this issue, arbitrary code execution may be possible but
this has not been confirmed.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.securityfocus.com/bid/99241/discuss</url>
<cvename>CVE-2017-9865</cvename>
<cvename>CVE-2017-9775</cvename>
</references>
<dates>
<discovery>2017-06-21</discovery>
<entry>2017-08-24</entry>
</dates>
</vuln>
<vuln vid="c5d79773-8801-11e7-93f7-d43d7e971a1b">
<topic>phpmailer -- XSS in code example and default exception handler</topic>
<affects>
<package>
<name>phpmailer</name>
<range><lt>5.2.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHPMailer reports:</p>
<blockquote cite="https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.24">
<p>Fix XSS vulnerability in one of the code examples, CVE-2017-11503. The
code_generator.phps example did not filter user input prior to output. This
file is distributed with a .phps extension, so it is not normally executable
unless it is explicitly renamed, so it is safe by default. There was also an
undisclosed potential XSS vulnerability in the default exception handler
(unused by default). Patches for both issues kindly provided by Patrick
Monnerat of the Fedora Project.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.24</url>
<cvename>CVE-2017-11503</cvename>
</references>
<dates>
<discovery>2017-07-27</discovery>
<entry>2017-08-23</entry>
</dates>
</vuln>
<vuln vid="3531141d-a708-477c-954a-2a0549e49ca9">
<topic>salt -- Maliciously crafted minion IDs can cause unwanted directory traversals on the Salt-master</topic>
<affects>
<package>
<name>py27-salt</name>
<name>py32-salt</name>
<name>py33-salt</name>
<name>py34-salt</name>
<name>py35-salt</name>
<name>py36-salt</name>
<range><lt>2016.11.7</lt></range>
<range><ge>2017.7.0</ge><lt>2017.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SaltStack reports:</p>
<blockquote cite="https://docs.saltstack.com/en/latest/topics/releases/2017.7.1.html">
<p>Correct a flaw in minion id validation which could allow certain
minions to authenticate to a master despite not having the correct
credentials. To exploit the vulnerability, an attacker must create a
salt-minion with an ID containing characters that will cause a
directory traversal.
Credit for discovering the security flaw goes to: Vernhk@qq.com</p>
</blockquote>
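<p>As an added example (not Salt's own code), the following Python function shows the class of check the fix describes: a minion id is accepted only if it names a single file directly under the master's accepted-keys directory, so an id containing path separators, NUL bytes or parent-directory components cannot reach files elsewhere on the master. The directory layout, function names and sample ids are assumptions made for the illustration.</p>
<pre>
```python
"""Illustrative minion-id validation (added example, not Salt's own code).

A master that builds paths such as pki_dir/minions/ID from an attacker-chosen
minion id must reject ids that escape that directory. The checks below mirror the
class of fix described in the advisory: refuse path separators and NUL bytes, then
confirm the resolved path still lies directly under the intended directory.
"""
import posixpath

# Assumed layout (constructed for the example): accepted minion keys live under
# PKI_DIR/minions/. The real directory is whatever the master's pki_dir is set to.
PKI_DIR = "/var/lib/salt/pki/master"
MINIONS_DIR = posixpath.join(PKI_DIR, "minions")


def is_safe_minion_id(minion_id, keys_dir=MINIONS_DIR):
    """Return True only if minion_id names a single file directly inside keys_dir."""
    if not isinstance(minion_id, str) or minion_id == "":
        return False
    # Characters that let an id act as a path rather than as a file name.
    for forbidden in ("/", "\\", "\0"):
        if forbidden in minion_id:
            return False
    if minion_id in (".", ".."):
        return False
    # Defence in depth: normalise the joined path and make sure it did not escape.
    candidate = posixpath.normpath(posixpath.join(keys_dir, minion_id))
    if posixpath.dirname(candidate) != keys_dir:
        return False
    return posixpath.basename(candidate) == minion_id


def key_path_for(minion_id, keys_dir=MINIONS_DIR):
    """Build the key path for a validated id, or raise ValueError."""
    if not is_safe_minion_id(minion_id, keys_dir):
        raise ValueError("rejected minion id: %r" % (minion_id,))
    return posixpath.join(keys_dir, minion_id)


if __name__ == "__main__":
    # Constructed sample ids: one honest host name, three traversal attempts.
    for sample in ("web01.example.org", "../../etc/passwd", "..", "x\0y"):
        print("%r accepted: %s" % (sample, is_safe_minion_id(sample)))
```
</pre>
<p>The explicit character checks come first because they give a clear rejection reason; the normpath comparison is kept as a second, independent guard so that a future change to the allowed character set cannot silently reintroduce traversal.</p>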
</body>
</description>
<references>
<cvename>CVE-2017-12791</cvename>
<url>https://docs.saltstack.com/en/latest/topics/releases/2017.7.1.html</url>
<url>https://docs.saltstack.com/en/latest/topics/releases/2016.11.7.html</url>
</references>
<dates>
<discovery>2017-08-16</discovery>
<entry>2017-08-22</entry>
</dates>
</vuln>
<vuln vid="198d82f3-8777-11e7-950a-e8e0b747a45a">
<topic>dnsdist -- multiple vulnerabilities</topic>
<affects>
<package>
<name>dnsdist</name>
<range><lt>1.2.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PowerDNS Security Advisory reports:</p>
<blockquote cite="https://dnsdist.org/security-advisories/index.html">
<p>The first issue can lead to a denial of service on 32-bit if a backend
sends crafted answers, and the second to an alteration of dnsdist's ACL
if the API is enabled, writable and an authenticated user is tricked
into visiting a crafted website.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-7069</cvename>
<cvename>CVE-2017-7557</cvename>
<url>https://dnsdist.org/security-advisories/index.html</url>
</references>
<dates>
<discovery>2017-08-21</discovery>
<entry>2017-08-22</entry>
</dates>
</vuln>
<vuln vid="01a197ca-67f1-11e7-a266-28924a333806">
<topic>evince and atril -- command injection vulnerability in CBT handler</topic>
<affects>
<package>
<name>evince</name>
<range><le>3.24.0</le></range>
</package>
<package>
<name>evince-lite</name>
<range><le>3.24.0</le></range>
</package>
<package>
<name>atril</name>
<range><lt>1.18.1</lt></range>
<range><ge>1.19.0</ge><lt>1.19.1</lt></range>
</package>
<package>
<name>atril-lite</name>
<range><lt>1.18.1</lt></range>
<range><ge>1.19.0</ge><lt>1.19.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GNOME reports:</p>
<blockquote cite="https://bugzilla.gnome.org/show_bug.cgi?id=784630">
<p>The comic book backend in evince 3.24.0 (and earlier) is vulnerable to a command injection bug that can be used to execute arbitrary commands when a CBT file is opened.</p>
<p>The same vulnerability affects atril, the Evince fork.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=784630</url>
<url>https://github.com/mate-desktop/atril/issues/257</url>
<cvename>CVE-2017-1000083</cvename>
</references>
<dates>
<discovery>2017-07-06</discovery>
<entry>2017-07-13</entry>
</dates>
</vuln>
<vuln vid="e1de77e8-c45e-48d7-8866-5a6f943046de">
<topic>SquirrelMail -- post-authentication remote code execution</topic>
<affects>
<package>
<name>squirrelmail</name>
<range><lt>20170705</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SquirrelMail developers report:</p>
<blockquote cite="http://seclists.org/fulldisclosure/2017/Apr/81">
<p>SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN)
allows post-authentication remote code execution via a sendmail.cf
file that is mishandled in a popen call. It's possible to exploit this
vulnerability to execute arbitrary shell commands on the remote
server.</p>
</blockquote>
</body>
</description>
<references>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7692</url>
</references>
<dates>
<discovery>2017-04-19</discovery>
<entry>2017-08-22</entry>
</dates>
</vuln>
<vuln vid="6876b163-8708-11e7-8568-e8e0b747a45a">
<topic>pspp -- multiple vulnerabilities</topic>
<affects>
<package>
<name>pspp</name>
<range><lt>1.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CVE Details reports:</p>
<blockquote cite="https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-38732/year-2017/GNU-Pspp.html">
<ul>
<li>There is an Integer overflow in the hash_int function of the libpspp library
in GNU PSPP 0.10.5-pre2 (CVE-2017-10791).</li>
<li>There is a NULL Pointer Dereference in the function ll_insert() of the libpspp
library in GNU PSPP 0.10.5-pre2 (CVE-2017-10792).</li>
<li>There is an illegal address access in the function output_hex() in data/data-out.c
of the libpspp library in GNU PSPP 0.11.0 that will lead to remote denial of service (CVE-2017-12958).</li>
<li>There is a reachable assertion abort in the function dict_add_mrset() in data/dictionary.c
of the libpspp library in GNU PSPP 0.11.0 that will lead to a remote denial of service attack (CVE-2017-12959).</li>
<li>There is a reachable assertion abort in the function dict_rename_var() in data/dictionary.c
of the libpspp library in GNU PSPP 0.11.0 that will lead to remote denial of service (CVE-2017-12960).</li>
<li>There is an assertion abort in the function parse_attributes() in data/sys-file-reader.c
of the libpspp library in GNU PSPP 0.11.0 that will lead to remote denial of service (CVE-2017-12961).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-10791</cvename>
<cvename>CVE-2017-10792</cvename>
<cvename>CVE-2017-12958</cvename>
<cvename>CVE-2017-12959</cvename>
<cvename>CVE-2017-12960</cvename>
<cvename>CVE-2017-12961</cvename>
<url>https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-38732/year-2017/GNU-Pspp.html</url>
</references>
<dates>
<discovery>2017-08-18</discovery>
<entry>2017-08-22</entry>
<modified>2017-08-30</modified>
</dates>
</vuln>
<vuln vid="473b6a9e-8493-11e7-b24b-6cf0497db129">
<topic>drupal -- Drupal Core - Multiple Vulnerabilities</topic>
<affects>
<package>
<name>drupal8</name>
<range><lt>8.3.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Security Team:</p>
<blockquote cite="https://www.drupal.org/SA-CORE-2017-004">
<p>CVE-2017-6923: Views - Access Bypass - Moderately Critical</p>
<p>CVE-2017-6924: REST API can bypass comment approval - Access Bypass - Moderately Critical</p>
<p>CVE-2017-6925: Entity access bypass for entities that do not have UUIDs or have protected revisions - Access Bypass - Critical</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-6923</cvename>
<cvename>CVE-2017-6924</cvename>
<cvename>CVE-2017-6925</cvename>
</references>
<dates>
<discovery>2017-08-16</discovery>
<entry>2017-08-19</entry>
</dates>
</vuln>
<vuln vid="8e7bbddd-8338-11e7-867f-b499baebfeaf">
<topic>libsoup -- stack based buffer overflow</topic>
<affects>
<package>
<name>libsoup</name>
<range><lt>2.52.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tobias Mueller reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2017/q3/304">
<p>libsoup is susceptible to a stack based buffer overflow
attack when using chunked encoding. Regardless of libsoup
being used as a server or client.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2017/q3/304</url>
<cvename>CVE-2017-2885</cvename>
</references>
<dates>
<discovery>2017-08-17</discovery>
<entry>2017-08-17</entry>
<modified>2017-08-20</modified>
</dates>
</vuln>
<vuln vid="5df8bd95-8290-11e7-93af-005056925db4">
<topic>Zabbix -- Remote code execution</topic>
<affects>
<package>
<name>zabbix2-server</name>
<name>zabbix2-proxy</name>
<range><le>2.0.20</le></range>
</package>
<package>
<name>zabbix22-server</name>
<name>zabbix22-proxy</name>
<range><lt>2.2.19</lt></range>
</package>
<package>
<name>zabbix3-server</name>
<name>zabbix3-proxy</name>
<range><lt>3.0.10</lt></range>
</package>
<package>
<name>zabbix32-server</name>
<name>zabbix32-proxy</name>
<range><lt>3.2.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>mitre reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2824">
<p>An exploitable code execution vulnerability exists in the trapper command
functionality of Zabbix Server 2.4.X. A specially crafted set of packets
can cause a command injection resulting in remote code execution. An attacker
can make requests from an active Zabbix Proxy to trigger this vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-2824</cvename>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2824</url>
<url>https://support.zabbix.com/browse/ZBX-12349</url>
</references>
<dates>
<discovery>2017-07-05</discovery>
<entry>2017-08-16</entry>
</dates>
</vuln>
<vuln vid="c9460380-81e3-11e7-93af-005056925db4">
<topic>Supervisord -- An authenticated client can run arbitrary shell commands via malicious XML-RPC requests</topic>
<affects>
<package>
<name>py27-supervisor</name>
<range><lt>3.3.3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>mnaberez reports:</p>
<blockquote cite="https://github.com/Supervisor/supervisor/issues/964#issuecomment-317551606">
<p>supervisord can be configured to run an HTTP server on a TCP socket and/or a Unix domain socket.
The HTTP server is how supervisorctl communicates with supervisord. If an HTTP server has been
enabled, it will always serve both HTML pages and an XML-RPC interface. A vulnerability has been
found where an authenticated client can send a malicious XML-RPC request to supervisord that
will run arbitrary shell commands on the server. The commands will be run as the same user as
supervisord. Depending on how supervisord has been configured, this may be root.</p>
<p>This vulnerability can only be exploited by an authenticated client or if supervisord has been
configured to run an HTTP server without authentication. If authentication has not been enabled,
supervisord will log a message at the critical level every time it starts.</p>
</blockquote>
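<p>The report turns on one configuration fact: an HTTP listener without username and password lets any client that reaches the socket call the XML-RPC interface. The check below is an added example written for this entry, not code from the supervisor project. It feeds two constructed supervisord.conf fragments through Python's configparser and flags an [inet_http_server] or [unix_http_server] section with no username/password, and an inet listener bound to every interface. The section and option names (port, username, password, file, chmod) are supervisord's own; the fragments and the helper names are assumptions.</p>

```python
"""Flag supervisord HTTP listeners that would accept unauthenticated XML-RPC.

Added example for this entry, not code from the supervisor project.
"""
import configparser

# Constructed supervisord.conf fragments (not taken from a real deployment).
WEAK_CONF = """
[inet_http_server]
port = *:9001

[unix_http_server]
file = /var/run/supervisor.sock
chmod = 0700
"""

FIXED_CONF = """
[inet_http_server]
port = 127.0.0.1:9001
username = admin
password = replace-with-a-real-secret

[unix_http_server]
file = /var/run/supervisor.sock
chmod = 0700
username = admin
password = replace-with-a-real-secret
"""

# Host parts that mean "every interface"; a bare port is treated the same way.
WILDCARD_HOSTS = ("", "*", "0.0.0.0", "::", "[::]")


def http_server_findings(conf_text):
    """Return a list of (section, message) pairs describing risky listener settings."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    findings = []
    for section in ("inet_http_server", "unix_http_server"):
        if not cfg.has_section(section):
            continue
        has_auth = cfg.has_option(section, "username") and cfg.has_option(section, "password")
        if not has_auth:
            findings.append((section, "no username/password: every client that can reach "
                                      "the socket may issue any XML-RPC call"))
        if section == "inet_http_server":
            bind = cfg.get(section, "port", fallback="")
            # supervisord writes the listener as host:port; split off the host part.
            host = bind.rsplit(":", 1)[0] if ":" in bind else ""
            if host in WILDCARD_HOSTS:
                findings.append((section, f"TCP listener bound to all interfaces ({bind or 'unset'})"))
    return findings


def is_hardened(conf_text):
    """True when no listener section triggers a finding."""
    return http_server_findings(conf_text) == []


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, http_server_findings(text))
```

A Unix socket with chmod 0700 is already restricted by the filesystem, but the report's point stands: supervisord itself trusts every request that arrives on an unauthenticated listener, so the check flags both listener types.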
</body>
</description>
<references>
<url>http://supervisord.org/changes.html</url>
<url>https://github.com/Supervisor/supervisor/issues/964#issuecomment-317551606</url>
<cvename>CVE-2017-11610</cvename>
</references>
<dates>
<discovery>2017-07-24</discovery>
<entry>2017-08-15</entry>
</dates>
</vuln>
<vuln vid="79bbec7e-8141-11e7-b5af-a4badb2f4699">
<topic>FreeRadius -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>freeradius3</name>
<range><lt>3.0.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Guido Vranken reports:</p>
<blockquote cite="http://freeradius.org/security/fuzzer-2017.html">
<p>Multiple vulnerabilities found via fuzzing:</p>
<ul>
<li>FR-GV-201 (v2,v3) Read / write overflow in make_secret()</li>
<li>FR-GV-202 (v2) Write overflow in rad_coalesce()</li>
<li>FR-GV-203 (v2) DHCP - Memory leak in decode_tlv()</li>
<li>FR-GV-204 (v2) DHCP - Memory leak in fr_dhcp_decode()</li>
<li>FR-GV-205 (v2) DHCP - Buffer over-read in fr_dhcp_decode_options()</li>
<li>FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63</li>
<li>FR-GV-207 (v2) Zero-length malloc in data2vp()</li>
<li>FR-GV-301 (v3) Write overflow in data2vp_wimax()</li>
<li>FR-GV-302 (v3) Infinite loop and memory exhaustion with 'concat' attributes</li>
<li>FR-GV-303 (v3) DHCP - Infinite read in dhcp_attr2vp()</li>
<li>FR-GV-304 (v3) DHCP - Buffer over-read in fr_dhcp_decode_suboptions()</li>
<li>FR-GV-305 (v3) Decode 'signed' attributes correctly</li>
<li>FR-AD-001 (v2,v3) Use strncmp() instead of memcmp() for string data</li>
<li>FR-AD-002 (v3) String lifetime issues in rlm_python</li>
<li>FR-AD-003 (v3) Incorrect statement length passed into sqlite3_prepare</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://freeradius.org/security/fuzzer-2017.html</url>
</references>
<dates>
<discovery>2017-06-17</discovery>
<entry>2017-08-14</entry>
</dates>
</vuln>
<vuln vid="1d33cdee-7f6b-11e7-a9b5-3debb10a6871">
<topic>Mercurial -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mercurial</name>
<range><lt>4.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mercurial Release Notes:</p>
<blockquote cite="https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29">
<p>CVE-2017-1000115</p>
<p>Mercurial's symlink auditing was incomplete prior to 4.3, and could be
abused to write to files outside the repository.</p>
<p>CVE-2017-1000116</p>
<p>Mercurial was not sanitizing hostnames passed to ssh, allowing shell
injection attacks on clients by specifying a hostname starting with
-oProxyCommand. This is also present in Git (CVE-2017-1000117) and
Subversion (CVE-2017-9800), so please patch those tools as well if you
have them installed.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29</url>
<cvename>CVE-2017-1000115</cvename>
<cvename>CVE-2017-1000116</cvename>
</references>
<dates>
<discovery>2017-08-10</discovery>
<entry>2017-08-12</entry>
</dates>
</vuln>
<vuln vid="6e80bd9b-7e9b-11e7-abfe-90e2baa3bafc">
<topic>subversion -- Arbitrary code execution vulnerability</topic>
<affects>
<package>
<name>subversion</name>
<range><ge>1.9.0</ge><le>1.9.6</le></range>
</package>
<package>
<name>subversion18</name>
<range><ge>1.0.0</ge><le>1.8.18</le></range>
</package>
<package>
<name>subversion-static</name>
<range><ge>1.0.0</ge><le>1.8.18</le></range>
<range><ge>1.9.0</ge><le>1.9.6</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>subversion team reports:</p>
<blockquote cite="http://subversion.apache.org/security/CVE-2017-9800-advisory.txt">
<p>A Subversion client sometimes connects to URLs provided by the repository.
This happens in two primary cases: during 'checkout', 'export', 'update', and
'switch', when the tree being downloaded contains svn:externals properties;
and when using 'svnsync sync' with one URL argument.</p>
<p>A maliciously constructed svn+ssh:// URL would cause Subversion clients to
run an arbitrary shell command. Such a URL could be generated by a malicious
server, by a malicious user committing to a honest server (to attack another
user of that server's repositories), or by a proxy server.</p>
<p>The vulnerability affects all clients, including those that use file://,
http://, and plain (untunneled) svn://.</p>
<p>An exploit has been tested.</p>
</blockquote>
</body>
</description>
<references>
<url>http://subversion.apache.org/security/CVE-2017-9800-advisory.txt</url>
</references>
<dates>
<discovery>2017-08-10</discovery>
<entry>2017-08-11</entry>
</dates>
</vuln>
<vuln vid="abcc5ad3-7e6a-11e7-93f7-d43d7e971a1b">
<topic>GitLab -- two vulnerabilities</topic>
<affects>
<package>
<name>gitlab</name>
<range><ge>7.9.0</ge><le>8.17.8</le></range>
<range><ge>9.0.0</ge><le>9.0.12</le></range>
<range><ge>9.1.0</ge><le>9.1.9</le></range>
<range><ge>9.2.0</ge><le>9.2.9</le></range>
<range><ge>9.3.0</ge><le>9.3.9</le></range>
<range><ge>9.4.0</ge><le>9.4.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GitLab reports:</p>
<blockquote cite="https://about.gitlab.com/2017/08/10/gitlab-9-dot-4-dot-4-released/">
<h1>Remote Command Execution in git client</h1>
<p>An external code review performed by Recurity-Labs identified a remote
command execution vulnerability in git that could be exploited via the "Repo
by URL" import option in GitLab. The command line git client was not
properly escaping command line arguments in URLs using the SSH protocol
before invoking the SSH client. A specially crafted URL could be used to
execute arbitrary shell commands on the GitLab server.<br/>
To fully patch this vulnerability two fixes were needed. The Omnibus
versions of GitLab contain a patched git client. For source users who may
still be running an older version of git, GitLab now also blocks import URLs
containing invalid host and usernames.<br/>
This issue has been assigned CVE-2017-12426.</p>
<h1>Improper sanitization of GitLab export files on import</h1>
<p>GitLab versions 8.13.3, 8.12.8, 8.11.10, 8.10.13, and 8.9.12 contained a
patch for a critical directory traversal vulnerability in the GitLab export
feature that could be exploited by including symlinks in the export file and
then re-importing it to a GitLab instance. This vulnerability was patched by
checking for and removing symlinks in these files on import.<br/>
Recurity-Labs also determined that this fix did not properly remove symlinks for
hidden files. Though not as dangerous as the original vulnerability hidden file
symlinks could still be used to steal copies of git repositories belonging to
other users if the path to the git repository was known by the attacker. An
updated fix has been included in these releases that properly removes all
symlinks.<br/>
This import option was not made available to non-admin users until GitLab
8.13.0.</p>
</blockquote>
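<p>The Mercurial, Subversion and GitLab entries above describe one mistake: an ssh-style URL is turned into an ssh command line, and a host or user that begins with a hyphen is read by ssh as an option such as -oProxyCommand. The check below is an added example written for this corpus, not code from Mercurial, Subversion, Git or GitLab. It assumes the URL forms ssh://, svn+ssh:// and git+ssh:// and the hypothetical helper names ssh_argv and rejects; the sample URLs are constructed. DNS labels may not start with a hyphen, so refusing such hosts rejects nothing legitimate.</p>

```python
"""Refuse ssh-style URLs whose user or host would be parsed by ssh(1) as an option.

Added example for this entry; not code from Mercurial, Subversion, Git or GitLab.
"""
from urllib.parse import urlsplit

SSH_SCHEMES = ("ssh", "svn+ssh", "git+ssh")


def is_option_like(value):
    """ssh(1) treats any argument that starts with '-' as an option."""
    return value is not None and value.startswith("-")


def ssh_parts(url):
    """Return (user, host, port, path) for an ssh-style URL or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in SSH_SCHEMES:
        raise ValueError(f"not an ssh-style URL: {url!r}")
    if not parts.hostname:
        raise ValueError(f"missing host: {url!r}")
    # urlsplit lowercases the host; the leading-hyphen check is unaffected.
    return parts.username, parts.hostname, parts.port, parts.path


def ssh_argv(url):
    """Build the ssh command line, refusing anything ssh could read as a flag.

    The vulnerable behaviour was to pass user@host straight through; here a
    leading '-' in either field raises before any process is spawned.
    """
    user, host, port, _path = ssh_parts(url)
    for value in (user, host):
        if is_option_like(value):
            raise ValueError(f"refusing option-like ssh argument {value!r} in {url!r}")
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]
    argv.append(f"{user}@{host}" if user else host)
    return argv


def rejects(url):
    """True when ssh_argv refuses the URL (convenience for callers and tests)."""
    try:
        ssh_argv(url)
    except ValueError:
        return True
    return False


# Constructed sample URLs (not taken from any advisory).
BENIGN = "svn+ssh://svn@example.org/repo/trunk"
HOST_IS_OPTION = "svn+ssh://-oProxyCommand=touch%20/tmp/pwned/repo"
USER_IS_OPTION = "ssh://-oProxyCommand=sh@example.org/repo.git"

if __name__ == "__main__":
    print(ssh_argv(BENIGN))                 # ['ssh', 'svn@example.org']
    for url in (HOST_IS_OPTION, USER_IS_OPTION):
        print(url, "rejected:", rejects(url))   # True for both
```

The check sits on the URL fields, not on the final argv string, because the same host value may reach ssh through several code paths (externals, svnsync, an import form); validating it once at parse time covers them all. The scp-like host:path form that git also accepts is not parsed here.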
</body>
</description>
<references>
<url>https://about.gitlab.com/2017/08/10/gitlab-9-dot-4-dot-4-released/</url>
<cvename>CVE-2017-12426</cvename>
</references>
<dates>
<discovery>2017-08-10</discovery>
<entry>2017-08-11</entry>
</dates>
</vuln>
<vuln vid="982872f1-7dd3-11e7-9736-6cc21735f730">
<topic>PostgreSQL vulnerabilities</topic>
<affects>
<package>
<name>postgresql92-server</name>
<range><ge>9.2.0</ge><lt>9.2.22</lt></range>
</package>
<package>
<name>postgresql93-server</name>
<range><ge>9.3.0</ge><lt>9.3.18</lt></range>
</package>
<package>
<name>postgresql94-server</name>
<range><ge>9.4.0</ge><lt>9.4.13</lt></range>
</package>
<package>
<name>postgresql95-server</name>
<range><ge>9.5.0</ge><lt>9.5.8</lt></range>
</package>
<package>
<name>postgresql96-server</name>
<range><ge>9.6.0</ge><lt>9.6.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PostgreSQL project reports:</p>
<blockquote cite="https://www.postgresql.org/about/news/1772/">
<ul>
<li>CVE-2017-7546: Empty password accepted in some authentication
methods</li>
<li>CVE-2017-7547: The "pg_user_mappings" catalog view discloses passwords
to users lacking server privileges</li>
<li>CVE-2017-7548: lo_put() function ignores ACLs</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-7546</cvename>
<cvename>CVE-2017-7547</cvename>
<cvename>CVE-2017-7548</cvename>
</references>
<dates>
<discovery>2017-08-10</discovery>
<entry>2017-08-10</entry>
</dates>
</vuln>
<vuln vid="7e3d3e9a-7d8f-11e7-a02b-d43d7ef03aa6">
<topic>Flash Player -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplayer</name>
<range><lt>26.0.0.151</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb17-23.html">
<ul>
<li>These updates resolve security bypass vulnerability that
could lead to information disclosure (CVE-2017-3085).</li>
<li>These updates resolve type confusion vulnerability that
could lead to remote code execution (CVE-2017-3106).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-3085</cvename>
<cvename>CVE-2017-3106</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb17-23.html</url>
</references>
<dates>
<discovery>2017-08-08</discovery>
<entry>2017-08-10</entry>
</dates>
</vuln>
<vuln vid="69cfa386-7cd0-11e7-867f-b499baebfeaf">
<topic>cURL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>curl</name>
<range><lt>7.55.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The cURL project reports:</p>
<blockquote cite="https://curl.haxx.se/docs/security.html">
<ul>
<li>FILE buffer read out of bounds</li>
<li>TFTP sends more than buffer size</li>
<li>URL globbing out of bounds read</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://curl.haxx.se/docs/security.html</url>
<cvename>CVE-2017-1000099</cvename>
<cvename>CVE-2017-1000100</cvename>
<cvename>CVE-2017-1000101</cvename>
</references>
<dates>
<discovery>2017-08-09</discovery>
<entry>2017-08-09</entry>
</dates>
</vuln>
<vuln vid="c1265e85-7c95-11e7-93af-005056925db4">
<topic>Axis2 -- Security vulnerability on dependency Apache Commons FileUpload</topic>
<affects>
<package>
<name>axis2</name>
<range><lt>1.7.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache Axis2 reports:</p>
<blockquote cite="http://axis.apache.org/axis2/java/core/release-notes/1.7.6.html">
<p>The commons-fileupload dependency has been updated to a version that fixes
CVE-2016-1000031 (AXIS2-5853).</p>
</blockquote>
</body>
</description>
<references>
<url>http://axis.apache.org/axis2/java/core/release-notes/1.7.6.html</url>
<url>https://issues.apache.org/jira/browse/AXIS2-5853</url>
<url>https://issues.apache.org/jira/browse/FILEUPLOAD-279</url>
<cvename>CVE-2016-1000031</cvename>
</references>
<dates>
<discovery>2016-11-14</discovery>
<entry>2017-08-09</entry>
</dates>
</vuln>
<vuln vid="555b244e-6b20-4546-851f-d8eb7d6c1ffa">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>55.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.49.1</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>52.3.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>52.3.0,2</lt></range>
</package>
<package>
<name>libxul</name>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>52.3.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/">
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-7753</cvename>
<cvename>CVE-2017-7779</cvename>
<cvename>CVE-2017-7780</cvename>
<cvename>CVE-2017-7781</cvename>
<cvename>CVE-2017-7782</cvename>
<cvename>CVE-2017-7783</cvename>
<cvename>CVE-2017-7784</cvename>
<cvename>CVE-2017-7785</cvename>
<cvename>CVE-2017-7786</cvename>
<cvename>CVE-2017-7787</cvename>
<cvename>CVE-2017-7788</cvename>
<cvename>CVE-2017-7789</cvename>
<cvename>CVE-2017-7790</cvename>
<cvename>CVE-2017-7791</cvename>
<cvename>CVE-2017-7792</cvename>
<cvename>CVE-2017-7794</cvename>
<cvename>CVE-2017-7796</cvename>
<cvename>CVE-2017-7797</cvename>
<cvename>CVE-2017-7798</cvename>
<cvename>CVE-2017-7799</cvename>
<cvename>CVE-2017-7800</cvename>
<cvename>CVE-2017-7801</cvename>
<cvename>CVE-2017-7802</cvename>
<cvename>CVE-2017-7803</cvename>
<cvename>CVE-2017-7804</cvename>
<cvename>CVE-2017-7806</cvename>
<cvename>CVE-2017-7807</cvename>
<cvename>CVE-2017-7808</cvename>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/</url>
</references>
<dates>
<discovery>2017-08-08</discovery>
<entry>2017-08-08</entry>
</dates>
</vuln>
<vuln vid="9245681c-7c3c-11e7-b5af-a4badb2f4699">
<topic>sqlite3 -- heap-buffer overflow</topic>
<affects>
<package>
<name>sqlite3</name>
<range><lt>3.20.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google reports:</p>
<blockquote cite="https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937">
<p>A heap-buffer overflow (sometimes a crash) can arise when
running a SQL request on malformed sqlite3 databases.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937</url>
<cvename>CVE-2017-10989</cvename>
</references>
<dates>
<discovery>2017-08-08</discovery>
<entry>2017-08-08</entry>
<modified>2017-09-19</modified>
</dates>
</vuln>
<vuln vid="88a77ad8-77b1-11e7-b5af-a4badb2f4699">
<topic>Varnish -- Denial of service vulnerability</topic>
<affects>
<package>
<name>varnish4</name>
<range><ge>4.0.1</ge><lt>4.0.5</lt></range>
<range><ge>4.1.0</ge><lt>4.1.8</lt></range>
</package>
<package>
<name>varnish5</name>
<range><lt>5.0.1</lt></range>
<range><ge>5.1.0</ge><lt>5.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>phk reports:</p>
<blockquote cite="https://varnish-cache.org/security/VSV00001.html">
<p>A wrong if statement in the varnishd source code means that
particular invalid requests from the client can trigger an assert.</p>
</blockquote>
</body>
</description>
<references>
<url>https://varnish-cache.org/security/VSV00001.html</url>
</references>
<dates>
<discovery>2017-08-02</discovery>
<entry>2017-08-02</entry>
</dates>
</vuln>
<vuln vid="7d138476-7710-11e7-88a1-e8e0b747a45a">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-pulse</name>
<range><lt>60.0.3112.78</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html">
<p>40 security fixes in this release</p>
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5091</cvename>
<cvename>CVE-2017-5092</cvename>
<cvename>CVE-2017-5093</cvename>
<cvename>CVE-2017-5094</cvename>
<cvename>CVE-2017-5095</cvename>
<cvename>CVE-2017-5096</cvename>
<cvename>CVE-2017-5097</cvename>
<cvename>CVE-2017-5098</cvename>
<cvename>CVE-2017-5099</cvename>
<cvename>CVE-2017-5100</cvename>
<cvename>CVE-2017-5101</cvename>
<cvename>CVE-2017-5102</cvename>
<cvename>CVE-2017-5103</cvename>
<cvename>CVE-2017-5104</cvename>
<cvename>CVE-2017-7000</cvename>
<cvename>CVE-2017-5105</cvename>
<cvename>CVE-2017-5106</cvename>
<cvename>CVE-2017-5107</cvename>
<cvename>CVE-2017-5108</cvename>
<cvename>CVE-2017-5109</cvename>
<cvename>CVE-2017-5110</cvename>
<url>https://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2017-07-25</discovery>
<entry>2017-08-01</entry>
</dates>
</vuln>
<vuln vid="f86d0e5d-7467-11e7-93af-005056925db4">
<topic>Cacti -- Cross-site scripting (XSS) vulnerability in auth_profile.php</topic>
<affects>
<package>
<name>cacti</name>
<range><eq>1.1.13</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>kimiizhang reports:</p>
<blockquote cite="https://github.com/Cacti/cacti/issues/867">
<p>Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti
1.1.13 allows remote authenticated users to inject arbitrary web script
or HTML via specially crafted HTTP Referer headers.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/Cacti/cacti/issues/867</url>
<url>https://www.cacti.net/release_notes.php?version=1.1.14</url>
<cvename>CVE-2017-11691</cvename>
</references>
<dates>
<discovery>2017-07-20</discovery>
<entry>2017-07-29</entry>
</dates>
</vuln>
<vuln vid="770d7e91-72af-11e7-998a-08606e47f965">
<topic>proftpd -- user chroot escape vulnerability</topic>
<affects>
<package>
<name>proftpd</name>
<range><lt>1.3.5e</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7418">
<p>ProFTPD ... controls whether the home directory of a user could
contain a symbolic link through the AllowChrootSymlinks
configuration option, but checks only the last path component when
enforcing AllowChrootSymlinks. Attackers with local access could
bypass the AllowChrootSymlinks control by replacing a path
component (other than the last one) with a symbolic link.</p>
</blockquote>
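<p>The flaw is in which components get inspected: checking only the leaf of a path says nothing about a symlink earlier in the chain. The code below is an added example (not ProFTPD code) that builds a constructed directory layout under a temporary directory, one path that passes through an intermediate symlink and one that does not, and compares a leaf-only check with one that walks every component from the root down. The helper names symlinked_components, last_component_only and demo_paths are assumptions.</p>

```python
"""Check every component of a chroot path for symlinks, not only the last one.

Added example for this entry; not ProFTPD code. The advisory says the original
AllowChrootSymlinks check looked only at the final path component.
"""
import os
import pathlib
import tempfile


def symlinked_components(path):
    """Return every prefix of an absolute path that is itself a symbolic link.

    Walks root-downward so a link in any intermediate directory is caught.
    Components that do not exist are simply not links.
    """
    p = pathlib.Path(path)
    if not p.is_absolute():
        raise ValueError(f"expected an absolute path, got {path!r}")
    prefix = pathlib.Path(p.anchor)
    found = []
    for part in p.parts[1:]:
        prefix = prefix / part
        if prefix.is_symlink():
            found.append(str(prefix))
    return found


def last_component_only(path):
    """The insufficient check described in the advisory: inspect the leaf only."""
    return pathlib.Path(path).is_symlink()


def demo_paths():
    """Constructed layout under a temp dir (not real ProFTPD data):

        BASE/real/home   a plain directory
        BASE/link        a symlink to BASE/real

    Returns (path_via_link, path_via_real, link) for the two checks above.
    """
    # realpath so the temp dir itself contributes no symlinked prefix.
    base = os.path.realpath(tempfile.mkdtemp(prefix="chrootdemo-"))
    real = os.path.join(base, "real")
    os.makedirs(os.path.join(real, "home"))
    link = os.path.join(base, "link")
    os.symlink(real, link)
    return os.path.join(link, "home"), os.path.join(real, "home"), link


if __name__ == "__main__":
    via_link, via_real, link = demo_paths()
    print("leaf-only check:", last_component_only(via_link))   # False: misses the link
    print("per-component:", symlinked_components(via_link))    # [link]
    print("clean path:", symlinked_components(via_real))       # []
```

On a real server the walk would be run on the resolved home directory before chroot(2), and a non-empty result would be treated exactly like a symlinked leaf is today.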
</body>
</description>
<references>
<url>http://bugs.proftpd.org/show_bug.cgi?id=4295</url>
<cvename>CVE-2017-7418</cvename>
</references>
<dates>
<discovery>2017-03-06</discovery>
<entry>2017-07-27</entry>
</dates>
</vuln>
<vuln vid="76d80b33-7211-11e7-998a-08606e47f965">
<topic>jabberd -- authentication bypass vulnerability</topic>
<affects>
<package>
<name>jabberd</name>
<range><lt>2.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/99511/discuss">
<p>JabberD is prone to an authentication-bypass vulnerability.
An attacker can exploit this issue to bypass the authentication
mechanism and perform unauthorized actions. This may lead to
further attacks.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867032</url>
<url>http://www.securityfocus.com/bid/99511</url>
<cvename>CVE-2017-10807</cvename>
</references>
<dates>
<discovery>2017-07-03</discovery>
<entry>2017-07-26</entry>
</dates>
</vuln>
<vuln vid="0f66b901-715c-11e7-ad1f-bcaec565249c">
<topic>webkit2-gtk3 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>webkit2-gtk3</name>
<range><lt>2.16.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Webkit gtk team reports:</p>
<blockquote cite="https://webkitgtk.org/security/WSA-2017-0006.html">
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<url>https://webkitgtk.org/security/WSA-2017-0006.html</url>
<cvename>CVE-2017-7006</cvename>
<cvename>CVE-2017-7011</cvename>
<cvename>CVE-2017-7012</cvename>
<cvename>CVE-2017-7018</cvename>
<cvename>CVE-2017-7019</cvename>
<cvename>CVE-2017-7020</cvename>
<cvename>CVE-2017-7030</cvename>
<cvename>CVE-2017-7034</cvename>
<cvename>CVE-2017-7037</cvename>
<cvename>CVE-2017-7038</cvename>
<cvename>CVE-2017-7039</cvename>
<cvename>CVE-2017-7040</cvename>
<cvename>CVE-2017-7041</cvename>
<cvename>CVE-2017-7042</cvename>
<cvename>CVE-2017-7043</cvename>
<cvename>CVE-2017-7046</cvename>
<cvename>CVE-2017-7048</cvename>
<cvename>CVE-2017-7049</cvename>
<cvename>CVE-2017-7052</cvename>
<cvename>CVE-2017-7055</cvename>
<cvename>CVE-2017-7056</cvename>
<cvename>CVE-2017-7059</cvename>
<cvename>CVE-2017-7061</cvename>
<cvename>CVE-2017-7064</cvename>
</references>
<dates>
<discovery>2017-07-24</discovery>
<entry>2017-07-25</entry>
<modified>2018-03-28</modified>
</dates>
</vuln>
<vuln vid="8745c67e-7dd1-4165-96e2-fcf9da2dc5b5">
<topic>gsoap -- remote code execution via stack-based buffer overflow</topic>
<affects>
<package>
<name>gsoap</name>
<range><lt>2.8.47</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Senrio reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/99868/discuss">
<p>Genivia gSOAP is prone to a stack-based buffer-overflow
vulnerability because it fails to properly bounds check user-supplied
data before copying it into an insufficiently sized buffer.</p>
<p>A remote attacker may exploit this issue to execute arbitrary code
in the context of the affected device. Failed attempts will likely
cause a denial-of-service condition.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.securityfocus.com/bid/99868/discuss</url>
<url>http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions</url>
<url>http://blog.senr.io/devilsivy.html</url>
<url>https://www.genivia.com/advisory.html#Security_advisory:_CVE-2017-9765_bug_in_certain_versions_of_gSOAP_2.7_up_to_2.8.47_%28June_21,_2017%29</url>
<url>https://www.genivia.com/changelog.html#Version_2.8.48_upd_%2806/21/2017%29</url>
<cvename>CVE-2017-9765</cvename>
</references>
<dates>
<discovery>2017-07-18</discovery>
<entry>2017-07-25</entry>
</dates>
</vuln>
<vuln vid="92f4191a-6d25-11e7-93f7-d43d7e971a1b">
<topic>GitLab -- Various security issues</topic>
<affects>
<package>
<name>gitlab</name>
<range><ge>8.0.0</ge><le>8.17.6</le></range>
<range><ge>9.0.0</ge><le>9.0.10</le></range>
<range><ge>9.1.0</ge><le>9.1.7</le></range>
<range><ge>9.2.0</ge><le>9.2.7</le></range>
<range><ge>9.3.0</ge><le>9.3.7</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GitLab reports:</p>
<blockquote cite="https://about.gitlab.com/2017/07/19/gitlab-9-dot-3-dot-8-released/">
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<url>https://about.gitlab.com/2017/07/19/gitlab-9-dot-3-dot-8-released/</url>
<cvename>CVE-2017-11438</cvename>
</references>
<dates>
<discovery>2017-07-20</discovery>
<entry>2017-07-20</entry>
<modified>2017-08-15</modified>
</dates>
</vuln>
<vuln vid="cda2f3c2-6c8b-11e7-867f-b499baebfeaf">
<topic>MySQL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mariadb55-server</name>
<range><lt>5.5.57</lt></range>
</package>
<package>
<name>mariadb100-server</name>
<range><lt>10.0.32</lt></range>
</package>
<package>
<name>mariadb101-server</name>
<range><lt>10.1.26</lt></range>
</package>
<package>
<name>mariadb102-server</name>
<range><lt>10.2.6</lt></range>
</package>
<package>
<name>mysql55-server</name>
<range><lt>5.5.57</lt></range>
</package>
<package>
<name>mysql56-server</name>
<range><lt>5.6.37</lt></range>
</package>
<package>
<name>mysql57-server</name>
<range><lt>5.7.19</lt></range>
</package>
<package>
<name>percona55-server</name>
<range><lt>5.5.57</lt></range>
</package>
<package>
<name>percona56-server</name>
<range><lt>5.6.37</lt></range>
</package>
<package>
<name>percona57-server</name>
<range><lt>5.7.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Oracle reports:</p>
<blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixMSQL">
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixMSQL</url>
<cvename>CVE-2017-3529</cvename>
<cvename>CVE-2017-3633</cvename>
<cvename>CVE-2017-3634</cvename>
<cvename>CVE-2017-3635</cvename>
<cvename>CVE-2017-3636</cvename>
<cvename>CVE-2017-3637</cvename>
<cvename>CVE-2017-3638</cvename>
<cvename>CVE-2017-3639</cvename>
<cvename>CVE-2017-3640</cvename>
<cvename>CVE-2017-3641</cvename>
<cvename>CVE-2017-3642</cvename>
<cvename>CVE-2017-3643</cvename>
<cvename>CVE-2017-3644</cvename>
<cvename>CVE-2017-3645</cvename>
<cvename>CVE-2017-3646</cvename>
<cvename>CVE-2017-3647</cvename>
<cvename>CVE-2017-3648</cvename>
<cvename>CVE-2017-3649</cvename>
<cvename>CVE-2017-3650</cvename>
<cvename>CVE-2017-3651</cvename>
<cvename>CVE-2017-3652</cvename>
<cvename>CVE-2017-3653</cvename>
</references>
<dates>
<discovery>2017-07-19</discovery>
<entry>2017-07-19</entry>
<modified>2017-08-12</modified>
</dates>
</vuln>
<vuln vid="08a2df48-6c6a-11e7-9b01-2047478f2f70">
<topic>collectd5 -- Denial of service by sending a signed network packet to a server which is not set up to check signatures</topic>
<affects>
<package>
<name>collectd5</name>
<range><lt>5.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>marcinguy reports:</p>
<blockquote cite="https://github.com/collectd/collectd/issues/2174">
<p>After sending this payload, collectd seems to be entering endless while()
loop in packet_parse consuming high CPU resources, possibly crash/gets killed after a while.</p>
</blockquote>
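<p>The report says the parser stopped making progress on a signed packet sent to a server that does not check signatures. Whatever the exact code path in collectd, the defence is a part parser that either consumes a full header on every iteration or rejects the packet. The code below is an added example, not collectd code: parts follow the documented collectd layout (type and length as two network-order 16-bit fields, the length counting the 4-byte header, then the payload); the packets are constructed, and signature verification itself is left to the caller.</p>

```python
"""Parse collectd network-protocol parts so the loop can never stall.

Added example for this entry, not collectd code. Part layout is the documented
collectd one: type (2 bytes), length (2 bytes, network order, includes the
4-byte header), then payload.
"""
import struct

TYPE_HOST = 0x0000
TYPE_TIME = 0x0001
TYPE_PLUGIN = 0x0002
TYPE_SIGN_SHA256 = 0x0200   # HMAC-SHA256 signature part
TYPE_ENCR_AES256 = 0x0210   # encrypted part

HEADER = struct.Struct("!HH")


def parse_parts(packet, keep_signature_parts=False):
    """Return a list of (type, payload); raise ValueError on a malformed part.

    Every iteration advances offset by plen, and plen is validated to be at
    least HEADER.size and to fit inside the packet, so progress is guaranteed.
    With keep_signature_parts=False (a server not checking signatures) the
    signature part is skipped but the cursor still moves past it.
    """
    parts = []
    offset = 0
    while offset != len(packet):
        try:
            ptype, plen = HEADER.unpack_from(packet, offset)
        except struct.error:
            raise ValueError(f"truncated part header at offset {offset}") from None
        payload = packet[offset + HEADER.size : offset + plen]
        # A length under 4 (negative expected payload size) and a length that
        # runs past the end of the packet both fail this one equality.
        if len(payload) != plen - HEADER.size:
            raise ValueError(f"bad part length {plen} at offset {offset}")
        offset += plen
        if ptype == TYPE_SIGN_SHA256 and not keep_signature_parts:
            continue
        parts.append((ptype, payload))
    return parts


def part(ptype, payload):
    """Encode one part (used to build the constructed samples below)."""
    return HEADER.pack(ptype, HEADER.size + len(payload)) + payload


def is_malformed(packet):
    """True when parse_parts rejects the packet."""
    try:
        parse_parts(packet)
    except ValueError:
        return True
    return False


# Constructed packets, not captured from a collectd client.
GOOD_PACKET = part(TYPE_HOST, b"host1\0") + part(TYPE_PLUGIN, b"cpu\0")
SIGNED_PACKET = part(TYPE_SIGN_SHA256, bytes(32) + b"collectd") + GOOD_PACKET
ZERO_LENGTH_PACKET = HEADER.pack(TYPE_HOST, 0) + b"host1\0"
TRUNCATED_PACKET = GOOD_PACKET[:-1]

if __name__ == "__main__":
    print([t for t, _ in parse_parts(SIGNED_PACKET)])        # [0, 2]: signature skipped
    print(is_malformed(ZERO_LENGTH_PACKET), is_malformed(TRUNCATED_PACKET))   # True True
```

The single length check does double duty: a part announcing a length below its own header size would otherwise leave offset unchanged (the endless loop the report describes), and one announcing more bytes than remain would read past the buffer.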
</body>
</description>
<references>
<url>https://github.com/collectd/collectd/issues/2174</url>
<cvename>CVE-2017-7401</cvename>
</references>
<dates>
<discovery>2017-02-13</discovery>
<entry>2017-07-19</entry>
</dates>
</vuln>
<vuln vid="e6ccaf8a-6c63-11e7-9b01-2047478f2f70">
<topic>strongswan -- multiple vulnerabilities</topic>
<affects>
<package>
<name>strongswan</name>
<range><ge>4.4.0</ge><le>5.5.2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>strongSwan security team reports:</p>
<blockquote cite="https://www.strongswan.org/blog/2017/05/30/strongswan-5.5.3-released.html">
<ul>
<li>RSA public keys passed to the gmp plugin aren't validated sufficiently
before attempting signature verification, so that invalid input might
lead to a floating point exception. [CVE-2017-9022]</li>
<li>ASN.1 CHOICE types are not correctly handled by the ASN.1 parser when
parsing X.509 certificates with extensions that use such types. This
could lead to infinite looping of the thread parsing a specifically crafted certificate.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-(cve-2017-9022).html</url>
<cvename>CVE-2017-9022</cvename>
<url>https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-(cve-2017-9023).html</url>
<cvename>CVE-2017-9023</cvename>
</references>
<dates>
<discovery>2017-05-30</discovery>
<entry>2017-07-19</entry>
</dates>
</vuln>
<vuln vid="c7e8e955-6c61-11e7-9b01-2047478f2f70">
<cancelled superseded="e6ccaf8a-6c63-11e7-9b01-2047478f2f70"/>
</vuln>
<vuln vid="dc3c66e8-6a18-11e7-93af-005056925db4">
<topic>Cacti -- Cross-site scripting (XSS) vulnerability in link.php</topic>
<affects>
<package>
<name>cacti</name>
<range><ge>1.0.0</ge><lt>1.1.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>kimiizhang reports:</p>
<blockquote cite="https://github.com/Cacti/cacti/issues/838">
<p>Cross-site scripting (XSS) vulnerability in link.php in Cacti
1.1.12 allows remote anonymous users to inject arbitrary web
script or HTML via the id parameter.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/Cacti/cacti/issues/838</url>
<url>https://www.cacti.net/release_notes.php?version=1.1.13</url>
<cvename>CVE-2017-10970</cvename>
</references>
<dates>
<discovery>2017-07-05</discovery>
<entry>2017-07-17</entry>
</dates>
</vuln>
<vuln vid="457ce015-67fa-11e7-867f-b499baebfeaf">
<topic>Apache httpd -- multiple vulnerabilities</topic>
<affects>
<package>
<name>apache24</name>
<range><lt>2.4.27</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache httpd project reports:</p>
<blockquote cite="https://httpd.apache.org/security/vulnerabilities_24.html">
<p>important: Read after free in mod_http2 (CVE-2017-9789)<br/>
When under stress, closing many connections, the HTTP/2 handling
code would sometimes access memory after it has been freed,
resulting in potentially erratic behaviour.</p>
<p>important: Uninitialized memory reflection in mod_auth_digest
(CVE-2017-9788)<br/>The value placeholder in [Proxy-]Authorization
headers of type 'Digest' was not initialized or reset before or
between successive key=value assignments by mod_auth_digest.<br/>
Providing an initial key with no '=' assignment could reflect
the stale value of uninitialized pool memory used by the prior
request, leading to leakage of potentially confidential
information, and a segfault.</p>
</blockquote>
</body>
</description>
<references>
<url>https://httpd.apache.org/security/vulnerabilities_24.html</url>
<cvename>CVE-2017-9789</cvename>
<cvename>CVE-2017-9788</cvename>
</references>
<dates>
<discovery>2017-07-11</discovery>
<entry>2017-07-13</entry>
</dates>
</vuln>
<vuln vid="a03e043a-67f1-11e7-beff-6451062f0f7a">
<topic>Flash Player -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplayer</name>
<range><lt>26.0.0.137</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb17-21.html">
<ul>
<li>These updates resolve a security bypass vulnerability that
could lead to information disclosure (CVE-2017-3080).</li>
<li>These updates resolve a memory corruption vulnerability that
could lead to remote code execution (CVE-2017-3099).</li>
<li>These updates resolve a memory corruption vulnerability that
could lead to memory address disclosure (CVE-2017-3100).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-3080</cvename>
<cvename>CVE-2017-3099</cvename>
<cvename>CVE-2017-3100</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb17-21.html</url>
</references>
<dates>
<discovery>2017-07-11</discovery>
<entry>2017-07-13</entry>
</dates>
</vuln>
<vuln vid="85851e4f-67d9-11e7-bc37-00505689d4ae">
<topic>samba -- Orpheus Lyre mutual authentication validation bypass</topic>
<affects>
<package>
<name>samba42</name>
<range><lt>4.2.15</lt></range>
</package>
<package>
<name>samba43</name>
<range><lt>4.3.14</lt></range>
</package>
<package>
<name>samba44</name>
<range><lt>4.4.15</lt></range>
</package>
<package>
<name>samba45</name>
<range><lt>4.5.12</lt></range>
</package>
<package>
<name>samba46</name>
<range><lt>4.6.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The samba project reports:</p>
<blockquote cite="https://www.samba.org/samba/security/CVE-2017-11103.html">
<p>A MITM attacker may impersonate a trusted server and thus gain elevated access to the domain by
returning malicious replication or authorization data.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.samba.org/samba/security/CVE-2017-11103.html</url>
<cvename>CVE-2017-11103</cvename>
</references>
<dates>
<discovery>2017-07-12</discovery>
<entry>2017-07-12</entry>
</dates>
</vuln>
<vuln vid="3eff66c5-66c9-11e7-aa1d-3d2e663cef42">
<topic>node.js -- multiple vulnerabilities</topic>
<affects>
<package>
<name>node</name>
<range><lt>8.1.4</lt></range>
</package>
<package>
<name>node4</name>
<range><lt>4.8.4</lt></range>
</package>
<package>
<name>node6</name>
<range><lt>6.11.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Updates are now available for all active Node.js release lines as
well as the 7.x line. These include the fix for the high severity
vulnerability identified in the initial announcement, one additional
lower priority Node.js vulnerability in the 4.x release line, as well
as some lower priority fixes for Node.js dependencies across the
current release lines.</p>
<blockquote cite="https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/">
<h2>Constant Hashtable Seeds (CVE pending)</h2>
<p>Node.js was susceptible to hash flooding remote DoS attacks as the
HashTable seed was constant across a given released version of
Node.js. This was a result of building with V8 snapshots enabled by
default which caused the initially randomized seed to be overwritten
on startup. Thanks to Jann Horn of Google Project Zero for reporting
this vulnerability.</p>
<p>This is a high severity vulnerability and applies to all active
release lines (4.x, 6.x, 8.x) as well as the 7.x line.</p>
<h2>http.get with numeric authorization options creates uninitialized
buffers</h2>
<p>Application code that allows the auth field of the options object
used with http.get() to be set to a number can result in an
uninitialized buffer being created/used as the authentication
string.</p>
<p>This is a low severity defect and only applies to the 4.x release
line.</p>
</blockquote>
</body>
</description>
<references>
<url>https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/</url>
</references>
<dates>
<discovery>2017-06-27</discovery>
<entry>2017-07-12</entry>
</dates>
</vuln>
<vuln vid="b28adc5b-6693-11e7-ad43-f0def16c5c1b">
<topic>nginx -- a specially crafted request might result in an integer overflow</topic>
<affects>
<package>
<name>nginx</name>
<range><ge>0.5.6</ge><lt>1.12.1,2</lt></range>
</package>
<package>
<name>nginx-devel</name>
<range><ge>0.5.6</ge><lt>1.13.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Maxim Dounin reports:</p>
<blockquote cite="http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html">
<p>A security issue was identified in nginx range filter. A specially
crafted request might result in an integer overflow and incorrect
processing of ranges, potentially resulting in sensitive information
leak (CVE-2017-7529).</p>
</blockquote>
</body>
</description>
<references>
<url>http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html</url>
<cvename>CVE-2017-7529</cvename>
</references>
<dates>
<discovery>2017-07-11</discovery>
<entry>2017-07-11</entry>
</dates>
</vuln>
<vuln vid="aaedf196-6436-11e7-8b49-002590263bf5">
<topic>codeigniter -- input validation bypass</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>3.1.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://www.codeigniter.com/user_guide/changelog.html">
<p>Form Validation Library rule valid_email could be bypassed if
idn_to_ascii() is available.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.codeigniter.com/user_guide/changelog.html</url>
</references>
<dates>
<discovery>2017-06-19</discovery>
<entry>2017-07-08</entry>
</dates>
</vuln>
<vuln vid="31001c6b-63e7-11e7-85aa-a4badb2f4699">
<topic>irssi -- multiple vulnerabilities</topic>
<affects>
<package>
<name>irssi</name>
<range><lt>1.0.4,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>irssi reports:</p>
<blockquote cite="https://irssi.org/security/irssi_sa_2017_07.txt">
<p>When receiving messages with invalid time stamps, Irssi
would try to dereference a NULL pointer.</p>
<p>While updating the internal nick list, Irssi may
incorrectly use the GHashTable interface and free the nick while
updating it. This will then result in use-after-free conditions on each
access of the hash table.</p>
</blockquote>
</body>
</description>
<references>
<url>https://irssi.org/security/irssi_sa_2017_07.txt</url>
<cvename>CVE-2017-10965</cvename>
<cvename>CVE-2017-10966</cvename>
<freebsdpr>ports/220544</freebsdpr>
</references>
<dates>
<discovery>2017-07-05</discovery>
<entry>2017-07-08</entry>
</dates>
</vuln>
<vuln vid="b396cf6c-62e6-11e7-9def-b499baebfeaf">
<topic>oniguruma -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libevhtp</name>
<range><lt>1.2.14</lt></range>
</package>
<package>
<name>oniguruma4</name>
<range><lt>4.7.2</lt></range>
</package>
<package>
<name>oniguruma5</name>
<range><lt>5.9.7</lt></range>
</package>
<package>
<name>oniguruma6</name>
<range><lt>6.4.0</lt></range>
</package>
<package>
<name>php56-mbstring</name>
<range><lt>5.6.31</lt></range>
</package>
<package>
<name>php70-mbstring</name>
<range><lt>7.0.21</lt></range>
</package>
<package>
<name>php71-mbstring</name>
<range><lt>7.1.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP project reports:</p>
<blockquote cite="http://php.net/ChangeLog-7.php">
<ul>
<li>A stack out-of-bounds read occurs in match_at() during regular
expression searching. A logical error involving order of validation
and access in match_at() could result in an out-of-bounds read from
a stack buffer (CVE-2017-9224).</li>
<li>A heap out-of-bounds write or read occurs in next_state_val()
during regular expression compilation. Octal numbers larger than 0xff
are not handled correctly in fetch_token() and fetch_token_in_cc().
A malformed regular expression containing an octal number in the form
of '\700' would produce an invalid code point value larger than 0xff
in next_state_val(), resulting in an out-of-bounds write memory
corruption (CVE-2017-9226).</li>
<li>A stack out-of-bounds read occurs in mbc_enc_len() during regular
expression searching. Invalid handling of reg->dmin in
forward_search_range() could result in an invalid pointer dereference,
as an out-of-bounds read from a stack buffer (CVE-2017-9227).</li>
<li>A heap out-of-bounds write occurs in bitset_set_range() during
regular expression compilation due to an uninitialized variable from
an incorrect state transition. An incorrect state transition in
parse_char_class() could create an execution path that leaves a
critical local variable uninitialized until it's used as an index,
resulting in an out-of-bounds write memory corruption (CVE-2017-9228).</li>
<li>A SIGSEGV occurs in left_adjust_char_head() during regular expression
compilation. Invalid handling of reg->dmax in forward_search_range() could
result in an invalid pointer dereference, normally as an immediate
denial-of-service condition (CVE-2017-9228).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://php.net/ChangeLog-7.php</url>
<cvename>CVE-2017-9224</cvename>
<cvename>CVE-2017-9226</cvename>
<cvename>CVE-2017-9227</cvename>
<cvename>CVE-2017-9228</cvename>
</references>
<dates>
<discovery>2017-07-06</discovery>
<entry>2017-07-07</entry>
<modified>2018-01-04</modified>
</dates>
</vuln>
<vuln vid="4fc2df49-6279-11e7-be0f-6cf0497db129">
<topic>drupal -- Drupal Core - Multiple Vulnerabilities</topic>
<affects>
<package>
<name>drupal7</name>
<range><lt>7.56</lt></range>
</package>
<package>
<name>drupal8</name>
<range><lt>8.3.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Security Team Reports:</p>
<blockquote cite="https://www.drupal.org/SA-CORE-2017-003">
<p>CVE-2017-6920: PECL YAML parser unsafe object handling.</p>
<p>CVE-2017-6921: File REST resource does not properly validate</p>
<p>CVE-2017-6922: Files uploaded by anonymous users into a private
file system can be accessed by other anonymous users.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-6920</cvename>
<cvename>CVE-2017-6921</cvename>
<cvename>CVE-2017-6922</cvename>
</references>
<dates>
<discovery>2017-06-21</discovery>
<entry>2017-07-06</entry>
</dates>
</vuln>
<vuln vid="60931f98-55a7-11e7-8514-589cfc0654e1">
<topic>Dropbear -- two vulnerabilities</topic>
<affects>
<package>
<name>dropbear</name>
<range><lt>2017.75</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matt Johnston reports:</p>
<blockquote cite="https://matt.ucc.asn.au/dropbear/CHANGES">
<p>Fix double-free in server TCP listener cleanup. A double-free in
the server could be triggered by an authenticated user if dropbear
is running with -a (Allow connections to forwarded ports from any
host). This could potentially allow arbitrary code execution as root
by an authenticated user.</p>
<p>Fix information disclosure with ~/.ssh/authorized_keys symlink.
Dropbear parsed authorized_keys as root, even if it were a symlink.
The fix is to switch to user permissions when opening authorized_keys.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://matt.ucc.asn.au/dropbear/CHANGES</url>
<cvename>CVE-2017-9078</cvename>
<cvename>CVE-2017-9079</cvename>
</references>
<dates>
<discovery>2017-05-18</discovery>
<entry>2017-07-03</entry>
</dates>
</vuln>
<vuln vid="6e4e35c3-5fd1-11e7-9def-b499baebfeaf">
<topic>smarty3 -- shell injection in math</topic>
<affects>
<package>
<name>smarty3</name>
<range><lt>3.1.30</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The smarty project reports:</p>
<blockquote cite="https://github.com/smarty-php/smarty/blob/v3.1.30/change_log.txt">
<p>bugfix {math} shell injection vulnerability</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/smarty-php/smarty/blob/v3.1.30/change_log.txt</url>
</references>
<dates>
<discovery>2016-07-19</discovery>
<entry>2017-07-03</entry>
</dates>
</vuln>
<vuln vid="ed3bf433-5d92-11e7-aa14-e8e0b747a45a">
<topic>libgcrypt -- side-channel attack on RSA secret keys</topic>
<affects>
<package>
<name>libgcrypt</name>
<range><lt>1.7.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GnuPG reports:</p>
<blockquote cite="https://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000408.html">
<p>Mitigate a flush+reload side-channel attack on RSA secret keys dubbed "Sliding right into disaster".</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-7526</cvename>
<url>https://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000408.html</url>
</references>
<dates>
<discovery>2017-06-29</discovery>
<entry>2017-06-30</entry>
</dates>
</vuln>
<vuln vid="85ebfa0c-5d8d-11e7-93f7-d43d7e971a1b">
<topic>GitLab -- Various security issues</topic>
<affects>
<package>
<name>gitlab</name>
<range><ge>4.0.0</ge><le>9.0.9</le></range>
<range><ge>9.1.0</ge><le>9.1.6</le></range>
<range><ge>9.2.0</ge><le>9.2.4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GitLab reports:</p>
<blockquote cite="https://about.gitlab.com/2017/06/07/gitlab-9-dot-2-dot-5-security-release/">
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<url>https://about.gitlab.com/2017/06/07/gitlab-9-dot-2-dot-5-security-release/</url>
</references>
<dates>
<discovery>2017-06-07</discovery>
<entry>2017-06-30</entry>
</dates>
</vuln>
<vuln vid="0b9f4b5e-5d82-11e7-85df-14dae9d5a9d2">
<topic>tor -- security regression</topic>
<affects>
<package>
<name>tor</name>
<range><lt>0.3.0.9</lt></range>
</package>
<package>
<name>tor-devel</name>
<range><lt>0.3.1.4.a</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Tor Project reports:</p>
<blockquote cite="https://lists.torproject.org/pipermail/tor-announce/2017-June/000133.html">
<p>Tor 0.3.0.9 fixes a path selection bug that would allow a client
to use a guard that was in the same network family as a chosen exit
relay. This is a security regression; all clients running earlier
versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or
0.3.1.4-alpha.</p>
</blockquote>
</body>
</description>
<references>
<url>https://blog.torproject.org/blog/tor-0309-released-security-update-clients</url>
<url>https://blog.torproject.org/blog/tor-0314-alpha-released-security-update-clients</url>
<url>https://lists.torproject.org/pipermail/tor-announce/2017-June/000133.html</url>
<cvename>CVE-2017-0377</cvename>
</references>
<dates>
<discovery>2017-06-29</discovery>
<entry>2017-06-30</entry>
</dates>
</vuln>
<vuln vid="8c1a271d-56cf-11e7-b9fe-c13eb7bcbf4f">
<topic>exim -- Privilege escalation via multiple memory leaks</topic>
<affects>
<package>
<name>exim</name>
<range><lt>4.89_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Qualys reports:</p>
<blockquote cite="https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt">
<p>
Exim supports the use of multiple "-p" command line arguments which are malloc()'ed and never free()'ed; used in conjunction with other issues, this allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000369</url>
</references>
<dates>
<discovery>2017-06-19</discovery>
<entry>2017-06-21</entry>
</dates>
</vuln>
<vuln vid="00e4050b-56c1-11e7-8e66-08606e46faad">
<topic>pear-Horde_Image -- DoS vulnerability</topic>
<affects>
<package>
<name>pear-Horde_Image</name>
<range><gt>2.3.0</gt><lt>2.5.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michael J Rubinsky reports:</p>
<blockquote cite="https://lists.horde.org/archives/announce/2017/001234.html">
<p>The second vulnerability (CVE-2017-9773) is a DOS vulnerability.
This only affects Horde installations that do not have a configured image
handling backend, and thus use the "Null" image driver. It is exploitable by
a logged in user clicking on a maliciously crafted URL.</p>
</blockquote>
</body>
</description>
<references>
<url>https://lists.horde.org/archives/announce/2017/001234.html</url>
<cvename>CVE-2017-9773</cvename>
</references>
<dates>
<discovery>2017-06-21</discovery>
<entry>2017-06-21</entry>
</dates>
</vuln>
<vuln vid="a7003121-56bf-11e7-8e66-08606e46faad">
<topic>pear-Horde_Image -- remote code execution vulnerability</topic>
<affects>
<package>
<name>pear-Horde_Image</name>
<range><ge>2.0.0</ge><lt>2.5.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michael J Rubinsky reports:</p>
<blockquote cite="https://lists.horde.org/archives/announce/2017/001234.html">
<p>The first vulnerability (CVE-2017-9774) is a Remote Code Execution
vulnerability and is exploitable by a logged in user sending a
maliciously crafted GET request to the Horde server.</p>
</blockquote>
</body>
</description>
<references>
<url>https://lists.horde.org/archives/announce/2017/001234.html</url>
<cvename>CVE-2017-9774</cvename>
</references>
<dates>
<discovery>2017-06-21</discovery>
<entry>2017-06-21</entry>
</dates>
</vuln>
<vuln vid="9f65d382-56a4-11e7-83e3-080027ef73ec">
<topic>OpenVPN -- several vulnerabilities</topic>
<affects>
<package>
<name>openvpn</name>
<range><lt>2.3.17</lt></range>
<range><ge>2.4.0</ge><lt>2.4.3</lt></range>
</package>
<package>
<name>openvpn-mbedtls</name>
<range><lt>2.4.3</lt></range>
</package>
<package>
<name>openvpn-polarssl</name>
<range><lt>2.3.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samuli Seppänen reports:</p>
<blockquote cite="https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243">
<p>In May/June 2017 Guido Vranken threw a fuzzer at OpenVPN 2.4.2. In
the process he found several vulnerabilities and reported them to
the OpenVPN project. [...] The first releases to have these fixes are OpenVPN 2.4.3 and 2.3.17.</p>
<p>This is a list of fixed important vulnerabilities:</p>
<ul>
<li>Remotely-triggerable ASSERT() on malformed IPv6 packet</li>
<li>Pre-authentication remote crash/information disclosure for clients</li>
<li>Potential double-free in --x509-alt-username</li>
<li>Remote-triggerable memory leaks</li>
<li>Post-authentication remote DoS when using the --x509-track option</li>
<li>Null-pointer dereference in establish_http_proxy_passthru()</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243</url>
<cvename>CVE-2017-7508</cvename>
<cvename>CVE-2017-7512</cvename>
<cvename>CVE-2017-7520</cvename>
<cvename>CVE-2017-7521</cvename>
<cvename>CVE-2017-7522</cvename>
</references>
<dates>
<discovery>2017-05-19</discovery>
<entry>2017-06-21</entry>
</dates>
</vuln>
<vuln vid="0c2db2aa-5584-11e7-9a7d-b499baebfeaf">
<topic>Apache httpd -- several vulnerabilities</topic>
<affects>
<package>
<name>apache22</name>
<range><lt>2.2.33</lt></range>
</package>
<package>
<name>apache24</name>
<range><lt>2.4.26</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache httpd project reports:</p>
<blockquote cite="http://httpd.apache.org/security/vulnerabilities_24.html">
<ul>
<li>ap_get_basic_auth_pw() Authentication Bypass (CVE-2017-3167):<br/>
Use of the ap_get_basic_auth_pw() by third-party modules outside
of the authentication phase may lead to authentication requirements
being bypassed.</li>
<li>mod_ssl Null Pointer Dereference (CVE-2017-3169):<br/>mod_ssl may
dereference a NULL pointer when third-party modules
call ap_hook_process_connection() during an HTTP request to an HTTPS
port.</li>
<li>mod_http2 Null Pointer Dereference (CVE-2017-7659):<br/> A maliciously
constructed HTTP/2 request could cause mod_http2 to dereference a NULL
pointer and crash the server process.</li>
<li>ap_find_token() Buffer Overread (CVE-2017-7668):<br/>The HTTP strict
parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token
list parsing, which allows ap_find_token() to search past the end of its
input string. By maliciously crafting a sequence of request headers, an
attacker may be able to cause a segmentation fault, or to force
ap_find_token() to return an incorrect value.</li>
<li>mod_mime Buffer Overread (CVE-2017-7679):<br/>mod_mime can read one
byte past the end of a buffer when sending a malicious Content-Type
response header.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://httpd.apache.org/security/vulnerabilities_24.html</url>
<url>https://httpd.apache.org/security/vulnerabilities_22.html</url>
<cvename>CVE-2017-3167</cvename>
<cvename>CVE-2017-3169</cvename>
<cvename>CVE-2017-7659</cvename>
<cvename>CVE-2017-7668</cvename>
<cvename>CVE-2017-7679</cvename>
</references>
<dates>
<discovery>2017-06-20</discovery>
<entry>2017-06-20</entry>
</dates>
</vuln>
<vuln vid="f53dd5cc-527f-11e7-a772-e8e0b747a45a">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-pulse</name>
<range><lt>59.0.3071.104</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop_15.html">
<p>5 security fixes in this release, including:</p>
<ul>
<li>[725032] High CVE-2017-5087: Sandbox Escape in IndexedDB. Reported by
Ned Williamson on 2017-05-22</li>
<li>[729991] High CVE-2017-5088: Out of bounds read in V8. Reported by
Xiling Gong of Tencent Security Platform Department on 2017-06-06</li>
<li>[714196] Medium CVE-2017-5089: Domain spoofing in Omnibox. Reported by
Michal Bentkowski on 2017-04-21</li>
<li>[732498] Various fixes from internal audits, fuzzing and other initiatives</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5087</cvename>
<cvename>CVE-2017-5088</cvename>
<cvename>CVE-2017-5089</cvename>
<url>https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop_15.html</url>
</references>
<dates>
<discovery>2017-06-15</discovery>
<entry>2017-06-16</entry>
</dates>
</vuln>
<vuln vid="9314058e-5204-11e7-b712-b1a44a034d72">
<topic>cURL -- URL file scheme drive letter buffer overflow</topic>
<affects>
<package>
<name>curl</name>
<range><ge>7.53.0</ge><lt>7.54.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>cURL security advisory:</p>
<blockquote cite="https://curl.haxx.se/docs/adv_20170614.html">
<p>When libcurl is given either</p>
<p>1. a file: URL that doesn't use two slashes following the colon, or</p>
<p>2. is told that file is the default scheme to use for URLs without scheme</p>
<p>... and the given path starts with a drive letter and libcurl is built for
Windows or DOS, then libcurl would copy the path with a wrong offset, so that
the end of the given path would write beyond the malloc buffer. Up to seven
bytes too much.</p>
<p>We are not aware of any exploit of this flaw.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-9502</cvename>
<url>https://curl.haxx.se/docs/adv_20170614.html</url>
</references>
<dates>
<discovery>2017-06-14</discovery>
<entry>2017-06-15</entry>
</dates>
</vuln>
<vuln vid="7a92e958-5207-11e7-8d7c-6805ca0b3d42">
<topic>rt and dependent modules -- multiple security vulnerabilities</topic>
<affects>
<package>
<name>rt42</name>
<range><ge>4.2.0</ge><lt>4.2.13_1</lt></range>
</package>
<package>
<name>rt44</name>
<range><ge>4.4.0</ge><lt>4.4.1_1</lt></range>
</package>
<package>
<name>p5-RT-Authen-ExternalAuth</name>
<range><ge>0.9</ge><lt>0.27</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>BestPractical reports:</p>
<blockquote cite="http://lists.bestpractical.com/pipermail/rt-announce/2017-June/000297.html">
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<url>http://lists.bestpractical.com/pipermail/rt-announce/2017-June/000297.html</url>
<cvename>CVE-2015-7686</cvename>
<cvename>CVE-2016-6127</cvename>
<cvename>CVE-2017-5361</cvename>
<cvename>CVE-2017-5943</cvename>
<cvename>CVE-2017-5944</cvename>
</references>
<dates>
<discovery>2017-06-15</discovery>
<entry>2017-06-15</entry>
</dates>
</vuln>
<vuln vid="cd944b3f-51f6-11e7-b7b2-001c25e46b1d">
<topic>Flash Player -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplayer</name>
<range><lt>26.0.0.126</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb17-17.html">
<ul>
<li>These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2017-3075, CVE-2017-3081,
CVE-2017-3083, CVE-2017-3084).</li>
<li>These updates resolve memory corruption vulnerabilities that
could lead to code execution (CVE-2017-3076, CVE-2017-3077,
CVE-2017-3078, CVE-2017-3079, CVE-2017-3082).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-3075</cvename>
<cvename>CVE-2017-3076</cvename>
<cvename>CVE-2017-3077</cvename>
<cvename>CVE-2017-3078</cvename>
<cvename>CVE-2017-3079</cvename>
<cvename>CVE-2017-3081</cvename>
<cvename>CVE-2017-3082</cvename>
<cvename>CVE-2017-3083</cvename>
<cvename>CVE-2017-3084</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb17-17.html</url>
</references>
<dates>
<discovery>2017-06-13</discovery>
<entry>2017-06-15</entry>
</dates>
</vuln>
<vuln vid="6cec1b0a-da15-467d-8691-1dea392d4c8d">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>54.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.49.1</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>52.2.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>52.2.0,2</lt></range>
</package>
<package>
<name>libxul</name>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>52.2.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/">
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5470</cvename>
<cvename>CVE-2017-5471</cvename>
<cvename>CVE-2017-5472</cvename>
<cvename>CVE-2017-7749</cvename>
<cvename>CVE-2017-7750</cvename>
<cvename>CVE-2017-7751</cvename>
<cvename>CVE-2017-7752</cvename>
<cvename>CVE-2017-7754</cvename>
<cvename>CVE-2017-7755</cvename>
<cvename>CVE-2017-7756</cvename>
<cvename>CVE-2017-7757</cvename>
<cvename>CVE-2017-7758</cvename>
<cvename>CVE-2017-7759</cvename>
<cvename>CVE-2017-7760</cvename>
<cvename>CVE-2017-7761</cvename>
<cvename>CVE-2017-7762</cvename>
<cvename>CVE-2017-7763</cvename>
<cvename>CVE-2017-7764</cvename>
<cvename>CVE-2017-7765</cvename>
<cvename>CVE-2017-7766</cvename>
<cvename>CVE-2017-7767</cvename>
<cvename>CVE-2017-7768</cvename>
<cvename>CVE-2017-7778</cvename>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/</url>
</references>
<dates>
<discovery>2017-06-13</discovery>
<entry>2017-06-13</entry>
<modified>2017-09-19</modified>
</dates>
</vuln>
<vuln vid="bce47c89-4d3f-11e7-8080-a4badb2f4699">
<topic>roundcube -- arbitrary password resets</topic>
<affects>
<package>
<name>roundcube</name>
<range><lt>1.2.5,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Roundcube reports:</p>
<blockquote cite="https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11">
<p>Roundcube Webmail allows arbitrary password resets by
authenticated users. The problem is caused by an improperly restricted
exec call in the virtualmin and sasl drivers of the password plugin.</p>
</blockquote>
</body>
</description>
<references>
<url>https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11</url>
<cvename>CVE-2017-8114</cvename>
</references>
<dates>
<discovery>2017-04-28</discovery>
<entry>2017-06-09</entry>
</dates>
</vuln>
<vuln vid="b33fb1e0-4c37-11e7-afeb-0011d823eebd">
<topic>GnuTLS -- Denial of service vulnerability</topic>
<affects>
<package>
<name>gnutls</name>
<range><lt>3.5.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The GnuTLS project reports:</p>
<blockquote cite="https://gnutls.org/security.html#GNUTLS-SA-2017-4">
<p>It was found using the TLS fuzzer tools that decoding a status
response TLS extension with valid contents could lead to a crash
due to a null pointer dereference. The issue affects GnuTLS server
applications.</p>
</blockquote>
</body>
</description>
<references>
<url>https://gnutls.org/security.html#GNUTLS-SA-2017-4</url>
</references>
<dates>
<discovery>2017-06-07</discovery>
<entry>2017-06-08</entry>
</dates>
</vuln>
<vuln vid="165e8951-4be0-11e7-a539-0050569f7e80">
<topic>irssi -- remote DoS</topic>
<affects>
<package>
<name>irssi</name>
<range><lt>1.0.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Joseph Bisch reports:</p>
<blockquote cite="https://irssi.org/security/irssi_sa_2017_06.txt">
<p>When receiving a DCC message without source nick/host, Irssi would
attempt to dereference a NULL pointer.</p>
<p>When receiving certain incorrectly quoted DCC files, Irssi would
try to find the terminating quote one byte before the allocated
memory.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-9468</cvename>
<cvename>CVE-2017-9469</cvename>
<url>https://irssi.org/security/irssi_sa_2017_06.txt</url>
</references>
<dates>
<discovery>2017-06-06</discovery>
<entry>2017-06-08</entry>
</dates>
</vuln>
<vuln vid="52f4b48b-4ac3-11e7-99aa-e8e0b747a45a">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-pulse</name>
<range><lt>59.0.3071.86</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop.html">
<p>30 security fixes in this release</p>
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5070</cvename>
<cvename>CVE-2017-5071</cvename>
<cvename>CVE-2017-5072</cvename>
<cvename>CVE-2017-5073</cvename>
<cvename>CVE-2017-5074</cvename>
<cvename>CVE-2017-5075</cvename>
<cvename>CVE-2017-5086</cvename>
<cvename>CVE-2017-5076</cvename>
<cvename>CVE-2017-5077</cvename>
<cvename>CVE-2017-5078</cvename>
<cvename>CVE-2017-5079</cvename>
<cvename>CVE-2017-5080</cvename>
<cvename>CVE-2017-5081</cvename>
<cvename>CVE-2017-5082</cvename>
<cvename>CVE-2017-5083</cvename>
<cvename>CVE-2017-5085</cvename>
<url>https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2017-06-05</discovery>
<entry>2017-06-06</entry>
</dates>
</vuln>
<vuln vid="15a04b9f-47cb-11e7-a853-001fbc0f280f">
<topic>ansible -- Input validation flaw in jinja2 templating system</topic>
<affects>
<package>
<name>ansible</name>
<range><lt>2.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>RedHat security team reports:</p>
<blockquote cite="https://access.redhat.com/security/cve/cve-2017-7481">
<p>An input validation flaw was found in Ansible, where it fails to
properly mark lookup-plugin results as unsafe. If an attacker could
control the results of lookup() calls, they could inject Unicode
strings to be parsed by the jinja2 templating system, resulting in
code execution.</p>
</blockquote>
</body>
</description>
<references>
<url>https://access.redhat.com/security/cve/cve-2017-7481</url>
<url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7481</url>
</references>
<dates>
<discovery>2017-05-09</discovery>
<entry>2017-06-02</entry>
</dates>
</vuln>
<vuln vid="738e8ae1-46dd-11e7-a539-0050569f7e80">
<topic>duo -- Two-factor authentication bypass</topic>
<affects>
<package>
<name>duo</name>
<range><lt>1.9.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The duo security team reports:</p>
<blockquote cite="https://duo.com/labs/psa/duo-psa-2017-002">
<p>An untrusted user may be able to set the http_proxy variable to
an invalid address. If this happens, this will trigger the
configured 'failmode' behavior, which defaults to safe. Safe
mode causes the authentication to report a success.</p>
</blockquote>
</body>
</description>
<references>
<url>https://duo.com/labs/psa/duo-psa-2017-002</url>
</references>
<dates>
<discovery>2017-05-19</discovery>
<entry>2017-06-01</entry>
</dates>
</vuln>
<vuln vid="673dce46-46d0-11e7-a539-0050569f7e80">
<topic>FreeRADIUS -- TLS resumption authentication bypass</topic>
<affects>
<package>
<name>freeradius</name>
<name>freeradius2</name>
<name>freeradius3</name>
<range><lt>3.0.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stefan Winter reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2017/q2/342">
<p>The TLS session cache in FreeRADIUS before 3.0.14 fails to
reliably prevent resumption of an unauthenticated session, which
allows remote attackers (such as malicious 802.1X supplicants) to
bypass authentication via PEAP or TTLS.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-9148</cvename>
<url>http://freeradius.org/security.html</url>
<url>http://seclists.org/oss-sec/2017/q2/342</url>
<url>http://www.securityfocus.com/bid/98734</url>
</references>
<dates>
<discovery>2017-02-03</discovery>
<entry>2017-06-01</entry>
</dates>
</vuln>
<vuln vid="40a8d798-4615-11e7-8080-a4badb2f4699">
<topic>heimdal -- bypass of capath policy</topic>
<affects>
<package>
<name>heimdal</name>
<range><lt>7.1.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Viktor Dukhovni reports:</p>
<blockquote cite="https://www.h5l.org/advisories.html?show=2017-04-13">
<p>Commit f469fc6 (2010-10-02) inadvertently caused the
previous hop realm to not be added to the transit path of issued
tickets. This may, in some cases, enable bypass of capath policy in
Heimdal versions 1.5 through 7.2. Note, this may break sites that rely
on the bug. With the bug some incomplete [capaths] worked, that should
not have. These may now break authentication in some cross-realm
configurations. (CVE-2017-6594)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-6594</cvename>
<freebsdpr>ports/219657</freebsdpr>
</references>
<dates>
<discovery>2017-04-13</discovery>
<entry>2017-05-31</entry>
</dates>
</vuln>
<vuln vid="51d1282d-420e-11e7-82c5-14dae9d210b8">
<topic>FreeBSD -- ipfilter(4) fragment handling panic</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>11.0</ge><lt>11.0_10</lt></range>
<range><ge>10.3</ge><lt>10.3_19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>ipfilter(4), when used for stateful packet inspection with
the "keep state" or "keep frags" rule options, not only
maintains the state of connections, such as TCP streams or UDP
communication, it also maintains the state of fragmented
packets. When packet fragments are received they are cached in
a hash table (and linked list). Each received fragment is
compared with the fragments already cached in the hash table
for a match. If it does not match, the new entry is added to
the hash table. If it does match, the wrong entry is freed:
the entry already in the hash table rather than the new one.
This results in a use-after-free panic (and, for a brief
moment prior to the panic, a memory leak, because the new
entry is never freed).</p>
<h1>Impact:</h1>
<p>Carefully crafted fragments that are allowed to pass through
an ipfilter(4) firewall can be used to cause a panic, followed
by a reboot loop, as a denial of service attack.</p>
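<p>The cache logic described above, as an added example that is not FreeBSD's or ipfilter's code: a small C model of a fragment hash table in which the lookup-on-insert frees the wrong entry, beside the corrected version. The structure names, the hash function and the two sample fragments are assumptions constructed for the demonstration, and freed memory is marked rather than actually released so that the dangling table pointer can be counted without undefined behaviour.</p>
<pre><![CDATA[
```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NBUCKETS 16

/* Constructed model of a fragment-cache entry keyed by the datagram's
 * addresses, IP id and protocol. Not ipfilter's real structures. */
struct frag {
    uint32_t src, dst;
    uint16_t id;
    uint8_t proto;
    int released;            /* demo bookkeeping: stands in for the memory being freed */
    struct frag *next;
};

struct frag_cache {
    struct frag *bucket[NBUCKETS];
    int leaked;              /* entries neither linked in the table nor released */
};

static unsigned frag_hash(const struct frag *f) {
    return (f->src ^ f->dst ^ f->id ^ f->proto) % NBUCKETS;
}

static int frag_match(const struct frag *a, const struct frag *b) {
    return a->src == b->src && a->dst == b->dst && a->id == b->id && a->proto == b->proto;
}

/* Stands in for free(): the memory is marked rather than returned, so a later
 * table walk can detect a pointer to it without undefined behaviour. */
static void frag_release(struct frag *f) { f->released = 1; }

static struct frag *frag_find(struct frag_cache *c, const struct frag *key) {
    struct frag *f;
    for (f = c->bucket[frag_hash(key)]; f != NULL; f = f->next)
        if (frag_match(f, key)) return f;
    return NULL;
}

static void frag_link(struct frag_cache *c, struct frag *nf) {
    unsigned h = frag_hash(nf);
    nf->next = c->bucket[h];
    c->bucket[h] = nf;
}

/* Vulnerable shape: on a match, the entry already in the table is released
 * while still linked there (the later use is the use-after-free), and the
 * freshly built entry is simply forgotten (the leak). */
static struct frag *frag_insert_buggy(struct frag_cache *c, struct frag *nf) {
    struct frag *old = frag_find(c, nf);
    if (old == NULL) { frag_link(c, nf); return nf; }
    frag_release(old);
    c->leaked++;
    return old;
}

/* Fixed shape: the duplicate is the one that goes away; the cached entry
 * keeps tracking the datagram. */
static struct frag *frag_insert_fixed(struct frag_cache *c, struct frag *nf) {
    struct frag *old = frag_find(c, nf);
    if (old == NULL) { frag_link(c, nf); return nf; }
    frag_release(nf);
    return old;
}

/* Count table entries that point at released memory. */
static int frag_dangling(const struct frag_cache *c) {
    int i, n = 0;
    for (i = 0; i < NBUCKETS; i++) {
        const struct frag *f;
        for (f = c->bucket[i]; f != NULL; f = f->next)
            if (f->released) n++;
    }
    return n;
}

typedef struct frag *(*insert_fn)(struct frag_cache *, struct frag *);

/* Replay two fragments of one datagram (constructed sample) through the given
 * insert routine; returns the number of dangling table entries and reports
 * the leak count through *leaked. */
static int replay_duplicate(insert_fn insert, int *leaked) {
    struct frag_cache c = {{0}, 0};
    struct frag a = {0x0a000001u, 0x0a000002u, 0x1234, 17, 0, NULL};
    struct frag b = a;            /* second fragment: same 4-tuple */
    insert(&c, &a);
    insert(&c, &b);
    *leaked = c.leaked;
    return frag_dangling(&c);
}

static int replay_dangling(insert_fn insert) { int l; return replay_duplicate(insert, &l); }
static int replay_leaked(insert_fn insert)   { int l; replay_duplicate(insert, &l); return l; }

int main(void) {
    printf("buggy: dangling=%d leaked=%d\n",
           replay_dangling(frag_insert_buggy), replay_leaked(frag_insert_buggy));
    printf("fixed: dangling=%d leaked=%d\n",
           replay_dangling(frag_insert_fixed), replay_leaked(frag_insert_fixed));
    return 0;
}
```
]]></pre>
<p>With the buggy insert the table is left holding one pointer to released memory and one entry is leaked; with the fixed insert there is neither, which is the property the advisory's fix restores.</p>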
</body>
</description>
<references>
<cvename>CVE-2017-1081</cvename>
<freebsdsa>SA-17:04.ipfilter</freebsdsa>
</references>
<dates>
<discovery>2017-04-27</discovery>
<entry>2017-05-26</entry>
</dates>
</vuln>
<vuln vid="3c0237f5-420e-11e7-82c5-14dae9d210b8">
<topic>FreeBSD -- Multiple vulnerabilities of ntp</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>11.0</ge><lt>11.0_9</lt></range>
<range><ge>10.3</ge><lt>10.3_18</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A vulnerability was discovered in the NTP server's parsing
of configuration directives. [CVE-2017-6464]</p>
<p>A vulnerability was found in NTP, in the parsing of
packets from the DPTS Clock. [CVE-2017-6462]</p>
<p>A vulnerability was discovered in the NTP server's parsing
of configuration directives. [CVE-2017-6463]</p>
<p>A vulnerability was found in NTP, affecting the origin
timestamp check function. [CVE-2016-9042]</p>
<h1>Impact:</h1>
<p>A remote, authenticated attacker could cause ntpd to
crash by sending a crafted message. [CVE-2017-6463,
CVE-2017-6464]</p>
<p>A malicious device could send crafted messages, causing
ntpd to crash. [CVE-2017-6462]</p>
<p>An attacker able to spoof messages from all of the
configured peers could send crafted packets to ntpd, causing
later replies from those peers to be discarded, resulting
in denial of service. [CVE-2016-9042]</p>
</body>
</description>
<references>
<cvename>CVE-2016-9042</cvename>
<cvename>CVE-2017-6462</cvename>
<cvename>CVE-2017-6463</cvename>
<cvename>CVE-2017-6464</cvename>
<freebsdsa>SA-17:03.ntp</freebsdsa>
</references>
<dates>
<discovery>2017-04-12</discovery>
<entry>2017-05-26</entry>
</dates>
</vuln>
<vuln vid="ec6aeb8e-41e4-11e7-aa00-5404a68ad561">
<topic>vlc -- remote code execution via crafted subtitles</topic>
<affects>
<package>
<name>vlc</name>
<range><lt>2.2.6,4</lt></range>
</package>
<package>
<name>vlc-qt4</name>
<range><lt>2.2.6,4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Check Point research team reports:</p>
<blockquote cite="http://blog.checkpoint.com/2017/05/23/hacked-in-translation/">
<p>Remote code execution via crafted subtitles</p>
</blockquote>
</body>
</description>
<references>
<url>http://blog.checkpoint.com/2017/05/23/hacked-in-translation/</url>
</references>
<dates>
<discovery>2017-05-23</discovery>
<entry>2017-05-26</entry>
</dates>
</vuln>
<vuln vid="803879e9-4195-11e7-9b08-080027ef73ec">
<topic>OpenEXR -- multiple remote code execution and denial of service vulnerabilities</topic>
<affects>
<package>
<name>OpenEXR</name>
<range><lt>2.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Brandon Perry reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2017/05/12/5">
<p>[There] is a zip file of EXR images that cause segmentation faults in the OpenEXR library (tested against 2.2.0).</p>
<ul>
<li>CVE-2017-9110
In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash.</li>
<li>CVE-2017-9111
In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h could cause the application to crash or execute arbitrary code.</li>
<li>CVE-2017-9112
In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash.</li>
<li>CVE-2017-9113
In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp could cause the application to crash or execute arbitrary code.</li>
<li>CVE-2017-9114
In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash.</li>
<li>CVE-2017-9115
In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function in half.h could cause the application to crash or execute arbitrary code.</li>
<li>CVE-2017-9116
In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2017/05/12/5</url>
<cvename>CVE-2017-9110</cvename>
<cvename>CVE-2017-9111</cvename>
<cvename>CVE-2017-9112</cvename>
<cvename>CVE-2017-9113</cvename>
<cvename>CVE-2017-9114</cvename>
<cvename>CVE-2017-9115</cvename>
<cvename>CVE-2017-9116</cvename>
<url>https://github.com/openexr/openexr/issues/232</url>
</references>
<dates>
<discovery>2017-01-12</discovery>
<entry>2017-05-25</entry>
</dates>
</vuln>
<vuln vid="50776801-4183-11e7-b291-b499baebfeaf">
<topic>ImageMagick -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ImageMagick</name>
<name>ImageMagick-nox11</name>
<range><lt>6.9.6.4_2,1</lt></range>
<range><ge>6.9.7.0,1</ge><lt>6.9.8.8,1</lt></range>
</package>
<package>
<name>ImageMagick7</name>
<name>ImageMagick7-nox11</name>
<range><lt>7.0.5.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://nvd.nist.gov/vuln/search/results?query=ImageMagick">
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<url>https://nvd.nist.gov/vuln/search/results?query=ImageMagick</url>
<cvename>CVE-2017-5506</cvename>
<cvename>CVE-2017-5507</cvename>
<cvename>CVE-2017-5508</cvename>
<cvename>CVE-2017-5509</cvename>
<cvename>CVE-2017-5510</cvename>
<cvename>CVE-2017-5511</cvename>
<cvename>CVE-2017-6497</cvename>
<cvename>CVE-2017-6498</cvename>
<cvename>CVE-2017-6499</cvename>
<cvename>CVE-2017-6500</cvename>
<cvename>CVE-2017-6501</cvename>
<cvename>CVE-2017-6502</cvename>
<cvename>CVE-2017-7275</cvename>
<cvename>CVE-2017-7606</cvename>
<cvename>CVE-2017-7619</cvename>
<cvename>CVE-2017-7941</cvename>
<cvename>CVE-2017-7942</cvename>
<cvename>CVE-2017-7943</cvename>
<cvename>CVE-2017-8343</cvename>
<cvename>CVE-2017-8344</cvename>
<cvename>CVE-2017-8345</cvename>
<cvename>CVE-2017-8346</cvename>
<cvename>CVE-2017-8347</cvename>
<cvename>CVE-2017-8348</cvename>
<cvename>CVE-2017-8349</cvename>
<cvename>CVE-2017-8350</cvename>
<cvename>CVE-2017-8351</cvename>
<cvename>CVE-2017-8352</cvename>
<cvename>CVE-2017-8353</cvename>
<cvename>CVE-2017-8354</cvename>
<cvename>CVE-2017-8355</cvename>
<cvename>CVE-2017-8356</cvename>
<cvename>CVE-2017-8357</cvename>
<cvename>CVE-2017-8765</cvename>
<cvename>CVE-2017-8830</cvename>
<cvename>CVE-2017-9141</cvename>
<cvename>CVE-2017-9142</cvename>
<cvename>CVE-2017-9143</cvename>
<cvename>CVE-2017-9144</cvename>
</references>
<dates>
<discovery>2017-03-05</discovery>
<entry>2017-05-25</entry>
<modified>2017-05-29</modified>
</dates>
</vuln>
<vuln vid="6f4d96c0-4062-11e7-b291-b499baebfeaf">
<topic>samba -- remote code execution vulnerability</topic>
<affects>
<package>
<name>samba42</name>
<range><lt>4.2.15</lt></range>
</package>
<package>
<name>samba43</name>
<range><lt>4.3.14</lt></range>
</package>
<package>
<name>samba44</name>
<range><lt>4.4.14</lt></range>
</package>
<package>
<name>samba45</name>
<range><lt>4.5.10</lt></range>
</package>
<package>
<name>samba46</name>
<range><lt>4.6.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Samba project reports:</p>
<blockquote cite="https://www.samba.org/samba/security/CVE-2017-7494.html">
<p>Remote code execution from a writable share.</p>
<p>All versions of Samba from 3.5.0 onwards are vulnerable to a remote
code execution vulnerability, allowing a malicious client to upload
a shared library to a writable share, and then cause the server to
load and execute it.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.samba.org/samba/security/CVE-2017-7494.html</url>
<cvename>CVE-2017-7494</cvename>
</references>
<dates>
<discovery>2017-05-24</discovery>
<entry>2017-05-24</entry>
</dates>
</vuln>
<vuln vid="f52e3a8d-3f7e-11e7-97a9-a0d3c19bfa21">
<topic>NVIDIA UNIX driver -- multiple vulnerabilities in the kernel mode layer handler</topic>
<affects>
<package>
<name>nvidia-driver</name>
<range><lt>375.66</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVIDIA Unix security team reports:</p>
<blockquote cite="http://nvidia.custhelp.com/app/answers/detail/a_id/4462">
<p>NVIDIA GPU Display Driver contains vulnerabilities in the
kernel mode layer handler where not correctly validated user
input, NULL pointer dereference, and incorrect access control
may lead to denial of service or potential escalation of
privileges.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-0350</cvename>
<cvename>CVE-2017-0351</cvename>
<cvename>CVE-2017-0352</cvename>
<url>http://nvidia.custhelp.com/app/answers/detail/a_id/4462</url>
</references>
<dates>
<discovery>2017-05-15</discovery>
<entry>2017-05-23</entry>
</dates>
</vuln>
<vuln vid="da1d5d2e-3eca-11e7-8861-0018fe623f2b">
<topic>miniupnpc -- integer signedness error</topic>
<affects>
<package>
<name>miniupnpc</name>
<range><lt>2.0.20170509</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tintinweb reports:</p>
<blockquote cite="https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-8798">
<p>An integer signedness error was found in miniupnp's miniwget
allowing an unauthenticated remote entity typically located on the
local network segment to trigger a heap corruption or an access
violation in miniupnp's http response parser when processing a
specially crafted chunked-encoded response to a request for the
xml root description url.</p>
</blockquote>
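<p>The bug class named above, as an added example that is not miniupnpc's code: a C model of a chunked-transfer-encoding decoder in which the chunk size is parsed into a signed int, so a size line of FFFFFFFF becomes -1 and passes a signed bounds check before the copy, beside a decoder that parses into size_t, rejects overflow and checks each chunk against both the remaining input and the remaining output before copying. The sample bodies are constructed for the demonstration.</p>
<pre><![CDATA[
```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Vulnerable shape: the chunk size ends up in a signed int. Eight hex digits
 * of F wrap to -1, which then satisfies a signed "fits in buffer" test, and
 * the following memcpy would be handed (size_t)-1 bytes: heap corruption. */
static int chunk_len_signed(const char *p, size_t n) {
    unsigned v = 0;
    size_t i;
    for (i = 0; i < n && hexval(p[i]) >= 0; i++)
        v = (v << 4) | (unsigned)hexval(p[i]);
    return (int)v;
}

static int chunk_fits_signed(int len, int avail) {
    return len <= avail;                 /* -1 <= 512 is true */
}

/* Fixed shape: parse into size_t with overflow detection. Returns 0 and the
 * number of digits consumed, or -1 if there are no digits or too many. */
static int parse_hex_size(const char *p, size_t n, size_t *out, size_t *used) {
    size_t v = 0, i;
    for (i = 0; i < n; i++) {
        int d = hexval(p[i]);
        if (d < 0) break;
        if (v > (SIZE_MAX >> 4)) return -1;
        v = (v << 4) | (size_t)d;
    }
    if (i == 0) return -1;
    *out = v;
    *used = i;
    return 0;
}

/* Decode a chunked body into out. Every chunk must fit in what is left of
 * both the input and the output before a single byte is copied. Chunk
 * extensions are skipped and trailers ignored. Returns the decoded length
 * or -1 on malformed or hostile input. */
static long decode_chunked(const char *in, size_t inlen, char *out, size_t outcap) {
    size_t ip = 0, op = 0;
    for (;;) {
        size_t len, used;
        if (parse_hex_size(in + ip, inlen - ip, &len, &used) < 0) return -1;
        ip += used;
        while (ip < inlen && in[ip] != '\n') ip++;   /* end of size line */
        if (ip >= inlen) return -1;
        ip++;
        if (len == 0) return (long)op;               /* last chunk */
        if (len > inlen - ip || len > outcap - op) return -1;
        memcpy(out + op, in + ip, len);
        op += len;
        ip += len;
        if (inlen - ip < 2 || in[ip] != '\r' || in[ip + 1] != '\n') return -1;
        ip += 2;
    }
}

/* Constructed sample bodies. */
static const char GOOD_BODY[]      = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
static const char HOSTILE_BODY[]   = "FFFFFFFF\r\nAAAA\r\n0\r\n\r\n";
static const char OVERSIZED_BODY[] = "100\r\nshort\r\n0\r\n\r\n";   /* claims 256 bytes, sends 5 */

static long demo_decode(const char *body, size_t n) {
    char out[64];
    return decode_chunked(body, n, out, sizeof out);
}

static long demo_good_len(void)      { return demo_decode(GOOD_BODY, sizeof GOOD_BODY - 1); }
static long demo_hostile_len(void)   { return demo_decode(HOSTILE_BODY, sizeof HOSTILE_BODY - 1); }
static long demo_oversized_len(void) { return demo_decode(OVERSIZED_BODY, sizeof OVERSIZED_BODY - 1); }

static int demo_good_text_ok(void) {
    char out[64];
    long n = decode_chunked(GOOD_BODY, sizeof GOOD_BODY - 1, out, sizeof out);
    return n == 9 && memcmp(out, "Wikipedia", 9) == 0;
}

int main(void) {
    int bad = chunk_len_signed("FFFFFFFF", 8);
    printf("signed parse of FFFFFFFF: %d, passes signed bounds check: %d\n",
           bad, chunk_fits_signed(bad, 512));
    printf("fixed decoder: good=%ld hostile=%ld oversized=%ld\n",
           demo_good_len(), demo_hostile_len(), demo_oversized_len());
    return 0;
}
```
]]></pre>
<p>The fixed decoder refuses the FFFFFFFF chunk because it exceeds the bytes actually present, and refuses a chunk that announces more than it delivers, while still decoding a well-formed body; the signed variant would have proceeded to the copy in both hostile cases.</p>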
</body>
</description>
<references>
<cvename>CVE-2017-8798</cvename>
<url>https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-8798</url>
</references>
<dates>
<discovery>2017-05-09</discovery>
<entry>2017-05-22</entry>
</dates>
</vuln>
<vuln vid="a5bb7ea0-3e58-11e7-94a2-00e04c1ea73d">
<topic>Wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<name>fr-wordpress</name>
<range><lt>4.7.5,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>ja-wordpress</name>
<name>ru-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.7.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://wordpress.org/news/2017/05/wordpress-4-7-5/">
<p>WordPress versions 4.7.4 and earlier are affected by six security issues</p>
<ul>
<li>Insufficient redirect validation in the HTTP class.</li>
<li>Improper handling of post meta data values in the XML-RPC API.</li>
<li>Lack of capability checks for post meta data in the XML-RPC API.</li>
<li>A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog.</li>
<li>A cross-site scripting (XSS) vulnerability was discovered related to the Customizer.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://wordpress.org/news/2017/05/wordpress-4-7-5/</url>
</references>
<dates>
<discovery>2017-05-16</discovery>
<entry>2017-05-21</entry>
</dates>
</vuln>
<vuln vid="fab87bff-3ce5-11e7-bf9d-001999f8d30b">
<topic>asterisk -- Memory exhaustion on short SCCP packets</topic>
<affects>
<package>
<name>asterisk13</name>
<range><lt>13.15.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>A remote memory exhaustion can be triggered by sending
an SCCP packet to Asterisk system with "chan_skinny"
enabled that is larger than the length of the SCCP header
but smaller than the packet length specified in the header.
The loop that reads the rest of the packet doesn't detect
that the call to read() returned end-of-file before the
expected number of bytes and continues infinitely. The
"partial data" message logging in that tight loop causes
Asterisk to exhaust all available memory.</p>
</blockquote>
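<p>The read loop described above, as an added example that is not Asterisk's chan_skinny code: a C model of reading a length-prefixed message from a stream, first with a loop that treats an end-of-file return as neither error nor progress, then with one that aborts on it. The 8-byte framing, the in-memory stream and the two sample messages are assumptions constructed for the demonstration, and the vulnerable loop is given an iteration cap purely so the demo terminates.</p>
<pre><![CDATA[
```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* In-memory byte stream standing in for the client's TCP socket (constructed
 * for this demonstration). */
struct mem_stream { const uint8_t *data; size_t len, pos; };

/* Mimics read(2) on a socket: up to n bytes, 0 once the peer has closed. */
static long mem_read(struct mem_stream *s, void *buf, size_t n) {
    size_t left = s->len - s->pos;
    if (n > left) n = left;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return (long)n;
}

/* Vulnerable shape: only a negative return is treated as failure, so a 0
 * (end-of-file) neither ends the loop nor advances it, and every pass logs
 * another "partial data" line. The cap exists only so this demo terminates;
 * the real loop had none. */
static long read_rest_buggy(struct mem_stream *s, uint8_t *buf, size_t want,
                            int cap, int *log_lines) {
    size_t got = 0;
    while (got < want && cap-- > 0) {
        long r = mem_read(s, buf + got, want - got);
        if (r < 0) return -1;
        got += (size_t)r;
        if (got < want) (*log_lines)++;      /* "partial data" message */
    }
    return (long)got;
}

/* Fixed shape: EOF before the announced length means the peer lied or went
 * away; abort instead of spinning. */
static long read_rest_fixed(struct mem_stream *s, uint8_t *buf, size_t want) {
    size_t got = 0;
    while (got < want) {
        long r = mem_read(s, buf + got, want - got);
        if (r <= 0) return -1;
        got += (size_t)r;
    }
    return (long)got;
}

/* Simplified framing assumed for the demo: 4-byte little-endian body length,
 * 4 reserved bytes, then the body. */
#define HDR_LEN 8

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Read one framed message with the fixed loop. Returns the body length, or -1
 * if the stream ends early or the header announces more than the buffer holds. */
static long read_message_fixed(struct mem_stream *s, uint8_t *body, size_t body_cap) {
    uint8_t hdr[HDR_LEN];
    uint32_t len;
    if (read_rest_fixed(s, hdr, HDR_LEN) != HDR_LEN) return -1;
    len = le32(hdr);
    if (len > body_cap) return -1;
    return read_rest_fixed(s, body, len);
}

/* Constructed samples: one message claims 64 body bytes but only 8 arrive
 * before the client closes; the other is complete. */
static const uint8_t SHORT_MSG[] = { 0x40,0,0,0, 0,0,0,0, 1,2,3,4,5,6,7,8 };
static const uint8_t GOOD_MSG[]  = { 4,0,0,0, 0,0,0,0, 0x81,0,0,0 };

static long demo_short_fixed(void) {
    struct mem_stream s = { SHORT_MSG, sizeof SHORT_MSG, 0 };
    uint8_t body[128];
    return read_message_fixed(&s, body, sizeof body);
}

static long demo_good_fixed(void) {
    struct mem_stream s = { GOOD_MSG, sizeof GOOD_MSG, 0 };
    uint8_t body[128];
    return read_message_fixed(&s, body, sizeof body);
}

/* How many "partial data" lines the vulnerable loop logs for the short
 * message within 1000 passes: one per pass, and the real loop never stops. */
static int demo_short_buggy_log_lines(void) {
    struct mem_stream s = { SHORT_MSG, sizeof SHORT_MSG, 0 };
    uint8_t hdr[HDR_LEN], body[128];
    int lines = 0;
    mem_read(&s, hdr, HDR_LEN);
    read_rest_buggy(&s, body, le32(hdr), 1000, &lines);
    return lines;
}

int main(void) {
    printf("fixed loop: short message -> %ld, complete message -> %ld\n",
           demo_short_fixed(), demo_good_fixed());
    printf("vulnerable loop: %d \"partial data\" lines in 1000 passes\n",
           demo_short_buggy_log_lines());
    return 0;
}
```
]]></pre>
<p>The fixed loop returns an error as soon as the peer closes short of the announced length; the vulnerable one logs once per pass for as long as it is allowed to run, which on a real server is until memory is exhausted.</p>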
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2017-004.html</url>
</references>
<dates>
<discovery>2017-04-13</discovery>
<entry>2017-05-19</entry>
</dates>
</vuln>
<vuln vid="0537afa3-3ce0-11e7-bf9d-001999f8d30b">
<topic>asterisk -- Buffer Overrun in PJSIP transaction layer</topic>
<affects>
<package>
<name>asterisk13</name>
<range><lt>13.15.1</lt></range>
</package>
<package>
<name>pjsip</name>
<range><lt>2.6_1</lt></range>
</package>
<package>
<name>pjsip-extsrtp</name>
<range><lt>2.6_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>A remote crash can be triggered by sending a SIP packet
to Asterisk with a specially crafted CSeq header and a
Via header with no branch parameter. The issue is that
the PJSIP RFC 2543 transaction key generation algorithm
does not allocate a large enough buffer. By overrunning
the buffer, the memory allocation table becomes corrupted,
leading to an eventual crash.</p>
<p>The multi-part body parser in PJSIP contains a logical
error that can make certain multi-part body parts attempt
to read memory from outside the allowed boundaries. A
specially-crafted packet can trigger these invalid reads
and potentially induce a crash.</p>
<p>This issue is in PJSIP, and so it can be fixed
without performing an upgrade of Asterisk at all. However,
we are releasing a new version of Asterisk with the bundled
PJProject updated to include the fix.</p>
<p>If you are running Asterisk with chan_sip, this issue
does not affect you.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2017-002.html</url>
<url>http://downloads.asterisk.org/pub/security/AST-2017-003.html</url>
</references>
<dates>
<discovery>2017-04-12</discovery>
<entry>2017-05-19</entry>
</dates>
</vuln>
<vuln vid="3c2549b3-3bed-11e7-a9f0-a4badb296695">
<topic>Joomla3 -- SQL Injection</topic>
<affects>
<package>
<name>joomla3</name>
<range><eq>3.7.0</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>JSST reports:</p>
<blockquote cite="https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html">
<p>Inadequate filtering of request data leads to a SQL Injection vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-8917</cvename>
<url>https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html</url>
</references>
<dates>
<discovery>2017-05-11</discovery>
<entry>2017-05-18</entry>
</dates>
</vuln>
<vuln vid="9704930c-3bb7-11e7-93f7-d43d7e971a1b">
<topic>gitlab -- Various security issues</topic>
<affects>
<package>
<name>gitlab</name>
<range><ge>6.6.0</ge><le>8.17.5</le></range>
<range><ge>9.0.0</ge><le>9.0.6</le></range>
<range><ge>9.1.0</ge><le>9.1.2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GitLab reports:</p>
<blockquote cite="https://about.gitlab.com/2017/05/08/gitlab-9-dot-1-dot-3-security-release/">
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<url>https://about.gitlab.com/2017/05/08/gitlab-9-dot-1-dot-3-security-release/</url>
</references>
<dates>
<discovery>2017-05-08</discovery>
<entry>2017-05-18</entry>
<modified>2017-05-30</modified>
</dates>
</vuln>
<vuln vid="5d62950f-3bb5-11e7-93f7-d43d7e971a1b">
<topic>gitlab -- Various security issues</topic>
<affects>
<package>
<name>gitlab</name>
<range><ge>8.7.0</ge><le>8.15.7</le></range>
<range><ge>8.16.0</ge><le>8.16.7</le></range>
<range><ge>8.17.0</ge><le>8.17.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GitLab reports:</p>
<blockquote cite="https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/">
<h1>Information Disclosure in Issue and Merge Request Trackers</h1>
<p>During an internal code review a critical vulnerability in the GitLab
Issue and Merge Request trackers was discovered. This vulnerability could
allow a user with access to assign ownership of an issue or merge request to
another user to disclose that user's private token, email token, email
address, and encrypted OTP secret. Reporter-level access to a GitLab project
is required to exploit this flaw.</p>
<h1>SSRF when importing a project from a Repo by URL</h1>
<p>GitLab instances that have enabled project imports using "Repo by URL"
were vulnerable to Server-Side Request Forgery attacks. By specifying a
project import URL of localhost an attacker could target services that are
bound to the local interface of the server. These services often do not
require authentication. Depending on the service an attacker might be able
craft an attack using the project import request URL.</p>
<h1>Links in Environments tab vulnerable to tabnabbing</h1>
<p>edio via HackerOne reported that user-configured Environment links
include target=_blank but do not also include rel: noopener
noreferrer. Anyone clicking on these links may therefore be subjected to
tabnabbing attacks where a link back to the requesting page is maintained
and can be manipulated by the target server.</p>
<h1>Accounts with email set to "Do not show on profile" have addresses
exposed in public atom feed</h1>
<p>Several GitLab users reported that even with "Do not show on profile"
configured for their email addresses those addresses were still being leaked
in Atom feeds if they commented on a public project.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-0882</cvename>
<url>https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/</url>
</references>
<dates>
<discovery>2017-03-20</discovery>
<entry>2017-05-18</entry>
<modified>2017-05-30</modified>
</dates>
</vuln>
<vuln vid="4a088d67-3af2-11e7-9d75-c86000169601">
<topic>freetype2 -- buffer overflows</topic>
<affects>
<package>
<name>freetype2</name>
<range><lt>2.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Werner Lemberg reports:</p>
<blockquote cite="http://lists.nongnu.org/archive/html/freetype-announce/2017-05/msg00000.html">
<p>CVE-2017-8105, CVE-2017-8287: Older FreeType versions have
out-of-bounds writes caused by heap-based buffer overflows
related to Type 1 fonts.</p>
</blockquote>
</body>
</description>
<references>
<url>http://lists.nongnu.org/archive/html/freetype-announce/2017-05/msg00000.html</url>
<cvename>CVE-2017-8105</cvename>
<cvename>CVE-2017-8287</cvename>
</references>
<dates>
<discovery>2017-05-17</discovery>
<entry>2017-05-17</entry>
</dates>
</vuln>
<vuln vid="04cc7bd2-3686-11e7-aa64-080027ef73ec">
<topic>OpenVPN -- two remote denial-of-service vulnerabilities</topic>
<affects>
<package>
<name>openvpn</name>
<range><lt>2.3.15</lt></range>
<range><ge>2.4.0</ge><lt>2.4.2</lt></range>
</package>
<package>
<name>openvpn23</name>
<range><lt>2.3.15</lt></range>
</package>
<package>
<name>openvpn-mbedtls</name>
<range><ge>2.4.0</ge><lt>2.4.2</lt></range>
</package>
<package>
<name>openvpn-polarssl</name>
<range><lt>2.3.15</lt></range>
</package>
<package>
<name>openvpn23-polarssl</name>
<range><lt>2.3.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samuli Seppänen reports:</p>
<blockquote cite="https://openvpn.net/index.php/open-source/downloads.html">
<p>OpenVPN v2.4.0 was audited for security vulnerabilities independently by
Quarkslab (funded by OSTIF) and Cryptography Engineering (funded by
Private Internet Access) between December 2016 and April 2017. The
primary findings were two remote denial-of-service vulnerabilities.
Fixes to them have been backported to v2.3.15.</p>
<p>An authenticated client can do the 'three way handshake'
(P_HARD_RESET, P_HARD_RESET, P_CONTROL), where the P_CONTROL packet
is the first that is allowed to carry payload. If that payload is
too big, the OpenVPN server process will stop running due to an
ASSERT() exception. That is also the reason why servers using
tls-auth/tls-crypt are protected against this attack - the P_CONTROL
packet is only accepted if it contains the session ID we specified,
with a valid HMAC (challenge-response). (CVE-2017-7478)</p>
<p>An authenticated client can cause the server's packet-id
counter to roll over, which would lead the server process to hit an
ASSERT() and stop running. To make the server hit the ASSERT(), the
client must first cause the server to send it 2^32 packets (at least
196 GB).</p>
</blockquote>
</body>
</description>
<references>
<url>https://openvpn.net/index.php/open-source/downloads.html</url>
<cvename>CVE-2017-7478</cvename>
<cvename>CVE-2017-7479</cvename>
<url>https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits</url>
<url>https://ostif.org/?p=870&amp;preview=true</url>
<url>https://www.privateinternetaccess.com/blog/2017/05/openvpn-2-4-2-fixes-critical-issues-discovered-openvpn-audit-reports/</url>
</references>
<dates>
<discovery>2017-05-10</discovery>
<entry>2017-05-11</entry>
</dates>
</vuln>
<vuln vid="414c18bf-3653-11e7-9550-6cc21735f730">
<topic>PostgreSQL vulnerabilities</topic>
<affects>
<package>
<name>postgresql92-client</name>
<range><ge>9.2.0</ge><lt>9.2.20</lt></range>
</package>
<package>
<name>postgresql93-client</name>
<range><ge>9.3.0</ge><lt>9.3.16</lt></range>
</package>
<package>
<name>postgresql94-client</name>
<range><ge>9.4.0</ge><lt>9.4.11</lt></range>
</package>
<package>
<name>postgresql95-client</name>
<range><ge>9.5.0</ge><lt>9.5.6</lt></range>
</package>
<package>
<name>postgresql96-client</name>
<range><ge>9.6.0</ge><lt>9.6.2</lt></range>
</package>
<package>
<name>postgresql92-server</name>
<range><ge>9.2.0</ge><lt>9.2.20</lt></range>
</package>
<package>
<name>postgresql93-server</name>
<range><ge>9.3.0</ge><lt>9.3.16</lt></range>
</package>
<package>
<name>postgresql94-server</name>
<range><ge>9.4.0</ge><lt>9.4.11</lt></range>
</package>
<package>
<name>postgresql95-server</name>
<range><ge>9.5.0</ge><lt>9.5.6</lt></range>
</package>
<package>
<name>postgresql96-server</name>
<range><ge>9.6.0</ge><lt>9.6.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PostgreSQL project reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1746/">
<p>
Security Fixes nested CASE expressions +
database and role names with embedded special characters
</p>
<ul>
<li>CVE-2017-7484: selectivity estimators bypass SELECT privilege
checks.
</li>
<li>CVE-2017-7485: libpq ignores PGREQUIRESSL environment variable
</li>
<li>CVE-2017-7486: pg_user_mappings view discloses foreign server
passwords. This applies to new databases, see the release notes for
the procedure to apply the fix to an existing database.
</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-7484</cvename>
<cvename>CVE-2017-7485</cvename>
<cvename>CVE-2017-7486</cvename>
<url>http://www.postgresql.org/about/news/1746/</url>
</references>
<dates>
<discovery>2017-05-11</discovery>
<entry>2017-05-11</entry>
</dates>
</vuln>
<vuln vid="0baee383-356c-11e7-b9a9-50e549ebab6c">
<topic>kauth: Local privilege escalation</topic>
<affects>
<package>
<name>kdelibs</name>
<range><lt>4.14.30_4</lt></range>
</package>
<package>
<name>kf5-kauth</name>
<range><lt>5.33.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Albert Astals Cid reports:</p>
<blockquote cite="https://www.kde.org/info/security/advisory-20170510-1.txt">
<p>KAuth contains a logic flaw in which the service invoking dbus
is not properly checked.
This allows spoofing the identity of the caller and with some
carefully crafted calls can lead to gaining root from an
unprivileged account.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-8422</cvename>
<mlist>http://www.openwall.com/lists/oss-security/2017/05/10/3</mlist>
<url>https://www.kde.org/info/security/advisory-20170510-1.txt</url>
</references>
<dates>
<discovery>2017-05-10</discovery>
<entry>2017-05-10</entry>
</dates>
</vuln>
<vuln vid="57600032-34fe-11e7-8965-bcaec524bf84">
<topic>libetpan -- null dereference vulnerability in MIME parsing component</topic>
<affects>
<package>
<name>libetpan</name>
<range><lt>1.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>rwhitworth reports:</p>
<blockquote cite="https://github.com/dinhviethoa/libetpan/issues/274">
<p>I was using American Fuzzy Lop (afl-fuzz) to fuzz input to the
mime-parse test program. Is fixing these crashes something you're
interested in? The input files can be found here:
https://github.com/rwhitworth/libetpan-fuzz/.
The files can be executed as ./mime-parse id_filename to cause
seg faults.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-8825</cvename>
<url>http://cve.circl.lu/cve/CVE-2017-8825</url>
</references>
<dates>
<discovery>2017-04-29</discovery>
<entry>2017-05-09</entry>
</dates>
</vuln>
<vuln vid="92e345d0-304d-11e7-8359-e8e0b747a45a">
<topic>chromium -- race condition vulnerability</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>58.0.3029.96</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/05/stable-channel-update-for-desktop.html">
<p>1 security fix in this release:</p>
</blockquote>
<ul>
<li>[679306] High CVE-2017-5068: Race condition in WebRTC. Credit to
Philipp Hancke</li>
</ul>
</body>
</description>
<references>
<cvename>CVE-2017-5068</cvename>
<url>https://chromereleases.googleblog.com/2017/05/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2017-05-02</discovery>
<entry>2017-05-03</entry>
</dates>
</vuln>
<vuln vid="a8c8001b-216c-11e7-80aa-005056925db4">
<topic>dovecot -- Dovecot DoS when passdb dict was used for authentication</topic>
<affects>
<package>
<name>dovecot</name>
<name>dovecot2</name>
<range><gt>2.2.25_6</gt><lt>2.2.29</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Timo Sirainen reports:</p>
<blockquote cite="https://dovecot.org/list/dovecot-news/2017-April/000341.html">
<p>passdb/userdb dict: Don't double-expand %variables in keys. If dict
was used as the authentication passdb, using specially crafted
%variables in the username could be used to cause DoS.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-2669</cvename>
<mlist>https://dovecot.org/list/dovecot-news/2017-April/000341.html</mlist>
<mlist>https://dovecot.org/list/dovecot-news/2017-April/000342.html</mlist>
</references>
<dates>
<discovery>2016-12-01</discovery>
<entry>2017-04-30</entry>
</dates>
</vuln>
<vuln vid="24673ed7-2bf3-11e7-b291-b499baebfeaf">
<topic>LibreSSL -- TLS verification vulnerability</topic>
<affects>
<package>
<name>libressl</name>
<range><ge>2.5.1</ge><lt>2.5.3_1</lt></range>
</package>
<package>
<name>libressl-devel</name>
<range><ge>2.5.1</ge><lt>2.5.3_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jakub Jirutka reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2017/q2/145">
<p>LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if
SSL_get_verify_result is relied upon for a later check of a
verification result, in a use case where a user-provided verification
callback returns 1, as demonstrated by acceptance of invalid
certificates by nginx.
</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2017/q2/145</url>
<url>https://github.com/libressl-portable/portable/issues/307</url>
<cvename>CVE-2017-8301</cvename>
</references>
<dates>
<discovery>2017-04-27</discovery>
<entry>2017-04-28</entry>
</dates>
</vuln>
<vuln vid="631c4710-9be5-4a80-9310-eb2847fe24dd">
<topic>jenkins -- multiple vulnerabilities</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>2.57</lt></range>
</package>
<package>
<name>jenkins-lts</name>
<range><lt>2.46.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory:</p>
<blockquote cite="https://jenkins.io/security/advisory/2017-04-26/">
<h1>Description</h1>
<h5>SECURITY-412 through SECURITY-420 / CVE-2017-1000356</h5>
<p>CSRF: Multiple vulnerabilities</p>
<h5>SECURITY-429 / CVE-2017-1000353</h5>
<p>CLI: Unauthenticated remote code execution</p>
<h5>SECURITY-466 / CVE-2017-1000354</h5>
<p>CLI: Login command allowed impersonating any Jenkins user</p>
<h5>SECURITY-503 / CVE-2017-1000355</h5>
<p>XStream: Java crash when trying to instantiate void/Void</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-1000356</cvename>
<cvename>CVE-2017-1000353</cvename>
<cvename>CVE-2017-1000354</cvename>
<cvename>CVE-2017-1000355</cvename>
<url>https://jenkins.io/security/advisory/2017-04-26/</url>
</references>
<dates>
<discovery>2017-04-26</discovery>
<entry>2017-04-27</entry>
</dates>
</vuln>
<vuln vid="df0144fb-295e-11e7-970f-002590263bf5">
<topic>codeigniter -- multiple vulnerabilities</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>3.1.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://www.codeigniter.com/user_guide/changelog.html">
<p>Fixed a header injection vulnerability in common function
set_status_header() under Apache (thanks to Guillermo Caminer from
Flowgate).</p>
<p>Fixed byte-safety issues in Encrypt Library (DEPRECATED) when
mbstring.func_overload is enabled.</p>
<p>Fixed byte-safety issues in Encryption Library when
mbstring.func_overload is enabled.</p>
<p>Fixed byte-safety issues in compatibility functions
password_hash(), hash_pbkdf2() when mbstring.func_overload is
enabled.</p>
<p>Updated Encrypt Library (DEPRECATED) to call mcrypt_create_iv()
with MCRYPT_DEV_URANDOM.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.codeigniter.com/user_guide/changelog.html</url>
</references>
<dates>
<discovery>2017-03-23</discovery>
<entry>2017-04-25</entry>
</dates>
</vuln>
<vuln vid="81433129-2916-11e7-ad3e-00e04c1ea73d">
<topic>weechat -- multiple vulnerabilities</topic>
<affects>
<package>
<name>weechat</name>
<range><lt>1.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Common Vulnerabilities and Exposures:</p>
<blockquote cite="https://weechat.org/download/security/">
<p>WeeChat before 1.7.1 allows a remote crash by sending a filename via DCC to
the IRC plugin. This occurs in the irc_ctcp_dcc_filename_without_quotes
function during quote removal, with a buffer overflow.</p>
</blockquote>
</body>
</description>
<references>
<url>https://weechat.org/download/security/</url>
<cvename>CVE-2017-8073</cvename>
</references>
<dates>
<discovery>2017-04-23</discovery>
<entry>2017-04-24</entry>
</dates>
</vuln>
<vuln vid="1455c86c-26c2-11e7-9daa-6cf0497db129">
<topic>drupal8 -- Drupal Core - Critical - Access Bypass</topic>
<affects>
<package>
<name>drupal8</name>
<range><lt>8.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Security Team reports:</p>
<blockquote cite="https://www.drupal.org/SA-CORE-2017-002">
<p>CVE-2017-6919: Access bypass</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-6919</cvename>
</references>
<dates>
<discovery>2017-04-19</discovery>
<entry>2017-04-21</entry>
</dates>
</vuln>
<vuln vid="95a74a48-2691-11e7-9e2d-e8e0b747a45a">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-pulse</name>
<range><lt>58.0.3029.81</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/04/stable-channel-update-for-desktop.html">
<p>29 security fixes in this release, including:</p>
<ul>
<li>[695826] High CVE-2017-5057: Type confusion in PDFium. Credit to
Guang Gong of Alpha Team, Qihoo 360</li>
<li>[694382] High CVE-2017-5058: Heap use after free in Print Preview.
Credit to Khalil Zhani</li>
<li>[684684] High CVE-2017-5059: Type confusion in Blink. Credit to
SkyLined working with Trend Micro's Zero Day Initiative</li>
<li>[683314] Medium CVE-2017-5060: URL spoofing in Omnibox. Credit to
Xudong Zheng</li>
<li>[672847] Medium CVE-2017-5061: URL spoofing in Omnibox. Credit to
Haosheng Wang (@gnehsoah)</li>
<li>[702896] Medium CVE-2017-5062: Use after free in Chrome Apps.
Credit to anonymous</li>
<li>[700836] Medium CVE-2017-5063: Heap overflow in Skia. Credit to
Sweetchip</li>
<li>[693974] Medium CVE-2017-5064: Use after free in Blink. Credit to
Wadih Matar</li>
<li>[704560] Medium CVE-2017-5065: Incorrect UI in Blink. Credit to
Khalil Zhani</li>
<li>[690821] Medium CVE-2017-5066: Incorrect signature handling in Networking.
Credit to Prof. Zhenhua Duan, Prof. Cong Tian, and Ph.D candidate Chu Chen
(ICTT, Xidian University)</li>
<li>[648117] Medium CVE-2017-5067: URL spoofing in Omnibox. Credit to
Khalil Zhani</li>
<li>[691726] Low CVE-2017-5069: Cross-origin bypass in Blink. Credit to
Michael Reizelman</li>
<li>[713205] Various fixes from internal audits, fuzzing and other initiatives</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5057</cvename>
<cvename>CVE-2017-5058</cvename>
<cvename>CVE-2017-5059</cvename>
<cvename>CVE-2017-5060</cvename>
<cvename>CVE-2017-5061</cvename>
<cvename>CVE-2017-5062</cvename>
<cvename>CVE-2017-5063</cvename>
<cvename>CVE-2017-5064</cvename>
<cvename>CVE-2017-5065</cvename>
<cvename>CVE-2017-5066</cvename>
<cvename>CVE-2017-5067</cvename>
<cvename>CVE-2017-5069</cvename>
<url>https://chromereleases.googleblog.com/2017/04/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2017-04-19</discovery>
<entry>2017-04-21</entry>
</dates>
</vuln>
<vuln vid="607f8b57-7454-42c6-a88a-8706f327076d">
<topic>icu -- multiple vulnerabilities</topic>
<affects>
<package>
<name>icu</name>
<range><lt>58.2_2,1</lt></range>
</package>
<package>
<name>linux-c6-icu</name>
<name>linux-c7-icu</name>
<range><lt>59.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7867">
<p>International Components for Unicode (ICU) for C/C++
before 2017-02-13 has an out-of-bounds write caused by a
heap-based buffer overflow related to the utf8TextAccess
function in common/utext.cpp and the utext_setNativeIndex*
function.</p>
</blockquote>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7868">
<p>International Components for Unicode (ICU) for C/C++
before 2017-02-13 has an out-of-bounds write caused by a
heap-based buffer overflow related to the utf8TextAccess
function in common/utext.cpp and the utext_moveIndex32*
function.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-7867</cvename>
<cvename>CVE-2017-7868</cvename>
<url>http://bugs.icu-project.org/trac/changeset/39671</url>
<url>https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=437</url>
</references>
<dates>
<discovery>2017-01-21</discovery>
<entry>2017-04-20</entry>
<modified>2017-05-04</modified>
</dates>
</vuln>
<vuln vid="2a96e498-3234-4950-a9ad-419bc84a839d">
<topic>tiff -- multiple vulnerabilities</topic>
<affects>
<package>
<name>tiff</name>
<name>linux-f8-tiff</name>
<name>linux-f10-tiff</name>
<name>linux-c6-tiff</name>
<name>linux-c7-tiff</name>
<range><lt>4.0.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-5225">
<p>Please reference the CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5225</cvename>
<cvename>CVE-2017-7592</cvename>
<cvename>CVE-2017-7593</cvename>
<cvename>CVE-2017-7594</cvename>
<cvename>CVE-2017-7595</cvename>
<cvename>CVE-2017-7596</cvename>
<cvename>CVE-2017-7597</cvename>
<cvename>CVE-2017-7598</cvename>
<cvename>CVE-2017-7599</cvename>
<cvename>CVE-2017-7600</cvename>
<cvename>CVE-2017-7601</cvename>
<cvename>CVE-2017-7602</cvename>
<url>https://github.com/vadz/libtiff/commit/5c080298d59e</url>
<url>https://github.com/vadz/libtiff/commit/48780b4fcc42</url>
<url>https://github.com/vadz/libtiff/commit/d60332057b95</url>
<url>https://github.com/vadz/libtiff/commit/2ea32f7372b6</url>
<url>https://github.com/vadz/libtiff/commit/8283e4d1b7e5</url>
<url>https://github.com/vadz/libtiff/commit/47f2fb61a3a6</url>
<url>https://github.com/vadz/libtiff/commit/3cfd62d77c2a</url>
<url>https://github.com/vadz/libtiff/commit/3144e57770c1</url>
<url>https://github.com/vadz/libtiff/commit/0a76a8c765c7</url>
<url>https://github.com/vadz/libtiff/commit/66e7bd595209</url>
</references>
<dates>
<discovery>2017-04-01</discovery>
<entry>2017-04-20</entry>
</dates>
</vuln>
<vuln vid="d44129d6-b22e-4e9c-b200-6a46e8bd3e60">
<topic>libsamplerate -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libsamplerate</name>
<name>linux-c6-libsamplerate</name>
<name>linux-c7-libsamplerate</name>
<range><lt>0.1.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7697">
<p>In libsamplerate before 0.1.9, a buffer over-read
occurs in the calc_output_single function in src_sinc.c
via a crafted audio file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-7697</cvename>
<url>https://github.com/erikd/libsamplerate/commit/c3b66186656d</url>
</references>
<dates>
<discovery>2017-04-11</discovery>
<entry>2017-04-20</entry>
</dates>
</vuln>
<vuln vid="5a97805e-93ef-4dcb-8d5e-dbcac263bfc2">
<topic>libsndfile -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libsndfile</name>
<name>linux-c6-libsndfile</name>
<name>linux-c7-libsndfile</name>
<range><lt>1.0.28_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7585">
<p>In libsndfile before 1.0.28, an error in the
"flac_buffer_copy()" function (flac.c) can be exploited to
cause a stack-based buffer overflow via a specially crafted
FLAC file.</p>
</blockquote>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7586">
<p>In libsndfile before 1.0.28, an error in the
"header_read()" function (common.c) when handling ID3 tags
can be exploited to cause a stack-based buffer overflow
via a specially crafted FLAC file.</p>
</blockquote>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7741">
<p>In libsndfile before 1.0.28, an error in the
"flac_buffer_copy()" function (flac.c) can be exploited to
cause a segmentation violation (with write memory access)
via a specially crafted FLAC file during a resample
attempt, a similar issue to CVE-2017-7585.</p>
</blockquote>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7742">
<p>In libsndfile before 1.0.28, an error in the
"flac_buffer_copy()" function (flac.c) can be exploited to
cause a segmentation violation (with read memory access)
via a specially crafted FLAC file during a resample
attempt, a similar issue to CVE-2017-7585.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-7585</cvename>
<cvename>CVE-2017-7586</cvename>
<cvename>CVE-2017-7741</cvename>
<cvename>CVE-2017-7742</cvename>
<url>https://github.com/erikd/libsndfile/commit/60b234301adf</url>
<url>https://github.com/erikd/libsndfile/commit/708e996c87c5</url>
<url>https://github.com/erikd/libsndfile/commit/f457b7b5ecfe</url>
</references>
<dates>
<discovery>2017-04-07</discovery>
<entry>2017-04-20</entry>
</dates>
</vuln>
<vuln vid="3e2e9b44-25ce-11e7-a175-939b30e0836d">
<topic>cURL -- TLS session resumption client cert bypass (again)</topic>
<affects>
<package>
<name>curl</name>
<range><ge>7.52.0</ge><lt>7.54.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>cURL security advisory:</p>
<blockquote cite="https://curl.haxx.se/docs/adv_20170419.html">
<p>libcurl would attempt to resume a TLS session even if the client
certificate had changed. That is unacceptable since a server by
specification is allowed to skip the client certificate check on
resume, and may instead use the old identity which was established
by the previous certificate (or no certificate).</p>
<p>libcurl supports by default the use of TLS session id/ticket to
resume previous TLS sessions to speed up subsequent TLS handshakes.
They are used when for any reason an existing TLS connection
couldn't be kept alive to make the next handshake faster.</p>
<p>This flaw is a regression and identical to CVE-2016-5419 reported
on August 3rd 2016, but affecting a different version range.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-7468</cvename>
<url>https://curl.haxx.se/docs/adv_20170419.html</url>
</references>
<dates>
<discovery>2017-04-19</discovery>
<entry>2017-04-20</entry>
</dates>
</vuln>
<vuln vid="cf133acc-82e7-4755-a66a-5ddf90dacbe6">
<topic>graphite2 -- out-of-bounds write with malicious font</topic>
<affects>
<package>
<name>graphite2</name>
<range><lt>1.3.9_1</lt></range>
</package>
<package>
<name>linux-c7-graphite2</name>
<range><lt>1.3.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/">
<p>An out-of-bounds write in the Graphite 2 library
triggered with a maliciously crafted Graphite font. This
results in a potentially exploitable crash. This issue was
fixed in the Graphite 2 library as well as Mozilla
products.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5436</cvename>
<url>https://github.com/silnrsi/graphite/commit/1ce331d5548b</url>
</references>
<dates>
<discovery>2017-04-19</discovery>
<entry>2017-04-19</entry>
<modified>2017-04-20</modified>
</dates>
</vuln>
<vuln vid="b8ee7a81-a879-4358-9b30-7dd1bd4c14b1">
<topic>libevent -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libevent</name>
<name>libevent2</name>
<name>linux-c6-libevent2</name>
<name>linux-c7-libevent</name>
<range><lt>2.1.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Debian Security reports:</p>
<blockquote cite="https://security-tracker.debian.org/tracker/DSA-3789-1">
<p>CVE-2016-10195: The name_parse function in evdns.c in
libevent before 2.1.6-beta allows remote attackers to have
unspecified impact via vectors involving the label_len
variable, which triggers an out-of-bounds stack read.</p>
<p>CVE-2016-10196: Stack-based buffer overflow in the
evutil_parse_sockaddr_port function in evutil.c in libevent
before 2.1.6-beta allows attackers to cause a denial of
service (segmentation fault) via vectors involving a long
string in brackets in the ip_as_string argument.</p>
<p>CVE-2016-10197: The search_make_new function in evdns.c
in libevent before 2.1.6-beta allows attackers to cause a
denial of service (out-of-bounds read) via an empty
hostname.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-10195</cvename>
<cvename>CVE-2016-10196</cvename>
<cvename>CVE-2016-10197</cvename>
<url>http://www.openwall.com/lists/oss-security/2017/01/31/17</url>
<url>https://github.com/libevent/libevent/issues/317</url>
<url>https://github.com/libevent/libevent/issues/318</url>
<url>https://github.com/libevent/libevent/issues/332</url>
<url>https://github.com/libevent/libevent/issues/335</url>
</references>
<dates>
<discovery>2017-01-31</discovery>
<entry>2017-04-19</entry>
</dates>
</vuln>
<vuln vid="4cb165f0-6e48-423e-8147-92255d35c0f7">
<topic>NSS -- multiple vulnerabilities</topic>
<affects>
<package>
<name>nss</name>
<name>linux-f10-nss</name>
<name>linux-c6-nss</name>
<name>linux-c7-nss</name>
<range><ge>3.30</ge><lt>3.30.1</lt></range>
<range><ge>3.29</ge><lt>3.29.5</lt></range>
<range><ge>3.22</ge><lt>3.28.4</lt></range>
<range><lt>3.21.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/">
<p>An out-of-bounds write during Base64 decoding operation
in the Network Security Services (NSS) library due to
insufficient memory being allocated to the buffer. This
results in a potentially exploitable crash. The NSS library
has been updated to address this issue and Firefox 53 has
been updated with NSS version 3.29.5.</p>
</blockquote>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/">
<p>A flaw in DRBG number generation within the Network
Security Services (NSS) library where the internal state V
does not correctly carry bits over. The NSS library has been
updated to address this issue and Firefox 53 has been updated
with NSS version 3.29.5.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5461</cvename>
<cvename>CVE-2017-5462</cvename>
<url>https://hg.mozilla.org/projects/nss/rev/99a86619eac9</url>
<url>https://hg.mozilla.org/projects/nss/rev/e126381a3c29</url>
</references>
<dates>
<discovery>2017-03-17</discovery>
<entry>2017-04-19</entry>
</dates>
</vuln>
<vuln vid="5e0a038a-ca30-416d-a2f5-38cbf5e7df33">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>53.0_2,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.49.1</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><ge>46.0,1</ge><lt>52.1.0_2,1</lt></range>
<range><lt>45.9.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><ge>46.0,2</ge><lt>52.1.0,2</lt></range>
<range><lt>45.9.0,2</lt></range>
</package>
<package>
<name>libxul</name>
<range><ge>46.0</ge><lt>52.1.0</lt></range>
<range><lt>45.9.0</lt></range>
</package>
<package>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><ge>46.0</ge><lt>52.1.0</lt></range>
<range><lt>45.9.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/">
<p>Please reference the CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5433</cvename>
<cvename>CVE-2017-5435</cvename>
<cvename>CVE-2017-5436</cvename>
<cvename>CVE-2017-5461</cvename>
<cvename>CVE-2017-5459</cvename>
<cvename>CVE-2017-5466</cvename>
<cvename>CVE-2017-5434</cvename>
<cvename>CVE-2017-5432</cvename>
<cvename>CVE-2017-5460</cvename>
<cvename>CVE-2017-5438</cvename>
<cvename>CVE-2017-5439</cvename>
<cvename>CVE-2017-5440</cvename>
<cvename>CVE-2017-5441</cvename>
<cvename>CVE-2017-5442</cvename>
<cvename>CVE-2017-5464</cvename>
<cvename>CVE-2017-5443</cvename>
<cvename>CVE-2017-5444</cvename>
<cvename>CVE-2017-5446</cvename>
<cvename>CVE-2017-5447</cvename>
<cvename>CVE-2017-5465</cvename>
<cvename>CVE-2017-5448</cvename>
<cvename>CVE-2017-5437</cvename>
<cvename>CVE-2017-5454</cvename>
<cvename>CVE-2017-5455</cvename>
<cvename>CVE-2017-5456</cvename>
<cvename>CVE-2017-5469</cvename>
<cvename>CVE-2017-5445</cvename>
<cvename>CVE-2017-5449</cvename>
<cvename>CVE-2017-5450</cvename>
<cvename>CVE-2017-5451</cvename>
<cvename>CVE-2017-5462</cvename>
<cvename>CVE-2017-5463</cvename>
<cvename>CVE-2017-5467</cvename>
<cvename>CVE-2017-5452</cvename>
<cvename>CVE-2017-5453</cvename>
<cvename>CVE-2017-5458</cvename>
<cvename>CVE-2017-5468</cvename>
<cvename>CVE-2017-5430</cvename>
<cvename>CVE-2017-5429</cvename>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/</url>
<url>https://www.mozilla.org/en-US/security/advisories/mfsa2017-12/</url>
</references>
<dates>
<discovery>2017-04-19</discovery>
<entry>2017-04-19</entry>
<modified>2017-09-19</modified>
</dates>
</vuln>
<vuln vid="d9e01c35-2531-11e7-b291-b499baebfeaf">
<topic>MySQL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mariadb55-server</name>
<range><lt>5.5.55</lt></range>
</package>
<package>
<name>mariadb100-server</name>
<range><lt>10.0.31</lt></range>
</package>
<package>
<name>mariadb101-server</name>
<range><lt>10.1.23</lt></range>
</package>
<package>
<name>mysql55-server</name>
<range><lt>5.5.55</lt></range>
</package>
<package>
<name>mysql56-server</name>
<range><lt>5.6.36</lt></range>
</package>
<package>
<name>mysql57-server</name>
<range><lt>5.7.18</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Oracle reports:</p>
<blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html">
<p>This Critical Patch Update contains 39 new security fixes for
Oracle MySQL. 11 of these vulnerabilities may be remotely
exploitable without authentication, i.e., may be exploited over a
network without requiring user credentials.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html</url>
<cvename>CVE-2017-3308</cvename>
<cvename>CVE-2017-3309</cvename>
<cvename>CVE-2017-3450</cvename>
<cvename>CVE-2017-3599</cvename>
<cvename>CVE-2017-3329</cvename>
<cvename>CVE-2017-3600</cvename>
<cvename>CVE-2017-3331</cvename>
<cvename>CVE-2017-3453</cvename>
<cvename>CVE-2017-3452</cvename>
<cvename>CVE-2017-3454</cvename>
<cvename>CVE-2017-3455</cvename>
<cvename>CVE-2017-3305</cvename>
<cvename>CVE-2017-3460</cvename>
<cvename>CVE-2017-3456</cvename>
<cvename>CVE-2017-3458</cvename>
<cvename>CVE-2017-3457</cvename>
<cvename>CVE-2017-3459</cvename>
<cvename>CVE-2017-3463</cvename>
<cvename>CVE-2017-3462</cvename>
<cvename>CVE-2017-3461</cvename>
<cvename>CVE-2017-3464</cvename>
<cvename>CVE-2017-3465</cvename>
<cvename>CVE-2017-3467</cvename>
<cvename>CVE-2017-3468</cvename>
</references>
<dates>
<discovery>2017-04-19</discovery>
<entry>2017-04-19</entry>
</dates>
</vuln>
<vuln vid="c6861494-1ffb-11e7-934d-d05099c0ae8c">
<topic>BIND -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.9P8</lt></range>
</package>
<package>
<name>bind910</name>
<range><lt>9.10.4P8</lt></range>
</package>
<package>
<name>bind911</name>
<range><lt>9.11.0P5</lt></range>
</package>
<package>
<name>bind9-devel</name>
<range><le>9.12.0.a.2017.03.25</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01465/0">
<p>A query with a specific set of characteristics could
cause a server using DNS64 to encounter an assertion
failure and terminate.</p>
<p>An attacker could deliberately construct a query,
enabling denial-of-service against a server if it
was configured to use the DNS64 feature and other
preconditions were met.</p>
</blockquote>
<blockquote cite="https://kb.isc.org/article/AA-01466/0">
<p>Mistaken assumptions about the ordering of records in
the answer section of a response containing CNAME or
DNAME resource records could lead to a situation in
which named would exit with an assertion failure when
processing a response in which records occurred in an
unusual order.</p>
</blockquote>
<blockquote cite="https://kb.isc.org/article/AA-01471/0">
<p>named contains a feature which allows operators to
issue commands to a running server by communicating
with the server process over a control channel,
using a utility program such as rndc.</p>
<p>A regression introduced in a recent feature change
has created a situation under which some versions of
named can be caused to exit with a REQUIRE assertion
failure if they are sent a null command string.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-3136</cvename>
<cvename>CVE-2017-3137</cvename>
<cvename>CVE-2017-3138</cvename>
<url>https://kb.isc.org/article/AA-01465/0</url>
<url>https://kb.isc.org/article/AA-01466/0</url>
<url>https://kb.isc.org/article/AA-01471/0</url>
</references>
<dates>
<discovery>2017-04-12</discovery>
<entry>2017-04-13</entry>
<modified>2017-04-13</modified>
</dates>
</vuln>
<vuln vid="e48355d7-1548-11e7-8611-0090f5f2f347">
<topic>id Tech 3 -- remote code execution vulnerability</topic>
<affects>
<package>
<name>ioquake3</name>
<range><lt>1.36_16</lt></range>
</package>
<package>
<name>ioquake3-devel</name>
<range><lt>g2930</lt></range>
</package>
<package>
<name>iourbanterror</name>
<range><lt>4.3.2,1</lt></range>
</package>
<package>
<name>openarena</name>
<range><lt>0.8.8.s1910_3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The content auto-download feature of id Tech 3 can be used to
deliver maliciously crafted content that triggers the download of
further content, which is then loaded and executed as native code
with the user's credentials. This affects ioquake3, ioUrbanTerror,
OpenArena, the original Quake 3 Arena and other forks.</p>
</body>
</description>
<references>
<cvename>CVE-2017-6903</cvename>
<url>https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/</url>
</references>
<dates>
<discovery>2017-03-14</discovery>
<entry>2017-04-07</entry>
</dates>
</vuln>
<vuln vid="90becf7c-1acf-11e7-970f-002590263bf5">
<topic>xen-kernel -- broken check in memory_exchange() permits PV guest breakout</topic>
<affects>
<package>
<name>xen-kernel</name>
<range><lt>4.7.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="https://xenbits.xen.org/xsa/advisory-212.html">
<p>The XSA-29 fix introduced an insufficient check on XENMEM_exchange
input, allowing the caller to drive hypervisor memory accesses
outside of the guest provided input/output arrays.</p>
<p>A malicious or buggy 64-bit PV guest may be able to access all of
system memory, allowing for all of privilege escalation, host
crashes, and information leaks.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-7228</cvename>
<url>https://xenbits.xen.org/xsa/advisory-212.html</url>
</references>
<dates>
<discovery>2017-04-04</discovery>
<entry>2017-04-06</entry>
</dates>
</vuln>
<vuln vid="04f29189-1a05-11e7-bc6e-b499baebfeaf">
<topic>cURL -- potential memory disclosure</topic>
<affects>
<package>
<name>curl</name>
<range><ge>6.5</ge><lt>7.53.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The cURL project reports:</p>
<blockquote cite="https://curl.haxx.se/docs/adv_20170403.html">
<p>There were two bugs in curl's parser for the command line option
--write-out (or -w for short) that would skip the end of string
zero byte if the string ended in a % (percent) or \ (backslash),
and it would read beyond that buffer in the heap memory and it
could then potentially output pieces of that memory to the
terminal or the target file etc.</p>
<p>This flaw only exists in the command line tool.</p>
<p>We are not aware of any exploit of this flaw.</p>
</blockquote>
</body>
</description>
<references>
<url>https://curl.haxx.se/docs/adv_20170403.html</url>
<cvename>CVE-2017-7407</cvename>
</references>
<dates>
<discovery>2017-04-03</discovery>
<entry>2017-04-05</entry>
<modified>2017-04-06</modified>
</dates>
</vuln>
<vuln vid="dc880d6c-195d-11e7-8c63-0800277dcc69">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py27-django</name>
<name>py33-django</name>
<name>py34-django</name>
<name>py35-django</name>
<name>py36-django</name>
<range><lt>1.8.18</lt></range>
</package>
<package>
<name>py27-django18</name>
<name>py33-django18</name>
<name>py34-django18</name>
<name>py35-django18</name>
<name>py36-django18</name>
<range><lt>1.8.18</lt></range>
</package>
<package>
<name>py27-django19</name>
<name>py33-django19</name>
<name>py34-django19</name>
<name>py35-django19</name>
<name>py36-django19</name>
<range><lt>1.9.13</lt></range>
</package>
<package>
<name>py27-django110</name>
<name>py33-django110</name>
<name>py34-django110</name>
<name>py35-django110</name>
<name>py36-django110</name>
<range><lt>1.10.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Django team reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2017/apr/04/security-releases/">
<p>These releases address two security issues detailed below. We
encourage all users of Django to upgrade as soon as possible.</p>
<ul>
<li>Open redirect and possible XSS attack via user-supplied numeric
redirect URLs</li>
<li>Open redirect vulnerability in django.views.static.serve()</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://www.djangoproject.com/weblog/2017/apr/04/security-releases/</url>
<cvename>CVE-2017-7233</cvename>
<cvename>CVE-2017-7234</cvename>
</references>
<dates>
<discovery>2017-04-04</discovery>
<entry>2017-04-04</entry>
</dates>
</vuln>
<vuln vid="356b02e9-1954-11e7-9608-001999f8d30b">
<topic>asterisk -- Buffer overflow in CDR's set user</topic>
<affects>
<package>
<name>asterisk13</name>
<range><lt>13.14.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://www.asterisk.org/downloads/security-advisories">
<p>No size checking is done when setting the user field
on a CDR. Thus, it is possible for someone to use an
arbitrarily large string and write past the end of the
user field storage buffer. This allows the possibility
of remote code injection.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2017-001.html</url>
<url>https://issues.asterisk.org/jira/browse/ASTERISK-26897</url>
</references>
<dates>
<discovery>2017-03-27</discovery>
<entry>2017-04-04</entry>
</dates>
</vuln>
<vuln vid="057e6616-1885-11e7-bb4d-a0d3c19bfa21">
<topic>NVIDIA UNIX driver -- multiple vulnerabilities in the kernel mode layer handler</topic>
<affects>
<package>
<name>nvidia-driver</name>
<range><lt>375.39</lt></range>
</package>
<package>
<name>nvidia-driver-340</name>
<range><lt>340.102</lt></range>
</package>
<package>
<name>nvidia-driver-304</name>
<range><lt>304.135</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVIDIA Unix security team reports:</p>
<blockquote cite="http://nvidia.custhelp.com/app/answers/detail/a_id/4398">
<p>NVIDIA GPU Display Driver contains vulnerabilities in the
kernel mode layer handler where multiple integer overflows,
improper access control, and improper validation of a user
input may cause a denial of service or potential escalation
of privileges.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-0309</cvename>
<cvename>CVE-2017-0310</cvename>
<cvename>CVE-2017-0311</cvename>
<cvename>CVE-2017-0318</cvename>
<cvename>CVE-2017-0321</cvename>
<url>http://nvidia.custhelp.com/app/answers/detail/a_id/4398</url>
</references>
<dates>
<discovery>2017-02-14</discovery>
<entry>2017-04-04</entry>
</dates>
</vuln>
<vuln vid="7cf058d8-158d-11e7-ba2c-e8e0b747a45a">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>57.0.2987.133</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop_29.html">
<p>5 security fixes in this release, including:</p>
<ul>
<li>[698622] Critical CVE-2017-5055: Use after free in printing. Credit to
Wadih Matar</li>
<li>[699166] High CVE-2017-5054: Heap buffer overflow in V8. Credit to
Nicolas Trippar of Zimperium zLabs</li>
<li>[662767] High CVE-2017-5052: Bad cast in Blink. Credit to
JeongHoon Shin</li>
<li>[705445] High CVE-2017-5056: Use after free in Blink. Credit to
anonymous</li>
<li>[702058] High CVE-2017-5053: Out of bounds memory access in V8. Credit to
Team Sniper (Keen Lab and PC Mgr) reported through ZDI (ZDI-CAN-4587)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5055</cvename>
<cvename>CVE-2017-5054</cvename>
<cvename>CVE-2017-5052</cvename>
<cvename>CVE-2017-5056</cvename>
<cvename>CVE-2017-5053</cvename>
<url>https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop_29.html</url>
</references>
<dates>
<discovery>2017-03-29</discovery>
<entry>2017-03-30</entry>
</dates>
</vuln>
<vuln vid="47873d72-14eb-11e7-970f-002590263bf5">
<topic>xen-tools -- xenstore denial of service via repeated update</topic>
<affects>
<package>
<name>xen-tools</name>
<range><lt>4.7.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-206.html">
<p>Unprivileged guests may be able to stall progress of the control
domain or driver domain, possibly leading to a Denial of Service
(DoS) of the entire host.</p>
</blockquote>
</body>
</description>
<references>
<url>http://xenbits.xen.org/xsa/advisory-206.html</url>
</references>
<dates>
<discovery>2017-03-28</discovery>
<entry>2017-03-30</entry>
</dates>
</vuln>
<vuln vid="68611303-149e-11e7-b9bb-6805ca0b3d42">
<topic>phpMyAdmin -- bypass 'no password' restriction</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>4.7.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-8/">
<h3>Summary</h3>
<p>Bypass $cfg['Servers'][$i]['AllowNoPassword']</p>
<h3>Description</h3>
<p>A vulnerability was discovered where the restrictions
caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are
bypassed under certain PHP versions. This can allow the
login of users who have no password set even if the
administrator has set $cfg['Servers'][$i]['AllowNoPassword']
to false (which is also the default).</p>
<p>This behavior depends on the PHP version used (it seems
PHP 5 is affected, while PHP 7.0 is not).</p>
<h3>Severity</h3>
<p>We consider this vulnerability to be of moderate severity.</p>
<h3>Mitigation factor</h3>
<p>Set a password for all users.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2017-8/</url>
</references>
<dates>
<discovery>2017-03-28</discovery>
<entry>2017-03-29</entry>
</dates>
</vuln>
<vuln vid="04bc4e23-9a70-42cb-9fec-3613632d34bc">
<cancelled superseded="967b852b-1e28-11e6-8dd3-002590263bf5"/>
</vuln>
<vuln vid="2826317b-10ec-11e7-944e-000c292e4fd8">
<topic>samba -- symlink race allows access outside share definition</topic>
<affects>
<package>
<name>samba36</name>
<range><ge>3.6.0</ge><le>3.6.25_4</le></range>
</package>
<package>
<name>samba4</name>
<range><ge>4.0.0</ge><le>4.0.26</le></range>
</package>
<package>
<name>samba41</name>
<range><ge>4.1.0</ge><le>4.1.23</le></range>
</package>
<package>
<name>samba42</name>
<range><ge>4.2.0</ge><le>4.2.14</le></range>
</package>
<package>
<name>samba43</name>
<range><ge>4.3.0</ge><le>4.3.13</le></range>
</package>
<package>
<name>samba44</name>
<range><ge>4.4.0</ge><lt>4.4.12</lt></range>
</package>
<package>
<name>samba45</name>
<range><ge>4.5.0</ge><lt>4.5.7</lt></range>
</package>
<package>
<name>samba46</name>
<range><ge>4.6.0</ge><lt>4.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samba team reports:</p>
<blockquote cite="https://www.samba.org/samba/security/CVE-2017-2619.html">
<p>A time-of-check, time-of-use race condition
can allow clients to access non-exported parts
of the file system via symlinks.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.samba.org/samba/security/CVE-2017-2619.html</url>
<cvename>CVE-2017-2619</cvename>
</references>
<dates>
<discovery>2017-03-23</discovery>
<entry>2017-03-24</entry>
</dates>
</vuln>
<vuln vid="af19ecd0-0f6a-11e7-970f-002590263bf5">
<topic>xen-tools -- Cirrus VGA Heap overflow via display refresh</topic>
<affects>
<package>
<name>xen-tools</name>
<range><lt>4.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-211.html">
<p>A privileged user within the guest VM can cause a heap overflow in
the device model process, potentially escalating their privileges to
that of the device model process.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9603</cvename>
<url>http://xenbits.xen.org/xsa/advisory-211.html</url>
</references>
<dates>
<discovery>2017-03-14</discovery>
<entry>2017-03-23</entry>
</dates>
</vuln>
<vuln vid="06f931c0-0be0-11e7-b4bf-5404a68ad561">
<topic>irssi -- use-after-free potential code execution</topic>
<affects>
<package>
<name>irssi</name>
<range><gt>0.8.21,1</gt><lt>1.0.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The irssi project reports:</p>
<blockquote cite="https://irssi.org/security/irssi_sa_2017_03.txt">
<p>Use after free while producing list of netjoins (CWE-416).
This issue was found and reported to us by APic.
This issue usually leads to segmentation faults.
Targeted code execution should be difficult.</p>
</blockquote>
</body>
</description>
<references>
<url>https://irssi.org/security/irssi_sa_2017_03.txt</url>
<cvename>CVE-2017-7191</cvename>
</references>
<dates>
<discovery>2017-03-11</discovery>
<entry>2017-03-18</entry>
</dates>
</vuln>
<vuln vid="7c27192f-0bc3-11e7-9940-b499baebfeaf">
<topic>mysql -- denial of service vulnerability</topic>
<affects>
<package>
<name>mariadb55-client</name>
<range><le>5.5.54</le></range>
</package>
<package>
<name>mariadb100-client</name>
<range><lt>10.0.30</lt></range>
</package>
<package>
<name>mariadb101-client</name>
<range><lt>10.1.22</lt></range>
</package>
<package>
<name>mysql55-client</name>
<range><le>5.5.54</le></range>
</package>
<package>
<name>mysql56-client</name>
<range><lt>5.6.21</lt></range>
</package>
<package>
<name>mysql57-client</name>
<range><lt>5.7.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Openwall reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2017/02/11/11">
<p>The C client library for MySQL (libmysqlclient.so) has a
use-after-free defect which can cause a crash of applications
using that MySQL client.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2017/02/11/11</url>
<cvename>CVE-2017-3302</cvename>
</references>
<dates>
<discovery>2017-01-27</discovery>
<entry>2017-03-18</entry>
</dates>
</vuln>
<vuln vid="5f453b69-abab-4e76-b6e5-2ed0bafcaee3">
<topic>firefox -- integer overflow in createImageBitmap()</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>52.0.1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/">
<p>An integer overflow in createImageBitmap() was reported
through the Pwn2Own contest. The fix for this vulnerability
disables the experimental extensions to the
createImageBitmap API. This function runs in the content
sandbox, requiring a second vulnerability to compromise a
user's computer.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5428</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2017-08/</url>
</references>
<dates>
<discovery>2017-03-17</discovery>
<entry>2017-03-18</entry>
</dates>
</vuln>
<vuln vid="df45b4bd-0b7f-11e7-970f-002590263bf5">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle29</name>
<range><le>2.9.9</le></range>
</package>
<package>
<name>moodle30</name>
<range><lt>3.0.9</lt></range>
</package>
<package>
<name>moodle31</name>
<range><lt>3.1.5</lt></range>
</package>
<package>
<name>moodle32</name>
<range><lt>3.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Marina Glancy reports:</p>
<blockquote cite="https://moodle.org/news/#p1408104">
<p>In addition to a number of bug fixes and small improvements,
security vulnerabilities have been discovered and fixed. We highly
recommend that you upgrade your sites as soon as possible.
Upgrading should be very straightforward. As per our usual policy,
admins of all registered Moodle sites will be notified of security
issue details directly via email and we'll publish details more
widely in a week.</p>
</blockquote>
</body>
</description>
<references>
<url>https://moodle.org/news/#p1408104</url>
</references>
<dates>
<discovery>2017-03-13</discovery>
<entry>2017-03-18</entry>
</dates>
</vuln>
<vuln vid="f72d98d1-0b7e-11e7-970f-002590263bf5">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle29</name>
<range><le>2.9.9</le></range>
</package>
<package>
<name>moodle30</name>
<range><lt>3.0.8</lt></range>
</package>
<package>
<name>moodle31</name>
<range><lt>3.1.4</lt></range>
</package>
<package>
<name>moodle32</name>
<range><lt>3.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Marina Glancy reports:</p>
<blockquote cite="https://moodle.org/security/">
<ul>
<li><p>MSA-17-0001: System file inclusion when adding own preset
file in Boost theme</p></li>
<li><p>MSA-17-0002: Incorrect sanitation of attributes in forums
</p></li>
<li><p>MSA-17-0003: PHPMailer vulnerability in no-reply address
</p></li>
<li><p>MSA-17-0004: XSS in assignment submission page</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-2576</cvename>
<cvename>CVE-2017-2578</cvename>
<cvename>CVE-2016-10045</cvename>
<url>https://moodle.org/security/</url>
</references>
<dates>
<discovery>2017-01-17</discovery>
<entry>2017-03-18</entry>
<modified>2020-06-24</modified>
</dates>
</vuln>
<vuln vid="2730c668-0b1c-11e7-8d52-6cf0497db129">
<topic>drupal8 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal8</name>
<range><lt>8.2.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Security Team reports:</p>
<blockquote cite="https://www.drupal.org/SA-2017-001">
<p>CVE-2017-6377: Editor module incorrectly checks access to inline private files</p>
<p>CVE-2017-6379: Some admin paths were not protected with a CSRF token</p>
<p>CVE-2017-6381: Remote code execution</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-6377</cvename>
<cvename>CVE-2017-6379</cvename>
<cvename>CVE-2017-6381</cvename>
<url>https://www.drupal.org/SA-2017-001</url>
</references>
<dates>
<discovery>2017-03-15</discovery>
<entry>2017-03-17</entry>
</dates>
</vuln>
<vuln vid="9b973e97-0a99-11e7-ace7-080027ef73ec">
<topic>PuTTY -- integer overflow permits memory overwrite by forwarded ssh-agent connections</topic>
<affects>
<package>
<name>putty</name>
<range><lt>0.68</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Simon G. Tatham reports:</p>
<blockquote cite="http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-agent-fwd-overflow.html">
<p>Many versions of PuTTY prior to 0.68 have a heap-corrupting integer
overflow bug in the ssh_agent_channel_data function which processes
messages sent by remote SSH clients to a forwarded agent connection. [...]</p>
<p>This bug is only exploitable at all if you have enabled SSH
agent forwarding, which is turned off by default. Moreover, an
attacker able to exploit this bug would already have to be able
to connect to the Unix-domain socket representing the forwarded
agent connection. Since any attacker with that capability would
necessarily already be able to generate signatures with your agent's
stored private keys, you should in normal circumstances be defended
against this vulnerability by the same precautions you and your
operating system were already taking to prevent untrusted people
from accessing your SSH agent.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-agent-fwd-overflow.html</url>
<cvename>CVE-2017-6542</cvename>
</references>
<dates>
<discovery>2017-01-29</discovery>
<entry>2017-03-16</entry>
</dates>
</vuln>
<vuln vid="4ffb633c-0a3b-11e7-a9f2-0011d823eebd">
<topic>Flash Player -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplayer</name>
<range><lt>25.0.0.127</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb17-07.html">
<ul>
<li>These updates resolve a buffer overflow vulnerability that
could lead to code execution (CVE-2017-2997).</li>
<li>These updates resolve memory corruption vulnerabilities that
could lead to code execution (CVE-2017-2998, CVE-2017-2999).</li>
<li>These updates resolve a random number generator vulnerability
used for constant blinding that could lead to information
disclosure (CVE-2017-3000).</li>
<li>These updates resolve use-after-free vulnerabilities that
could lead to code execution (CVE-2017-3001, CVE-2017-3002,
CVE-2017-3003).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-2997</cvename>
<cvename>CVE-2017-2998</cvename>
<cvename>CVE-2017-2999</cvename>
<cvename>CVE-2017-3000</cvename>
<cvename>CVE-2017-3001</cvename>
<cvename>CVE-2017-3002</cvename>
<cvename>CVE-2017-3003</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb17-07.html</url>
</references>
<dates>
<discovery>2017-03-14</discovery>
<entry>2017-03-16</entry>
</dates>
</vuln>
<vuln vid="f41e3e54-076b-11e7-a9f2-0011d823eebd">
<topic>mbed TLS (PolarSSL) -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mbedtls</name>
<range><lt>2.4.2</lt></range>
</package>
<package>
<name>polarssl13</name>
<range><lt>1.3.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Janos Follath reports:</p>
<blockquote cite="https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01">
<ul>
<li>If a malicious peer supplies a certificate with a specially
crafted secp224k1 public key, then an attacker can cause the
server or client to attempt to free a block of memory held on the
stack. Depending on the platform, this could result in a Denial
of Service (client crash) or potentially could be exploited to
allow remote code execution with the same privileges as the host
application.</li>
<li>If the client and the server both support MD5 and the client
can be tricked to authenticate to a malicious server, then the
malicious server can impersonate the client. To launch this man
in the middle attack, the adversary has to compute a
chosen-prefix MD5 collision in real time. This is very expensive
computationally, but can be practical. Depending on the
platform, this could result in a Denial of Service (client crash)
or potentially could be exploited to allow remote code execution
with the same privileges as the host application.</li>
<li>A bug in the logic of the parsing of a PEM encoded Certificate
Revocation List in mbedtls_x509_crl_parse() can result in an
infinite loop. In versions before 1.3.10 the same bug results in
an infinite recursion stack overflow that usually crashes the
application. Methods and means of acquiring the CRLs are not part
of the TLS handshake and in the strict TLS setting this
vulnerability cannot be triggered remotely. The vulnerability
cannot be triggered unless the application explicitly calls
mbedtls_x509_crl_parse() or mbedtls_x509_crl_parse_file() on a PEM
formatted CRL of untrusted origin, in which case the
vulnerability can be exploited to launch a denial of service
attack against the application.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01</url>
</references>
<dates>
<discovery>2017-03-11</discovery>
<entry>2017-03-12</entry>
</dates>
</vuln>
<vuln vid="a505d397-0758-11e7-8d8b-e8e0b747a45a">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>57.0.2987.98</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html">
<p>36 security fixes in this release</p>
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5030</cvename>
<cvename>CVE-2017-5031</cvename>
<cvename>CVE-2017-5032</cvename>
<cvename>CVE-2017-5029</cvename>
<cvename>CVE-2017-5034</cvename>
<cvename>CVE-2017-5035</cvename>
<cvename>CVE-2017-5036</cvename>
<cvename>CVE-2017-5037</cvename>
<cvename>CVE-2017-5039</cvename>
<cvename>CVE-2017-5040</cvename>
<cvename>CVE-2017-5041</cvename>
<cvename>CVE-2017-5033</cvename>
<cvename>CVE-2017-5042</cvename>
<cvename>CVE-2017-5038</cvename>
<cvename>CVE-2017-5043</cvename>
<cvename>CVE-2017-5044</cvename>
<cvename>CVE-2017-5045</cvename>
<cvename>CVE-2017-5046</cvename>
<url>https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2017-03-09</discovery>
<entry>2017-03-12</entry>
</dates>
</vuln>
<vuln vid="89cf8cd2-0698-11e7-aa3f-001b216d295b">
<topic>Several Security Defects in the Bouncy Castle Crypto APIs</topic>
<affects>
<package>
<name>bouncycastle15</name>
<range><ge>1.51</ge><lt>1.56</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Legion of the Bouncy Castle reports:</p>
<blockquote cite="https://www.bouncycastle.org/releasenotes.html">
<p>Release: 1.56</p>
<p>2.1.4 Security Related Changes and CVE's Addressed by this Release: (multiple)</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/215507</freebsdpr>
<url>https://www.bouncycastle.org/releasenotes.html</url>
</references>
<dates>
<discovery>2016-12-23</discovery>
<entry>2017-03-12</entry>
</dates>
</vuln>
<vuln vid="41fe4724-06a2-11e7-8e3e-5453ed2e2b49">
<topic>kde-runtime -- kdesu: displayed command truncated by unicode string terminator</topic>
<affects>
<package>
<name>kde-runtime</name>
<range><lt>4.14.3_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Albert Astals Cid reports:</p>
<blockquote cite="https://www.kde.org/info/security/advisory-20160930-1.txt">
<p>A maliciously crafted command line for kdesu can result in the
user only seeing part of the commands that will actually get executed
as super user.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-7787</cvename>
<mlist>http://www.openwall.com/lists/oss-security/2016/09/29/7</mlist>
<url>https://www.kde.org/info/security/advisory-20160930-1.txt</url>
</references>
<dates>
<discovery>2016-09-30</discovery>
<entry>2017-03-11</entry>
</dates>
</vuln>
<vuln vid="e550fc62-069a-11e7-8e3e-5453ed2e2b49">
<topic>kdepimlibs -- directory traversal on KTNEF</topic>
<affects>
<package>
<name>kdepimlibs</name>
<range><lt>4.14.10_7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Albert Astals Cid reports:</p>
<blockquote cite="https://www.kde.org/info/security/advisory-20170227-1.txt">
<p>A directory traversal issue was found in KTNEF which can be
exploited by tricking a user into opening a malicious winmail.dat
file. The issue allows writing files with the permissions of the user
opening the winmail.dat file during extraction.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.kde.org/info/security/advisory-20170227-1.txt</url>
</references>
<dates>
<discovery>2017-02-27</discovery>
<entry>2017-03-11</entry>
</dates>
</vuln>
<vuln vid="f714d8ab-028e-11e7-8042-50e549ebab6c">
<topic>kio: Information Leak when accessing https when using a malicious PAC file</topic>
<affects>
<package>
<name>kdelibs</name>
<range><lt>4.14.29_10</lt></range>
</package>
<package>
<name>kf5-kio</name>
<range><lt>5.31.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Albert Astals Cid reports:</p>
<blockquote cite="https://www.kde.org/info/security/advisory-20170228-1.txt">
<p>Using a malicious PAC file, and then using exfiltration methods in the PAC
function FindProxyForURL() enables the attacker to expose full https URLs.</p>
<p>This is a security issue since https URLs may contain sensitive
information in the URL authentication part (user:password@host), and in the
path and the query (e.g. access tokens).</p>
<p>This attack can be carried out remotely (over the LAN) since proxy settings
allow "Detect Proxy Configuration Automatically".
This setting uses WPAD to retrieve the PAC file, and an attacker who has access
to the victim's LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
and inject his/her own malicious PAC instead of the legitimate one.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.kde.org/info/security/advisory-20170228-1.txt</url>
</references>
<dates>
<discovery>2017-02-28</discovery>
<entry>2017-03-11</entry>
</dates>
</vuln>
<vuln vid="82752070-0349-11e7-b48d-00e04c1ea73d">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.7.3,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>ja-wordpress</name>
<name>ru-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.7.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/">
<p>WordPress versions 4.7.2 and earlier are affected by six security issues.</p>
<ul>
<li>Cross-site scripting (XSS) via media file metadata.</li>
<li>Control characters can trick redirect URL validation.</li>
<li>Unintended files can be deleted by administrators using the
plugin deletion functionality.</li>
<li>Cross-site scripting (XSS) via video URL in YouTube embeds.</li>
<li>Cross-site scripting (XSS) via taxonomy term names.</li>
<li>Cross-site request forgery (CSRF) in Press This leading to
excessive use of server resources.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2017/03/07/3</url>
<url>https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/</url>
</references>
<dates>
<discovery>2017-03-07</discovery>
<entry>2017-03-07</entry>
</dates>
</vuln>
<vuln vid="96eca031-1313-4daf-9be2-9d6e1c4f1eb5">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>52.0_1,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.49</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><ge>46.0,1</ge><lt>52.0,1</lt></range>
<range><lt>45.8.0_1,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><ge>46.0,2</ge><lt>52.0,2</lt></range>
<range><lt>45.8.0_1,2</lt></range>
</package>
<package>
<name>libxul</name>
<range><ge>46.0</ge><lt>52.0</lt></range>
<range><lt>45.8.0_1</lt></range>
</package>
<package>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><ge>46.0</ge><lt>52.0</lt></range>
<range><lt>45.8.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/">
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5400</cvename>
<cvename>CVE-2017-5401</cvename>
<cvename>CVE-2017-5402</cvename>
<cvename>CVE-2017-5403</cvename>
<cvename>CVE-2017-5404</cvename>
<cvename>CVE-2017-5406</cvename>
<cvename>CVE-2017-5407</cvename>
<cvename>CVE-2017-5410</cvename>
<cvename>CVE-2017-5411</cvename>
<cvename>CVE-2017-5409</cvename>
<cvename>CVE-2017-5408</cvename>
<cvename>CVE-2017-5412</cvename>
<cvename>CVE-2017-5413</cvename>
<cvename>CVE-2017-5414</cvename>
<cvename>CVE-2017-5415</cvename>
<cvename>CVE-2017-5416</cvename>
<cvename>CVE-2017-5417</cvename>
<cvename>CVE-2017-5425</cvename>
<cvename>CVE-2017-5426</cvename>
<cvename>CVE-2017-5427</cvename>
<cvename>CVE-2017-5418</cvename>
<cvename>CVE-2017-5419</cvename>
<cvename>CVE-2017-5420</cvename>
<cvename>CVE-2017-5405</cvename>
<cvename>CVE-2017-5421</cvename>
<cvename>CVE-2017-5422</cvename>
<cvename>CVE-2017-5399</cvename>
<cvename>CVE-2017-5398</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2017-05/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2017-06/</url>
</references>
<dates>
<discovery>2017-03-07</discovery>
<entry>2017-03-07</entry>
</dates>
</vuln>
<vuln vid="71ebbc50-01c1-11e7-ae1b-002590263bf5">
<topic>codeigniter -- multiple vulnerabilities</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>3.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://www.codeigniter.com/user_guide/changelog.html">
<p>Fixed an XSS vulnerability in Security Library method xss_clean().
</p>
<p>Fixed a possible file inclusion vulnerability in Loader Library
method vars().</p>
<p>Fixed a possible remote code execution vulnerability in the Email
Library when ‘mail’ or ‘sendmail’ are used (thanks to Paul Buonopane
from NamePros).</p>
<p>Added protection against timing side-channel attacks in Security
Library method csrf_verify().</p>
<p>Added protection against BREACH attacks targeting the CSRF token
field generated by Form Helper function form_open().</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.codeigniter.com/user_guide/changelog.html</url>
</references>
<dates>
<discovery>2017-01-09</discovery>
<entry>2017-03-05</entry>
</dates>
</vuln>
<vuln vid="7b35a77a-0151-11e7-ae1b-002590263bf5">
<topic>ikiwiki -- authentication bypass vulnerability</topic>
<affects>
<package>
<name>ikiwiki</name>
<range><lt>3.20170111</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ikiwiki reports:</p>
<blockquote cite="https://ikiwiki.info/security/#index48h2">
<p>The ikiwiki maintainers discovered further flaws similar to
CVE-2016-9646 in the passwordauth plugin's use of
CGI::FormBuilder, with a more serious impact:</p>
<p>An attacker who can log in to a site with a password can log in as
a different and potentially more privileged user.</p>
<p>An attacker who can create a new account can set arbitrary fields
in the user database for that account.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-0356</cvename>
<url>https://ikiwiki.info/security/#index48h2</url>
</references>
<dates>
<discovery>2017-01-11</discovery>
<entry>2017-03-05</entry>
</dates>
</vuln>
<vuln vid="5ed094a0-0150-11e7-ae1b-002590263bf5">
<topic>ikiwiki -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ikiwiki</name>
<range><lt>3.20161229</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mitre reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10026">
<p>ikiwiki 3.20161219 does not properly check if a revision changes
the access permissions for a page on sites with the git and
recentchanges plugins and the CGI interface enabled, which allows
remote attackers to revert certain changes by leveraging permissions
to change the page before the revision was made.</p>
</blockquote>
<blockquote cite="https://ikiwiki.info/security/#index47h2">
<p>When CGI::FormBuilder->field("foo") is called in list context
(and in particular in the arguments to a subroutine that takes named
arguments), it can return zero or more values for foo from the CGI
request, rather than the expected single value. This breaks the
usual Perl parsing convention for named arguments, similar to
CVE-2014-1572 in Bugzilla (which was caused by a similar API design
issue in CGI.pm).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-10026</cvename>
<cvename>CVE-2016-9645</cvename>
<cvename>CVE-2016-9646</cvename>
<url>https://ikiwiki.info/security/#index46h2</url>
<url>https://ikiwiki.info/security/#index47h2</url>
</references>
<dates>
<discovery>2016-12-19</discovery>
<entry>2017-03-05</entry>
</dates>
</vuln>
<vuln vid="f4eb9a25-fde0-11e6-9ad0-b8aeed92ecc4">
<topic>potrace -- multiple memory failures</topic>
<affects>
<package>
<name>potrace</name>
<range><lt>1.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>potrace reports:</p>
<blockquote cite="https://sourceforge.net/p/potrace/news/2017/02/potrace-114-released/">
<p>CVE-2016-8685: invalid memory access in findnext</p>
<p>CVE-2016-8686: memory allocation failure</p>
</blockquote>
</body>
</description>
<references>
<url>https://sourceforge.net/p/potrace/news/2017/02/potrace-114-released/</url>
<cvename>CVE-2016-8685</cvename>
<cvename>CVE-2016-8686</cvename>
</references>
<dates>
<discovery>2016-10-15</discovery>
<entry>2017-02-28</entry>
</dates>
</vuln>
<vuln vid="765d165b-fbfe-11e6-aae7-5404a68ad561">
<topic>MPD -- buffer overflows in http output</topic>
<affects>
<package>
<name>musicpd</name>
<range><lt>0.20.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MPD project reports:</p>
<blockquote cite="http://git.musicpd.org/cgit/master/mpd.git/plain/NEWS?h=v0.20.5">
<p>httpd: fix two buffer overflows in IcyMetaData length calculation</p>
</blockquote>
</body>
</description>
<references>
<url>http://git.musicpd.org/cgit/master/mpd.git/plain/NEWS?h=v0.20.5</url>
</references>
<dates>
<discovery>2017-02-18</discovery>
<entry>2017-02-26</entry>
</dates>
</vuln>
<vuln vid="311e4b1c-f8ee-11e6-9940-b499baebfeaf">
<topic>cURL -- ocsp status validation error</topic>
<affects>
<package>
<name>curl</name>
<range><ge>7.52.0</ge><lt>7.53.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The cURL project reports:</p>
<blockquote cite="https://curl.haxx.se/docs/adv_20170222.html">
<p>SSL_VERIFYSTATUS ignored<br/>
curl and libcurl support "OCSP stapling", also known as the TLS
Certificate Status Request extension (using the
CURLOPT_SSL_VERIFYSTATUS option). When telling curl to use this
feature, it uses that TLS extension to ask for a fresh proof of
the server's certificate's validity. If the server doesn't support
the extension, or fails to provide said proof, curl is expected to
return an error.<br/>
Due to a coding mistake, the code that checks for a test success or
failure ends up always thinking there's valid proof, even when
there is none or if the server doesn't support the TLS extension in
question, contrary to how it used to function and contrary to how
this feature is documented to work.<br/>
This could lead to users not detecting when a server's certificate
goes invalid or otherwise being misled that the server is in a better
shape than it is in reality.</p>
</blockquote>
</body>
</description>
<references>
<url>https://curl.haxx.se/docs/adv_20170222.html</url>
<cvename>CVE-2017-2629</cvename>
</references>
<dates>
<discovery>2017-02-22</discovery>
<entry>2017-02-22</entry>
</dates>
</vuln>
<vuln vid="8cbd9c08-f8b9-11e6-ae1b-002590263bf5">
<topic>xen-tools -- cirrus_bitblt_cputovideo does not check if memory region is safe</topic>
<affects>
<package>
<name>xen-tools</name>
<range><lt>4.7.1_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-209.html">
<p>In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
cirrus_bitblt_cputovideo fails to check whether the specified
memory region is safe. A malicious guest administrator can cause
an out of bounds memory write, very likely exploitable as a
privilege escalation.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-2620</cvename>
<url>http://xenbits.xen.org/xsa/advisory-209.html</url>
</references>
<dates>
<discovery>2017-02-21</discovery>
<entry>2017-02-22</entry>
</dates>
</vuln>
<vuln vid="786a7d87-f826-11e6-9436-14dae9d5a9d2">
<topic>fbsdmon -- information disclosure vulnerability</topic>
<affects>
<package>
<name>fbsdmon</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Alan Somers reports:</p>
<blockquote cite="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217099">
<p>The web site used by this port, http://fbsdmon.org, has been taken over by cybersquatters. That means that users are sending their system info to an unknown party.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217099</url>
</references>
<dates>
<discovery>2017-02-14</discovery>
<entry>2017-02-21</entry>
</dates>
</vuln>
<vuln vid="f1075415-f5e9-11e6-a4e2-5404a68ad561">
<topic>wavpack -- multiple invalid memory reads</topic>
<affects>
<package>
<name>wavpack</name>
<range><lt>5.1.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>David Bryant reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2017/01/23/4">
<p>global buffer overread in read_code / read_words.c</p>
<p>heap out of bounds read in WriteCaffHeader / caff.c</p>
<p>heap out of bounds read in unreorder_channels / wvunpack.c</p>
<p>heap oob read in read_new_config_info / open_utils.c</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2017/01/23/4</url>
<cvename>CVE-2016-10169</cvename>
<cvename>CVE-2016-10170</cvename>
<cvename>CVE-2016-10171</cvename>
<cvename>CVE-2016-10172</cvename>
<url>https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc</url>
</references>
<dates>
<discovery>2017-01-21</discovery>
<entry>2017-02-18</entry>
</dates>
</vuln>
<vuln vid="8fedf75c-ef2f-11e6-900e-003048f78448">
<topic>optipng -- multiple vulnerabilities</topic>
<affects>
<package>
<name>optipng</name>
<range><lt>0.7.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7802">
<p>ifread.c in gif2png, as used in OptiPNG before 0.7.6, allows remote attackers to cause a denial of service (uninitialized memory read) via a crafted GIF file.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2191">
<p>The bmp_read_rows function in pngxtern/pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (invalid memory write and crash) via a series of delta escapes in a crafted BMP image.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3981">
<p>Heap-based buffer overflow in the bmp_read_rows function in pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (out-of-bounds read or write access and crash) or possibly execute arbitrary code via a crafted image file.</p>
</blockquote>
<blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3982">
<p>Off-by-one error in the bmp_rle4_fread function in pngxrbmp.c in OptiPNG before 0.7.6 allows remote attackers to cause a denial of service (out-of-bounds read or write access and crash) or possibly execute arbitrary code via a crafted image file, which triggers a heap-based buffer overflow.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-7802</cvename>
<cvename>CVE-2016-2191</cvename>
<cvename>CVE-2016-3981</cvename>
<cvename>CVE-2016-3982</cvename>
</references>
<dates>
<discovery>2015-10-09</discovery>
<entry>2017-02-16</entry>
</dates>
</vuln>
<vuln vid="1a802ba9-f444-11e6-9940-b499baebfeaf">
<topic>openssl -- crash on handshake</topic>
<affects>
<package>
<name>openssl-devel</name>
<range><lt>1.1.0e</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSL project reports:</p>
<blockquote cite="https://www.openssl.org/news/secadv/20170216.txt">
<p>Severity: High<br/>
During a renegotiation handshake if the Encrypt-Then-Mac
extension is negotiated where it was not in the original
handshake (or vice-versa) then this can cause OpenSSL to
crash (dependent on ciphersuite). Both clients and servers
are affected.<br/>
This issue does not affect OpenSSL version 1.0.2.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.openssl.org/news/secadv/20170216.txt</url>
<cvename>CVE-2017-3733</cvename>
</references>
<dates>
<discovery>2017-02-16</discovery>
<entry>2017-02-16</entry>
</dates>
</vuln>
<vuln vid="077bbadf-f2f4-11e6-92a7-902b34361349">
<topic>diffoscope -- arbitrary file write</topic>
<affects>
<package>
<name>py34-diffoscope</name>
<name>py35-diffoscope</name>
<name>py36-diffoscope</name>
<range><ge>67</ge><lt>76</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ximin Luo reports:</p>
<blockquote cite="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854723">
<p>[v67] introduced a security hole where diffoscope may write to
arbitrary locations on disk depending on the contents of an
untrusted archive.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-0359</cvename>
<url>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854723</url>
</references>
<dates>
<discovery>2017-02-09</discovery>
<entry>2017-02-14</entry>
<modified>2017-02-16</modified>
</dates>
</vuln>
<vuln vid="7f9b696f-f11b-11e6-b50e-5404a68ad561">
<topic>ffmpeg -- heap overflow in lavf/mov.c</topic>
<affects>
<package>
<name>ffmpeg</name>
<range><lt>3.2.4,1</lt></range>
</package>
<package>
<name>mythtv</name>
<name>mythtv-frontend</name>
<!-- mythtv-29.x has ffmpeg-3.2 -->
<range><lt>29.1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>FFmpeg security reports:</p>
<blockquote cite="https://www.ffmpeg.org/security.html">
<p>FFmpeg 3.2.4 fixes the following vulnerabilities:
CVE-2017-5024, CVE-2017-5025</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5024</cvename>
<url>https://www.ffmpeg.org/security.html</url>
<url>https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html</url>
<cvename>CVE-2017-5025</cvename>
<url>https://www.ffmpeg.org/security.html</url>
<url>https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2017-01-25</discovery>
<entry>2017-02-12</entry>
<modified>2018-03-25</modified>
</dates>
</vuln>
<vuln vid="79bbb8f8-f049-11e6-8a6a-bcaec565249c">
<topic>gtk-vnc -- bounds checking vulnerabilities</topic>
<affects>
<package>
<name>gtk-vnc</name>
<range><lt>0.7.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Daniel P. Berrange reports:</p>
<blockquote cite="https://mail.gnome.org/archives/ftp-release-list/2017-February/msg00015.html">
<p>CVE-2017-5884 - fix bounds checking for RRE, hextile and
copyrect encodings</p>
<p>CVE-2017-5885 - fix color map index bounds checking.</p>
</blockquote>
</body>
</description>
<references>
<url>https://mail.gnome.org/archives/ftp-release-list/2017-February/msg00015.html</url>
<cvename>CVE-2017-5884</cvename>
<cvename>CVE-2017-5885</cvename>
</references>
<dates>
<discovery>2017-02-09</discovery>
<entry>2017-02-11</entry>
</dates>
</vuln>
<vuln vid="a73aba9a-effe-11e6-ae1b-002590263bf5">
<topic>xen-tools -- oob access in cirrus bitblt copy</topic>
<affects>
<package>
<name>xen-tools</name>
<range><lt>4.7.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Xen Project reports:</p>
<blockquote cite="http://xenbits.xen.org/xsa/advisory-208.html">
<p>When doing bitblt copy backwards, qemu should negate the blit
width. This avoids an oob access before the start of video
memory.</p>
<p>A malicious guest administrator can cause an out of bounds memory
access, possibly leading to information disclosure or privilege
escalation.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-2615</cvename>
<url>http://xenbits.xen.org/xsa/advisory-208.html</url>
</references>
<dates>
<discovery>2017-02-10</discovery>
<entry>2017-02-11</entry>
</dates>
</vuln>
<vuln vid="fb74eacc-ec8a-11e6-bc8a-0011d823eebd">
<topic>tiff -- multiple vulnerabilities</topic>
<affects>
<package>
<name>tiff</name>
<range><lt>4.0.7</lt></range>
</package>
<package>
<name>linux-c6-libtiff</name>
<name>linux-c6-tiff</name>
<range><lt>3.9.4_5</lt></range>
</package>
<package>
<name>linux-c7-libtiff</name>
<name>linux-c7-tiff</name>
<range><lt>4.0.3_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The libtiff project reports:</p>
<blockquote cite="http://simplesystems.org/libtiff/v4.0.7.html">
<p>Multiple flaws have been discovered in libtiff library and
utilities.</p>
</blockquote>
</body>
</description>
<references>
<url>http://simplesystems.org/libtiff/v4.0.7.html</url>
<cvename>CVE-2016-9533</cvename>
<cvename>CVE-2016-9534</cvename>
<cvename>CVE-2016-9535</cvename>
<cvename>CVE-2015-8870</cvename>
<cvename>CVE-2016-5652</cvename>
<cvename>CVE-2016-9540</cvename>
<cvename>CVE-2016-9537</cvename>
<cvename>CVE-2016-9536</cvename>
</references>
<dates>
<discovery>2016-11-19</discovery>
<entry>2017-02-06</entry>
</dates>
</vuln>
<vuln vid="2b63e964-eb04-11e6-9ac1-a4badb2f4699">
<topic>mantis -- XSS vulnerability</topic>
<affects>
<package>
<name>mantis</name>
<range><lt>1.2.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>wdollman reports:</p>
<blockquote cite="https://mantisbt.org/bugs/view.php?id=21611">
<p>The value of the view_type parameter on the
view_all_bug_page.php page is not encoded before being displayed on the
page.</p>
</blockquote>
</body>
</description>
<references>
<url>https://mantisbt.org/bugs/view.php?id=21611</url>
<cvename>CVE-2016-6837</cvename>
<freebsdpr>ports/216662</freebsdpr>
</references>
<dates>
<discovery>2016-08-15</discovery>
<entry>2017-02-04</entry>
</dates>
</vuln>
<vuln vid="b4ecf774-eb01-11e6-9ac1-a4badb2f4699">
<topic>guile2 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>guile2</name>
<range><lt>2.0.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ludovic Courtès reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2016/10/11/1">
<p>The REPL server is vulnerable to
the HTTP inter-protocol attack.</p>
<p>The ‘mkdir’ procedure of GNU Guile, an implementation of
the Scheme programming language, temporarily changed the process’ umask
to zero. During that time window, in a multithreaded application, other
threads could end up creating files with insecure permissions.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2016/10/11/1</url>
<url>http://www.openwall.com/lists/oss-security/2016/10/12/2</url>
<cvename>CVE-2016-8605</cvename>
<cvename>CVE-2016-8606</cvename>
<freebsdpr>ports/216663</freebsdpr>
</references>
<dates>
<discovery>2016-10-12</discovery>
<entry>2017-02-04</entry>
</dates>
</vuln>
<vuln vid="c6932dd4-eaff-11e6-9ac1-a4badb2f4699">
<topic>chicken -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chicken</name>
<range><lt>4.12,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Peter Bex reports:</p>
<blockquote cite="http://lists.nongnu.org/archive/html/chicken-announce/2016-08/msg00001.html">
<p>A buffer overflow error was found in the POSIX unit's procedures
process-execute and process-spawn.</p>
<p>Additionally, a memory leak existed in this code, which would be
triggered when an error is raised during argument and environment
processing.</p>
</blockquote>
<blockquote cite="http://lists.nongnu.org/archive/html/chicken-announce/2016-12/msg00000.html">
<p>Irregex versions before 0.9.6 contain a resource exhaustion
vulnerability when compiling deeply nested regexes containing the
"+" operator, due to exponential expansion behaviour.</p>
</blockquote>
</body>
</description>
<references>
<url>http://lists.nongnu.org/archive/html/chicken-announce/2016-08/msg00001.html</url>
<cvename>CVE-2016-6830</cvename>
<cvename>CVE-2016-6831</cvename>
<cvename>CVE-2016-9954</cvename>
<freebsdpr>ports/216661</freebsdpr>
</references>
<dates>
<discovery>2016-08-12</discovery>
<entry>2017-02-04</entry>
<modified>2017-03-05</modified>
</dates>
</vuln>
<vuln vid="a130bd8c-eafe-11e6-9ac1-a4badb2f4699">
<topic>libebml -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libebml</name>
<range><lt>1.3.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Moritz Bunkus reports:</p>
<blockquote cite="https://lists.matroska.org/pipermail/matroska-users/2015-October/006985.html">
<p>Multiple invalid memory access vulnerabilities.</p>
</blockquote>
</body>
</description>
<references>
<url>https://lists.matroska.org/pipermail/matroska-users/2015-October/006985.html</url>
<cvename>CVE-2015-8789</cvename>
<cvename>CVE-2015-8790</cvename>
<cvename>CVE-2015-8791</cvename>
<freebsdpr>ports/216659</freebsdpr>
</references>
<dates>
<discovery>2015-10-20</discovery>
<entry>2017-02-04</entry>
</dates>
</vuln>
<vuln vid="5b1631dc-eafd-11e6-9ac1-a4badb2f4699">
<topic>freeimage -- code execution vulnerability</topic>
<affects>
<package>
<name>freeimage</name>
<range><lt>3.16.0_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>TALOS reports:</p>
<blockquote cite="http://www.talosintelligence.com/reports/TALOS-2016-0189/">
<p>An exploitable out-of-bounds write vulnerability exists in
the XMP image handling functionality of the FreeImage library.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.talosintelligence.com/reports/TALOS-2016-0189/</url>
<cvename>CVE-2016-5684</cvename>
<freebsdpr>ports/216657</freebsdpr>
</references>
<dates>
<discovery>2016-10-03</discovery>
<entry>2017-02-04</entry>
<modified>2018-04-14</modified>
</dates>
</vuln>
<vuln vid="5a9b3d70-48e2-4267-b196-83064cb14fe0">
<topic>shotwell -- failure to encrypt authentication</topic>
<affects>
<package>
<name>shotwell</name>
<range><lt>0.24.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jens Georg reports:</p>
<blockquote cite="https://mail.gnome.org/archives/shotwell-list/2017-January/msg00048.html">
<p>I have just released Shotwell 0.24.5 and 0.25.4 which turn
on HTTPS encryption all over the publishing plugins.</p>
<p>Users using Tumblr and Yandex.Fotki publishing are strongly
advised to change their passwords and reauthenticate Shotwell
to those services after upgrade.</p>
<p>Users of Picasa and Youtube publishing are strongly advised
to reauthenticate (Log out and back in) Shotwell to those
services after upgrade.</p>
</blockquote>
</body>
</description>
<references>
<url>https://mail.gnome.org/archives/shotwell-list/2017-January/msg00048.html</url>
</references>
<dates>
<discovery>2017-01-31</discovery>
<entry>2017-02-01</entry>
</dates>
</vuln>
<vuln vid="5cfa9d0c-73d7-4642-af4f-28fbed9e9404">
<topic>jenkins -- multiple vulnerabilities</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>2.44</lt></range>
</package>
<package>
<name>jenkins-lts</name>
<range><lt>2.32.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01">
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-2598</cvename>
<cvename>CVE-2017-2599</cvename>
<cvename>CVE-2017-2600</cvename>
<cvename>CVE-2011-4969</cvename>
<cvename>CVE-2017-2601</cvename>
<cvename>CVE-2015-0886</cvename>
<cvename>CVE-2017-2602</cvename>
<cvename>CVE-2017-2603</cvename>
<cvename>CVE-2017-2604</cvename>
<cvename>CVE-2017-2605</cvename>
<cvename>CVE-2017-2606</cvename>
<cvename>CVE-2017-2607</cvename>
<cvename>CVE-2017-2608</cvename>
<cvename>CVE-2017-2609</cvename>
<cvename>CVE-2017-2610</cvename>
<cvename>CVE-2017-2611</cvename>
<cvename>CVE-2017-2612</cvename>
<cvename>CVE-2017-2613</cvename>
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01</url>
</references>
<dates>
<discovery>2017-02-01</discovery>
<entry>2017-02-01</entry>
</dates>
</vuln>
<vuln vid="14ea4458-e5cd-11e6-b56d-38d547003487">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.7.2,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>ja-wordpress</name>
<name>ru-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Aaron D. Campbell reports:</p>
<blockquote cite="https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/">
<p>WordPress versions 4.7.1 and earlier are affected by three security
issues:</p>
<ul>
<li>The user interface for assigning taxonomy terms in Press This is
shown to users who do not have permissions to use it.</li>
<li>WP_Query is vulnerable to a SQL injection (SQLi) when passing
unsafe data. WordPress core is not directly vulnerable to this
issue, but we’ve added hardening to prevent plugins and
themes from accidentally causing a vulnerability.</li>
<li>A cross-site scripting (XSS) vulnerability was discovered in the
posts list table.</li>
<li>An unauthenticated privilege escalation vulnerability was
discovered in a REST API endpoint.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5610</cvename>
<cvename>CVE-2017-5611</cvename>
<cvename>CVE-2017-5612</cvename>
<url>http://www.openwall.com/lists/oss-security/2017/01/28/5</url>
<url>https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/</url>
<url>https://make.wordpress.org/core/2017/02/01/disclosure-of-additional-security-fix-in-wordpress-4-7-2/</url>
</references>
<dates>
<discovery>2017-01-26</discovery>
<entry>2017-01-29</entry>
</dates>
</vuln>
<vuln vid="6e83b2f3-e4e3-11e6-9ac1-a4badb2f4699">
<topic>nfsen -- remote command execution</topic>
<affects>
<package>
<name>nfsen</name>
<range><lt>1.3.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Peter Haag reports:</p>
<blockquote cite="https://sourceforge.net/p/nfsen/mailman/message/35623845/">
<p>A remote attacker with access to the web interface can
execute arbitrary commands on the host operating system.</p>
</blockquote>
</body>
</description>
<references>
<url>https://sourceforge.net/p/nfsen/mailman/message/35623845/</url>
</references>
<dates>
<discovery>2017-01-24</discovery>
<entry>2017-01-27</entry>
</dates>
</vuln>
<vuln vid="4b9ca994-e3d9-11e6-813d-e8e0b747a45a">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<name>chromium-npapi</name>
<name>chromium-pulse</name>
<range><lt>56.0.2924.76</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html">
<p>51 security fixes in this release</p>
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5007</cvename>
<cvename>CVE-2017-5006</cvename>
<cvename>CVE-2017-5008</cvename>
<cvename>CVE-2017-5010</cvename>
<cvename>CVE-2017-5011</cvename>
<cvename>CVE-2017-5009</cvename>
<cvename>CVE-2017-5012</cvename>
<cvename>CVE-2017-5013</cvename>
<cvename>CVE-2017-5014</cvename>
<cvename>CVE-2017-5015</cvename>
<cvename>CVE-2017-5019</cvename>
<cvename>CVE-2017-5016</cvename>
<cvename>CVE-2017-5017</cvename>
<cvename>CVE-2017-5018</cvename>
<cvename>CVE-2017-2020</cvename>
<cvename>CVE-2017-2021</cvename>
<cvename>CVE-2017-2022</cvename>
<cvename>CVE-2017-2023</cvename>
<cvename>CVE-2017-2024</cvename>
<cvename>CVE-2017-2025</cvename>
<cvename>CVE-2017-2026</cvename>
<url>https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2017-01-25</discovery>
<entry>2017-01-26</entry>
</dates>
</vuln>
<vuln vid="d455708a-e3d3-11e6-9940-b499baebfeaf">
<topic>OpenSSL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.2k,1</lt></range>
</package>
<package>
<name>openssl-devel</name>
<range><lt>1.1.0d</lt></range>
</package>
<package>
<name>linux-c6-openssl</name>
<range><lt>1.0.1e_13</lt></range>
</package>
<package>
<name>linux-c7-openssl-libs</name>
<range><lt>1.0.1e_3</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>11.0</ge><lt>11.0_8</lt></range>
<range><ge>10.3</ge><lt>10.3_17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSL project reports:</p>
<blockquote cite="https://www.openssl.org/news/secadv/20170126.txt">
<ul>
<li>Truncated packet could crash via OOB read (CVE-2017-3731)</li>
<li>Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)</li>
<li>BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)</li>
<li>Montgomery multiplication may produce incorrect results (CVE-2016-7055)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://www.openssl.org/news/secadv/20170126.txt</url>
<cvename>CVE-2016-7055</cvename>
<cvename>CVE-2017-3730</cvename>
<cvename>CVE-2017-3731</cvename>
<cvename>CVE-2017-3732</cvename>
<freebsdsa>SA-17:02.openssl</freebsdsa>
</references>
<dates>
<discovery>2017-01-26</discovery>
<entry>2017-01-26</entry>
<modified>2017-05-26</modified>
</dates>
</vuln>
<vuln vid="e60169c4-aa86-46b0-8ae2-0d81f683df09">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>51.0_1,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.48</lt></range>
</package>
<package>
<name>firefox-esr</name>
<range><lt>45.7.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>45.7.0,2</lt></range>
</package>
<package>
<name>libxul</name>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>45.7.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/">
<p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5373</cvename>
<cvename>CVE-2017-5374</cvename>
<cvename>CVE-2017-5375</cvename>
<cvename>CVE-2017-5376</cvename>
<cvename>CVE-2017-5377</cvename>
<cvename>CVE-2017-5378</cvename>
<cvename>CVE-2017-5379</cvename>
<cvename>CVE-2017-5380</cvename>
<cvename>CVE-2017-5381</cvename>
<cvename>CVE-2017-5382</cvename>
<cvename>CVE-2017-5383</cvename>
<cvename>CVE-2017-5384</cvename>
<cvename>CVE-2017-5385</cvename>
<cvename>CVE-2017-5386</cvename>
<cvename>CVE-2017-5387</cvename>
<cvename>CVE-2017-5388</cvename>
<cvename>CVE-2017-5389</cvename>
<cvename>CVE-2017-5390</cvename>
<cvename>CVE-2017-5391</cvename>
<cvename>CVE-2017-5392</cvename>
<cvename>CVE-2017-5393</cvename>
<cvename>CVE-2017-5394</cvename>
<cvename>CVE-2017-5395</cvename>
<cvename>CVE-2017-5396</cvename>
<url>https://www.mozilla.org/security/advisories/mfsa2017-01/</url>
<url>https://www.mozilla.org/security/advisories/mfsa2017-02/</url>
</references>
<dates>
<discovery>2017-01-24</discovery>
<entry>2017-01-24</entry>
</dates>
</vuln>
<vuln vid="7721562b-e20a-11e6-b2e2-6805ca0b3d42">
<topic>phpMyAdmin -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><ge>4.6.0</ge><lt>4.6.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-1/">
<p>Open redirect</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-2/">
<p>php-gettext code execution</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-3/">
<p>DOS vulnerability in table editing</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-4/">
<p>CSS injection in themes</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-5/">
<p>Cookie attribute injection attack</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-6/">
<p>SSRF in replication</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-7/">
<p>DOS in replication status</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2017-1</url>
<url>https://www.phpmyadmin.net/security/PMASA-2017-2</url>
<url>https://www.phpmyadmin.net/security/PMASA-2017-3</url>
<url>https://www.phpmyadmin.net/security/PMASA-2017-4</url>
<url>https://www.phpmyadmin.net/security/PMASA-2017-5</url>
<url>https://www.phpmyadmin.net/security/PMASA-2017-6</url>
<url>https://www.phpmyadmin.net/security/PMASA-2017-7</url>
<cvename>CVE-2015-8980</cvename>
</references>
<dates>
<discovery>2017-01-24</discovery>
<entry>2017-01-24</entry>
</dates>
</vuln>
<vuln vid="a4b7def1-e165-11e6-9d84-90e2ba9881c8">
<topic>Intel(R) NVMUpdate -- Intel(R) Ethernet Controller X710/XL710 NVM Security Vulnerability</topic>
<affects>
<package>
<name>intel-nvmupdate</name>
<range><lt>5.05</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Intel Corporation reports:</p>
<blockquote cite="https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00063&amp;languageid=en-fr">
<p>A security vulnerability in the Intel(R) Ethernet Controller X710
and Intel(R) Ethernet Controller XL710 family of products
(Fortville) has been found in the Non-Volatile Flash Memory (NVM)
image.</p>
</blockquote>
</body>
</description>
<references>
<url>https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00063&amp;languageid=en-fr</url>
<cvename>CVE-2016-8106</cvename>
</references>
<dates>
<discovery>2017-01-09</discovery>
<entry>2017-01-23</entry>
</dates>
</vuln>
<vuln vid="709e025a-de8b-11e6-a9a5-b499baebfeaf">
<topic>PHP -- undisclosed vulnerabilities</topic>
<affects>
<package>
<name>php56</name>
<range><lt>5.6.30</lt></range>
</package>
<package>
<name>php70</name>
<range><lt>7.0.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP project reports:</p>
<blockquote cite="http://php.net/archive/2017.php#id2017-01-19-2">
<p>The PHP development team announces the immediate availability of
PHP 7.0.15. This is a security release. Several security bugs were
fixed in this release.</p>
</blockquote>
<blockquote cite="http://php.net/archive/2017.php#id2017-01-19-3">
<p>The PHP development team announces the immediate availability of
PHP 5.6.30. This is a security release. Several security bugs were
fixed in this release.</p>
</blockquote>
</body>
</description>
<references>
<url>http://php.net/archive/2017.php#id2017-01-19-2</url>
<url>http://php.net/archive/2017.php#id2017-01-19-3</url>
</references>
<dates>
<discovery>2017-01-19</discovery>
<entry>2017-01-19</entry>
<modified>2017-01-20</modified>
</dates>
</vuln>
<vuln vid="57facd35-ddf6-11e6-915d-001b3856973b">
<topic>icoutils -- check_offset overflow on 64-bit systems</topic>
<affects>
<package>
<name>icoutils</name>
<range><lt>0.31.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Choongwoo Han reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2017/q1/38">
<p>An exploitable crash exists in the wrestool utility on 64-bit systems
where the result of subtracting two pointers exceeds the size of int.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5208</cvename>
<cvename>CVE-2017-5331</cvename>
<cvename>CVE-2017-5332</cvename>
<cvename>CVE-2017-5333</cvename>
<url>http://seclists.org/oss-sec/2017/q1/38</url>
</references>
<dates>
<discovery>2017-01-03</discovery>
<entry>2017-01-19</entry>
</dates>
</vuln>
<vuln vid="4d2f9d09-ddb7-11e6-a9a5-b499baebfeaf">
<topic>mysql -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mariadb55-server</name>
<range><lt>5.5.54</lt></range>
</package>
<package>
<name>mariadb100-server</name>
<range><lt>10.0.30</lt></range>
</package>
<package>
<name>mariadb101-server</name>
<range><lt>10.1.22</lt></range>
</package>
<package>
<name>mysql55-server</name>
<range><lt>5.5.54</lt></range>
</package>
<package>
<name>mysql56-server</name>
<range><lt>5.6.35</lt></range>
</package>
<package>
<name>mysql57-server</name>
<range><lt>5.7.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Oracle reports:</p>
<blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL">
<p>No further details have been provided in the Critical Patch Update.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL</url>
<cvename>CVE-2016-8318</cvename>
<cvename>CVE-2017-3312</cvename>
<cvename>CVE-2017-3258</cvename>
<cvename>CVE-2017-3273</cvename>
<cvename>CVE-2017-3244</cvename>
<cvename>CVE-2017-3257</cvename>
<cvename>CVE-2017-3238</cvename>
<cvename>CVE-2017-3256</cvename>
<cvename>CVE-2017-3291</cvename>
<cvename>CVE-2017-3265</cvename>
<cvename>CVE-2017-3251</cvename>
<cvename>CVE-2017-3313</cvename>
<cvename>CVE-2017-3243</cvename>
<cvename>CVE-2016-8327</cvename>
<cvename>CVE-2017-3317</cvename>
<cvename>CVE-2017-3318</cvename>
<cvename>CVE-2017-3319</cvename>
<cvename>CVE-2017-3320</cvename>
</references>
<dates>
<discovery>2017-01-18</discovery>
<entry>2017-01-18</entry>
<modified>2017-03-14</modified>
</dates>
</vuln>
<vuln vid="e3200958-dd6c-11e6-ae1b-002590263bf5">
<topic>powerdns -- multiple vulnerabilities</topic>
<affects>
<package>
<name>powerdns</name>
<range><lt>3.4.11</lt></range>
<range><ge>4.0.0</ge><lt>4.0.2</lt></range>
</package>
<package>
<name>powerdns-recursor</name>
<range><lt>3.7.4</lt></range>
<range><ge>4.0.0</ge><lt>4.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PowerDNS reports:</p>
<blockquote cite="https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/">
<p>2016-02: Crafted queries can cause abnormal CPU usage</p>
</blockquote>
<blockquote cite="https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/">
<p>2016-03: Denial of service via the web server</p>
</blockquote>
<blockquote cite="https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/">
<p>2016-04: Insufficient validation of TSIG signatures</p>
</blockquote>
<blockquote cite="https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/">
<p>2016-05: Crafted zone record can cause a denial of service</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-7068</cvename>
<cvename>CVE-2016-7072</cvename>
<cvename>CVE-2016-7073</cvename>
<cvename>CVE-2016-7074</cvename>
<cvename>CVE-2016-2120</cvename>
<freebsdpr>ports/216135</freebsdpr>
<freebsdpr>ports/216136</freebsdpr>
<url>https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/</url>
<url>https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/</url>
<url>https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/</url>
<url>https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/</url>
<url>https://blog.powerdns.com/2017/01/13/powerdns-authoritative-server-4-0-2-released/</url>
<url>https://blog.powerdns.com/2017/01/13/powerdns-recursor-4-0-4-released/</url>
</references>
<dates>
<discovery>2016-12-15</discovery>
<entry>2017-01-18</entry>
</dates>
</vuln>
<vuln vid="4af92a40-db33-11e6-ae1b-002590263bf5">
<topic>groovy -- remote execution of untrusted code/DoS vulnerability</topic>
<affects>
<package>
<name>groovy</name>
<range><ge>1.7.0</ge><lt>2.4.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Groovy project reports:</p>
<blockquote cite="http://groovy-lang.org/security.html">
<p>When an application with Groovy on the classpath uses standard Java
serialization mechanisms, e.g. to communicate between servers or to
store local data, it is possible for an attacker to bake a special
serialized object that will execute code directly when deserialized.
All applications which rely on serialization and do not isolate the
code which deserializes objects are subject to this vulnerability.
This is similar to CVE-2015-3253 but this exploit involves extra
wrapping of objects and catching of exceptions which are now
safeguarded against.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6814</cvename>
<url>http://groovy-lang.org/security.html</url>
</references>
<dates>
<discovery>2016-09-20</discovery>
<entry>2017-01-15</entry>
</dates>
</vuln>
<vuln vid="6aa956fb-d97f-11e6-a071-001e67f15f5a">
<topic>RabbitMQ -- Authentication vulnerability</topic>
<affects>
<package>
<name>rabbitmq</name>
<range><ge>3.0.0</ge><lt>3.5.8</lt></range>
<range><ge>3.6.0</ge><lt>3.6.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Pivotal.io reports:</p>
<blockquote cite="https://pivotal.io/security/cve-2016-9877">
<p>MQTT (MQ Telemetry Transport) connection authentication with a
username/password pair succeeds if an existing username is
provided but the password is omitted from the connection
request. Connections that use TLS with a client-provided
certificate are not affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9877</cvename>
<url>https://pivotal.io/security/cve-2016-9877</url>
<url>https://github.com/rabbitmq/rabbitmq-server/releases/tag/rabbitmq_v3_6_6</url>
</references>
<dates>
<discovery>2016-12-06</discovery>
<entry>2017-01-15</entry>
</dates>
</vuln>
<vuln vid="b180d1fb-dac6-11e6-ae1b-002590263bf5">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>4.7.1,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>ja-wordpress</name>
<name>ru-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>4.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Aaron D. Campbell reports:</p>
<blockquote cite="https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/">
<p>WordPress versions 4.7 and earlier are affected by eight security
issues...</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5487</cvename>
<cvename>CVE-2017-5488</cvename>
<cvename>CVE-2017-5489</cvename>
<cvename>CVE-2017-5490</cvename>
<cvename>CVE-2017-5491</cvename>
<cvename>CVE-2017-5492</cvename>
<cvename>CVE-2017-5493</cvename>
<url>http://www.openwall.com/lists/oss-security/2017/01/14/6</url>
<url>https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/</url>
</references>
<dates>
<discovery>2017-01-11</discovery>
<entry>2017-01-15</entry>
</dates>
</vuln>
<vuln vid="e5186c65-d729-11e6-a9a5-b499baebfeaf">
<topic>mysql -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mysql57-client</name>
<name>mysql57-server</name>
<range><lt>5.7.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Oracle reports:</p>
<blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html">
<p>Local security vulnerability in 'Server: Packaging' sub component.</p>
</blockquote>
</body>
</description>
<references>
<bid>93617</bid>
<cvename>CVE-2016-5625</cvename>
<url>http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html</url>
</references>
<dates>
<discovery>2016-10-18</discovery>
<entry>2017-01-14</entry>
<modified>2017-01-15</modified>
</dates>
</vuln>
<vuln vid="22373c43-d728-11e6-a9a5-b499baebfeaf">
<topic>MySQL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mariadb55-client</name>
<name>mariadb55-server</name>
<range><lt>5.5.52</lt></range>
</package>
<package>
<name>mariadb100-client</name>
<name>mariadb100-server</name>
<range><lt>10.0.28</lt></range>
</package>
<package>
<name>mariadb101-client</name>
<name>mariadb101-server</name>
<range><lt>10.1.18</lt></range>
</package>
<package>
<name>mysql55-client</name>
<name>mysql55-server</name>
<range><lt>5.5.52</lt></range>
</package>
<package>
<name>mysql56-client</name>
<name>mysql56-server</name>
<range><lt>5.6.33</lt></range>
</package>
<package>
<name>mysql57-client</name>
<name>mysql57-server</name>
<range><lt>5.7.15</lt></range>
</package>
<package>
<name>percona55-client</name>
<name>percona55-server</name>
<range><lt>5.5.51.38.2</lt></range>
</package>
<package>
<name>percona56-client</name>
<name>percona56-server</name>
<range><lt>5.6.32.78.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MySQL project reports:</p>
<blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL">
<ul>
<li>CVE-2016-3492: Remote security vulnerability in 'Server: Optimizer'
sub component.</li>
<li>CVE-2016-5616, CVE-2016-6663: Race condition allows local users with
certain permissions to gain privileges by leveraging use of my_copystat
by REPAIR TABLE to repair a MyISAM table.</li>
<li>CVE-2016-5617, CVE-2016-6664: mysqld_safe, when using file-based
logging, allows local users with access to the mysql account to gain
root privileges via a symlink attack on error logs and possibly other
files.</li>
<li>CVE-2016-5624: Remote security vulnerability in 'Server: DML' sub
component.</li>
<li>CVE-2016-5626: Remote security vulnerability in 'Server: GIS' sub
component.</li>
<li>CVE-2016-5629: Remote security vulnerability in 'Server: Federated'
sub component.</li>
<li>CVE-2016-8283: Remote security vulnerability in 'Server: Types' sub
component.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL</url>
<url>https://mariadb.com/kb/en/mariadb/mariadb-10028-release-notes/</url>
<url>https://mariadb.com/kb/en/mariadb/mariadb-5552-release-notes/</url>
<url>https://mariadb.com/kb/en/mariadb/mariadb-10118-release-notes/</url>
<cvename>CVE-2016-3492</cvename>
<cvename>CVE-2016-5616</cvename>
<cvename>CVE-2016-5617</cvename>
<cvename>CVE-2016-5624</cvename>
<cvename>CVE-2016-5626</cvename>
<cvename>CVE-2016-5629</cvename>
<cvename>CVE-2016-6663</cvename>
<cvename>CVE-2016-6664</cvename>
<cvename>CVE-2016-8283</cvename>
</references>
<dates>
<discovery>2016-09-13</discovery>
<entry>2017-01-14</entry>
</dates>
</vuln>
<vuln vid="a93c3287-d8fd-11e6-be5c-001fbc0f280f">
<topic>Ansible -- Command execution on Ansible controller from host</topic>
<affects>
<package>
<name>ansible</name>
<range><gt>1.9.6_1</gt><lt>2.2.0.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Computest reports:</p>
<blockquote cite="https://www.computest.nl/advisories/CT-2017-0109_Ansible.txt">
<p>Computest found and exploited several issues
that allow a compromised host to execute commands
on the Ansible controller and thus gain access
to other hosts controlled by that controller.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9587</cvename>
<url>https://www.computest.nl/advisories/CT-2017-0109_Ansible.txt</url>
<url>https://lwn.net/Articles/711357/</url>
</references>
<dates>
<discovery>2017-01-09</discovery>
<entry>2017-01-12</entry>
</dates>
</vuln>
<vuln vid="7ae0be99-d8bb-11e6-9b7f-d43d7e971a1b">
<topic>phpmailer -- Remote Code Execution</topic>
<affects>
<package>
<name>phpmailer</name>
<range><lt>5.2.22</lt></range>
</package>
<package>
<name>tt-rss</name>
<range><lt>2017.01.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/95328/discuss">
<p>PHPMailer is prone to a local information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information
that may aid in launching further attacks.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.securityfocus.com/bid/95328/discuss</url>
<cvename>CVE-2017-5223</cvename>
</references>
<dates>
<discovery>2017-01-10</discovery>
<entry>2017-01-12</entry>
</dates>
</vuln>
<vuln vid="d4c7e9a9-d893-11e6-9b4d-d050996490d0">
<topic>BIND -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.9P5</lt></range>
</package>
<package>
<name>bind910</name>
<range><lt>9.10.4P5</lt></range>
</package>
<package>
<name>bind911</name>
<range><lt>9.11.0P2</lt></range>
</package>
<package>
<name>bind9-devel</name>
<range><le>9.12.0.a.2016.12.28</le></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>9.3</ge><lt>10.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01439/0">
<p>A malformed query response received by a recursive
server in response to a query of RTYPE ANY could
trigger an assertion failure while named is attempting
to add the RRs in the query response to the cache.</p>
</blockquote>
<blockquote cite="https://kb.isc.org/article/AA-01440/0">
<p>Depending on the type of query and the EDNS options
in the query they receive, DNSSEC-enabled authoritative
servers are expected to include RRSIG and other RRsets
in their responses to recursive servers.
DNSSEC-validating servers will also make specific queries
for DS and other RRsets.
Whether DNSSEC-validating or not, an error in processing
malformed query responses that contain DNSSEC-related
RRsets that are inconsistent with other RRsets in the
same query response can trigger an assertion failure.
Although the combination of properties which triggers
the assertion should not occur in normal traffic, it
is potentially possible for the assertion to be triggered
deliberately by an attacker sending a specially-constructed
answer.</p>
</blockquote>
<blockquote cite="https://kb.isc.org/article/AA-01441/0">
<p>An unusually-formed answer containing a DS resource
record could trigger an assertion failure. While the
combination of properties which triggers the assertion
should not occur in normal traffic, it is potentially
possible for the assertion to be triggered deliberately
by an attacker sending a specially-constructed answer
having the required properties.</p>
</blockquote>
<blockquote cite="https://kb.isc.org/article/AA-01442/0">
<p>An error in handling certain queries can cause an
assertion failure when a server is using the
nxdomain-redirect feature to cover a zone for which
it is also providing authoritative service.
A vulnerable server could be intentionally stopped
by an attacker if it was using a configuration that
met the criteria for the vulnerability and if the
attacker could cause it to accept a query that
possessed the required attributes.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-9131</cvename>
<cvename>CVE-2016-9147</cvename>
<cvename>CVE-2016-9444</cvename>
<cvename>CVE-2016-9778</cvename>
<url>https://kb.isc.org/article/AA-01439/0</url>
<url>https://kb.isc.org/article/AA-01440/0</url>
<url>https://kb.isc.org/article/AA-01441/0</url>
<url>https://kb.isc.org/article/AA-01442/0</url>
</references>
<dates>
<discovery>2017-01-11</discovery>
<entry>2017-01-12</entry>
</dates>
</vuln>
<vuln vid="2c948527-d823-11e6-9171-14dae9d210b8">
<topic>FreeBSD -- OpenSSH multiple vulnerabilities</topic>
<affects>
<package>
<name>openssh-portable</name>
<range><lt>7.3.p1_5,1</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>11.0</ge><lt>11.0_7</lt></range>
<range><ge>10.3</ge><lt>10.3_16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The ssh-agent(1) agent supports loading a PKCS#11 module
from outside a trusted whitelist. An attacker can request
loading of a PKCS#11 module across a forwarded agent socket.
[CVE-2016-10009]</p>
<p>When privilege separation is disabled, forwarded Unix
domain sockets would be created by sshd(8) with the privileges
of 'root' instead of the authenticated user. [CVE-2016-10010]</p>
<h1>Impact:</h1>
<p>A remote attacker who has control of a forwarded
agent socket on a remote system and has the ability to
write files on the system running the ssh-agent(1) agent can
run arbitrary code under the same user credentials. Because
the attacker must already have some control over both systems,
it is relatively hard to exploit this vulnerability in a
practical attack. [CVE-2016-10009]</p>
<p>When privilege separation is disabled (on FreeBSD,
privilege separation is enabled by default and has to be
explicitly disabled), an authenticated attacker can potentially
gain root privileges on systems running OpenSSH server.
[CVE-2016-10010]</p>
</body>
</description>
<references>
<cvename>CVE-2016-10009</cvename>
<cvename>CVE-2016-10010</cvename>
<freebsdsa>SA-17:01.openssh</freebsdsa>
</references>
<dates>
<discovery>2017-01-11</discovery>
<entry>2017-01-11</entry>
<modified>2017-01-13</modified>
</dates>
</vuln>
<vuln vid="7caebe30-d7f1-11e6-a9a5-b499baebfeaf">
<topic>openssl -- timing attack vulnerability</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.2</lt></range>
</package>
<package>
<name>libressl</name>
<range><lt>2.4.4_1</lt></range>
</package>
<package>
<name>libressl-devel</name>
<range><lt>2.5.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Cesar Pereida Garcia reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2017/q1/52">
<p>The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL
versions and forks is vulnerable to timing attacks when signing with the
standardized elliptic curve P-256 despite featuring constant-time curve
operations and modular inversion. A software defect omits setting the
BN_FLG_CONSTTIME flag for nonces, failing to take a secure code path in
the BN_mod_inverse method and therefore resulting in a cache-timing attack
vulnerability.<br/>
A malicious user with local access can recover ECDSA P-256 private keys.</p>
</blockquote>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2017/q1/52</url>
<cvename>CVE-2016-7056</cvename>
</references>
<dates>
<discovery>2017-01-10</discovery>
<entry>2017-01-11</entry>
<modified>2017-01-11</modified>
</dates>
</vuln>
<vuln vid="2a7bdc56-d7a3-11e6-ae1b-002590263bf5">
<topic>flash -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplayer</name>
<range><lt>24.0.0.194</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://helpx.adobe.com/security/products/flash-player/apsb17-02.html">
<p>These updates resolve a security bypass vulnerability that could
lead to information disclosure (CVE-2017-2938).</p>
<p>These updates resolve use-after-free vulnerabilities that could
lead to code execution (CVE-2017-2932, CVE-2017-2936,
CVE-2017-2937).</p>
<p>These updates resolve heap buffer overflow vulnerabilities that
could lead to code execution (CVE-2017-2927, CVE-2017-2933,
CVE-2017-2934, CVE-2017-2935).</p>
<p>These updates resolve memory corruption vulnerabilities that could
lead to code execution (CVE-2017-2925, CVE-2017-2926, CVE-2017-2928,
CVE-2017-2930, CVE-2017-2931).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-2925</cvename>
<cvename>CVE-2017-2926</cvename>
<cvename>CVE-2017-2927</cvename>
<cvename>CVE-2017-2928</cvename>
<cvename>CVE-2017-2930</cvename>
<cvename>CVE-2017-2931</cvename>
<cvename>CVE-2017-2932</cvename>
<cvename>CVE-2017-2933</cvename>
<cvename>CVE-2017-2934</cvename>
<cvename>CVE-2017-2935</cvename>
<cvename>CVE-2017-2936</cvename>
<cvename>CVE-2017-2937</cvename>
<cvename>CVE-2017-2938</cvename>
<url>https://helpx.adobe.com/security/products/flash-player/apsb17-02.html</url>
</references>
<dates>
<discovery>2017-01-10</discovery>
<entry>2017-01-11</entry>
</dates>
</vuln>
<vuln vid="ab804e60-d693-11e6-9171-14dae9d210b8">
<topic>moinmoin -- XSS vulnerabilities</topic>
<affects>
<package>
<name>moinmoin</name>
<range><lt>1.9.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Thomas Waldmann reports:</p>
<blockquote cite="http://hg.moinmo.in/moin/1.9/file/1.9.9/docs/CHANGES">
<ul>
<li><p>fix XSS in AttachFile view (multifile related) CVE-2016-7148</p></li>
<li><p>fix XSS in GUI editor's attachment dialogue CVE-2016-7146</p></li>
<li><p>fix XSS in GUI editor's link dialogue CVE-2016-9119</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://hg.moinmo.in/moin/1.9/file/1.9.9/docs/CHANGES</url>
<cvename>CVE-2016-7148</cvename>
<cvename>CVE-2016-7146</cvename>
<cvename>CVE-2016-9119</cvename>
<freebsdpr>ports/214937</freebsdpr>
</references>
<dates>
<discovery>2016-10-31</discovery>
<entry>2017-01-09</entry>
</dates>
</vuln>
<vuln vid="64be967a-d379-11e6-a071-001e67f15f5a">
<topic>libvncserver -- multiple buffer overflows</topic>
<affects>
<package>
<name>libvncserver</name>
<range><lt>0.9.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>LibVNCServer reports:</p>
<blockquote cite="https://github.com/LibVNC/libvncserver/pull/137">
<p>Two unrelated buffer overflows can be used by a malicious server to overwrite parts of the heap and crash the client (or possibly execute arbitrary code).</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/LibVNC/libvncserver/pull/137</url>
<cvename>CVE-2016-9941</cvename>
<cvename>CVE-2016-9942</cvename>
<freebsdpr>ports/215805</freebsdpr>
</references>
<dates>
<discovery>2016-11-24</discovery>
<entry>2017-01-09</entry>
</dates>
</vuln>
<vuln vid="83041ca7-d690-11e6-9171-14dae9d210b8">
<topic>libdwarf -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libdwarf</name>
<range><lt>20161124</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Christian Rebischke reports:</p>
<blockquote cite="https://lwn.net/Articles/708092/">
<p>libdwarf is vulnerable to multiple issues including
arbitrary code execution, information disclosure and denial of
service.</p>
</blockquote>
</body>
</description>
<references>
<url>https://lwn.net/Articles/708092/</url>
<cvename>CVE-2016-5027</cvename>
<cvename>CVE-2016-5028</cvename>
<cvename>CVE-2016-5029</cvename>
<cvename>CVE-2016-5030</cvename>
<cvename>CVE-2016-5031</cvename>
<cvename>CVE-2016-5032</cvename>
<cvename>CVE-2016-5033</cvename>
<cvename>CVE-2016-5035</cvename>
<cvename>CVE-2016-5037</cvename>
<cvename>CVE-2016-5040</cvename>
<cvename>CVE-2016-5041</cvename>
<cvename>CVE-2016-5043</cvename>
<cvename>CVE-2016-5044</cvename>
<cvename>CVE-2016-7510</cvename>
<cvename>CVE-2016-7511</cvename>
<cvename>CVE-2016-8679</cvename>
<cvename>CVE-2016-8680</cvename>
<cvename>CVE-2016-8681</cvename>
<cvename>CVE-2016-9275</cvename>
<cvename>CVE-2016-9276</cvename>
<cvename>CVE-2016-9480</cvename>
<cvename>CVE-2016-9558</cvename>
</references>
<dates>
<discovery>2016-12-04</discovery>
<entry>2017-01-09</entry>
</dates>
</vuln>
<vuln vid="03532a19-d68e-11e6-9171-14dae9d210b8">
<topic>lynx -- multiple vulnerabilities</topic>
<affects>
<package>
<name>lynx</name>
<range><lt>2.8.8.2_5,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Oracle reports:</p>
<blockquote>
<p>Lynx is vulnerable to POODLE by still supporting a vulnerable
version of SSL. Lynx is also vulnerable to URL attacks by incorrectly
parsing hostnames ending with a '?'.</p>
</blockquote>
</body>
</description>
<references>
<url>https://hg.java.net/hg/solaris-userland~gate/file/bc5351dcb9ac/components/lynx/patches/02-init-openssl.patch</url>
<url>https://hg.java.net/hg/solaris-userland~gate/file/0a979060f73b/components/lynx/patches/05-fix-CVE-2016-9179.patch</url>
<cvename>CVE-2014-3566</cvename>
<cvename>CVE-2016-9179</cvename>
<freebsdpr>ports/215464</freebsdpr>
</references>
<dates>
<discovery>2016-10-26</discovery>
<entry>2017-01-09</entry>
</dates>
</vuln>
<vuln vid="91e039ed-d689-11e6-9171-14dae9d210b8">
<topic>hdf5 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>hdf5</name>
<range><lt>1.10.0</lt></range>
</package>
<package>
<name>hdf5-18</name>
<range><lt>1.8.18</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Talos Security reports:</p>
<blockquote cite="http://blog.talosintel.com/2016/11/hdf5-vulns.html">
<ul>
<li><p>CVE-2016-4330 (TALOS-2016-0176) - HDF5 Group libhdf5 H5T_ARRAY Code Execution Vulnerability</p></li>
<li><p>CVE-2016-4331 (TALOS-2016-0177) - HDF5 Group libhdf5 H5Z_NBIT Code Execution Vulnerability</p></li>
<li><p>CVE-2016-4332 (TALOS-2016-0178) - HDF5 Group libhdf5 Shareable Message Type Code Execution Vulnerability</p></li>
<li><p>CVE-2016-4333 (TALOS-2016-0179) - HDF5 Group libhdf5 H5T_COMPOUND Code Execution Vulnerability</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://blog.talosintel.com/2016/11/hdf5-vulns.html</url>
<cvename>CVE-2016-4330</cvename>
<cvename>CVE-2016-4331</cvename>
<cvename>CVE-2016-4332</cvename>
<cvename>CVE-2016-4333</cvename>
</references>
<dates>
<discovery>2016-11-17</discovery>
<entry>2017-01-09</entry>
</dates>
</vuln>
<vuln vid="e1ff4c5e-d687-11e6-9171-14dae9d210b8">
<topic>End of Life Ports</topic>
<affects>
<package>
<name>py27-django16</name>
<name>py33-django16</name>
<name>py34-django16</name>
<name>py35-django16</name>
<range><ge>0</ge></range>
</package>
<package>
<name>drupal6</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>These packages have reached End of Life status and/or have
been removed from the Ports Tree. They may contain undocumented
security issues. Please use caution and find alternative
software as soon as possible.</p>
</body>
</description>
<references>
<freebsdpr>ports/211975</freebsdpr>
</references>
<dates>
<discovery>2017-01-06</discovery>
<entry>2017-01-06</entry>
</dates>
</vuln>
<vuln vid="c218873d-d444-11e6-84ef-f0def167eeea">
<topic>Use-After-Free Vulnerability in pcsc-lite</topic>
<affects>
<package>
<name>pcsc-lite</name>
<range><ge>1.6.0</ge><lt>1.8.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Peter Wu on the Openwall mailing list reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2017/01/03/2">
<p>The issue allows a local attacker to cause a Denial of Service,
but can potentially result in Privilege Escalation since
the daemon is running as root, while any local user can
connect to the Unix socket.
Fixed by a patch which is released with pcsc-lite 1.8.20.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-10109</cvename>
<url>http://www.openwall.com/lists/oss-security/2017/01/03/2</url>
</references>
<dates>
<discovery>2017-01-03</discovery>
<entry>2017-01-06</entry>
<modified>2017-01-10</modified>
</dates>
</vuln>
<vuln vid="0c5369fc-d671-11e6-a9a5-b499baebfeaf">
<topic>GnuTLS -- Memory corruption vulnerabilities</topic>
<affects>
<package>
<name>gnutls</name>
<range><lt>3.5.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The GnuTLS project reports:</p>
<blockquote cite="http://www.gnutls.org/news.html#2017-01-09">
<ul>
<li>It was found using the OSS-FUZZ fuzzer infrastructure that
decoding a specially crafted OpenPGP certificate could lead
to heap and stack overflows. (GNUTLS-SA-2017-2)</li>
<li>It was found using the OSS-FUZZ fuzzer infrastructure that
decoding a specially crafted X.509 certificate with Proxy
Certificate Information extension present could lead to a
double free. (GNUTLS-SA-2017-1)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.gnutls.org/news.html#2017-01-09</url>
<url>http://www.gnutls.org/security.html#GNUTLS-SA-2017-2</url>
<url>http://www.gnutls.org/security.html#GNUTLS-SA-2017-1</url>
</references>
<dates>
<discovery>2017-01-09</discovery>
<entry>2017-01-09</entry>
</dates>
</vuln>
<vuln vid="e5ec2767-d529-11e6-ae1b-002590263bf5">
<topic>tomcat -- information disclosure vulnerability</topic>
<affects>
<package>
<name>tomcat</name>
<range><lt>6.0.49</lt></range>
</package>
<package>
<name>tomcat7</name>
<range><lt>7.0.74</lt></range>
</package>
<package>
<name>tomcat8</name>
<range><lt>8.0.40</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Software Foundation reports:</p>
<blockquote cite="http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40">
<p>Important: Information Disclosure CVE-2016-8745</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-8745</cvename>
<freebsdpr>ports/215865</freebsdpr>
<url>http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49</url>
<url>http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74</url>
<url>http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40</url>
</references>
<dates>
<discovery>2017-01-05</discovery>
<entry>2017-01-07</entry>
<modified>2017-03-18</modified>
</dates>
</vuln>
<vuln vid="0b9af110-d529-11e6-ae1b-002590263bf5">
<topic>tomcat -- multiple vulnerabilities</topic>
<affects>
<package>
<name>tomcat</name>
<range><lt>6.0.48</lt></range>
</package>
<package>
<name>tomcat7</name>
<range><lt>7.0.73</lt></range>
</package>
<package>
<name>tomcat8</name>
<range><lt>8.0.39</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Software Foundation reports:</p>
<blockquote cite="http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39">
<p>Important: Remote Code Execution CVE-2016-8735</p>
<p>Important: Information Disclosure CVE-2016-6816</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-8735</cvename>
<cvename>CVE-2016-6816</cvename>
<freebsdpr>ports/214599</freebsdpr>
<url>http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48</url>
<url>http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73</url>
<url>http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39</url>
</references>
<dates>
<discovery>2016-11-22</discovery>
<entry>2017-01-07</entry>
<modified>2017-03-18</modified>
</dates>
</vuln>
<vuln vid="3ae106e2-d521-11e6-ae1b-002590263bf5">
<topic>tomcat -- multiple vulnerabilities</topic>
<affects>
<package>
<name>tomcat</name>
<range><lt>6.0.47</lt></range>
</package>
<package>
<name>tomcat7</name>
<range><lt>7.0.72</lt></range>
</package>
<package>
<name>tomcat8</name>
<range><lt>8.0.37</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Software Foundation reports:</p>
<blockquote cite="http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37">
<p>Low: Unrestricted Access to Global Resources CVE-2016-6797</p>
<p>Low: Security Manager Bypass CVE-2016-6796</p>
<p>Low: System Property Disclosure CVE-2016-6794</p>
<p>Low: Security Manager Bypass CVE-2016-5018</p>
<p>Low: Timing Attack CVE-2016-0762</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2016-6797</cvename>
<cvename>CVE-2016-6796</cvename>
<cvename>CVE-2016-6794</cvename>
<cvename>CVE-2016-5018</cvename>
<cvename>CVE-2016-0762</cvename>
<url>http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47</url>
<url>http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72</url>
<url>http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37</url>
</references>
<dates>
<discovery>2016-10-27</discovery>
<entry>2017-01-07</entry>
<modified>2017-03-18</modified>
</dates>
</vuln>
<vuln vid="3d6be69b-d365-11e6-a071-001e67f15f5a">
<topic>Irssi -- multiple vulnerabilities</topic>
<affects>
<package>
<name>irssi</name>
<range><lt>0.8.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Irssi reports:</p>
<blockquote cite="https://irssi.org/security/irssi_sa_2017_01.txt">
<p>Five vulnerabilities have been located in Irssi:</p>
<ul>
<li>A NULL pointer dereference in the nickcmp function found by
Joseph Bisch. (CWE-690)</li>
<li>Use after free when receiving invalid nick message (Issue #466,
CWE-146)</li>
<li>Out of bounds read in certain incomplete control codes found
by Joseph Bisch. (CWE-126)</li>
<li>Out of bounds read in certain incomplete character sequences
found by Hanno Böck and independently by J. Bisch. (CWE-126)</li>
<li>Out of bounds read when printing the value '%['. Found by
Hanno Böck. (CWE-126)</li>
</ul>
<p>These issues may result in denial of service (remote crash).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2017-5193</cvename>
<cvename>CVE-2017-5194</cvename>
<cvename>CVE-2017-5195</cvename>
<cvename>CVE-2017-5196</cvename>
<cvename>CVE-2017-5356</cvename>
<freebsdpr>ports/215800</freebsdpr>
<url>https://irssi.org/security/irssi_sa_2017_01.txt</url>
</references>
<dates>
<discovery>2017-01-03</discovery>
<entry>2017-01-05</entry>
<modified>2017-01-15</modified>
</dates>
</vuln>
<vuln vid="496160d3-d3be-11e6-ae1b-002590263bf5">
<topic>codeigniter -- multiple vulnerabilities</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>3.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://www.codeigniter.com/user_guide/changelog.html">
<p>Fixed a number of new vulnerabilities in Security Library method
xss_clean().</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.codeigniter.com/user_guide/changelog.html</url>
</references>
<dates>
<discovery>2016-10-28</discovery>
<entry>2017-01-06</entry>
</dates>
</vuln>
<vuln vid="5e439ee7-d3bd-11e6-ae1b-002590263bf5">
<topic>codeigniter -- multiple vulnerabilities</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>3.1.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CodeIgniter changelog reports:</p>
<blockquote cite="https://www.codeigniter.com/user_guide/changelog.html">
<p>Fixed an SQL injection in the ‘odbc’ database driver.</p>
<p>Updated set_realpath() Path Helper function to filter out php://
wrapper inputs.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.codeigniter.com/user_guide/changelog.html</url>
</references>
<dates>
<discovery>2016-07-26</discovery>
<entry>2017-01-06</entry>
</dates>
</vuln>
<vuln vid="eafa3aec-211b-4dd4-9b8a-a664a3f0917a">
<topic>w3m -- multiple vulnerabilities</topic>
<affects>
<package>
<name>w3m</name>
<name>w3m-img</name>
<name>ja-w3m</name>
<name>ja-w3m-img</name>
<range><lt>0.5.3.20170102</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Multiple remote code execution and denial of service conditions are present.</p>
</body>
</description>
<references>
<url>http://seclists.org/oss-sec/2016/q4/452</url>
<url>http://seclists.org/oss-sec/2016/q4/516</url>
<cvename>CVE-2016-9422</cvename>
<cvename>CVE-2016-9423</cvename>
<cvename>CVE-2016-9424</cvename>
<cvename>CVE-2016-9425</cvename>
<cvename>CVE-2016-9426</cvename>
<cvename>CVE-2016-9428</cvename>
<cvename>CVE-2016-9429</cvename>
<cvename>CVE-2016-9430</cvename>
<cvename>CVE-2016-9431</cvename>
<cvename>CVE-2016-9432</cvename>
<cvename>CVE-2016-9433</cvename>
<cvename>CVE-2016-9434</cvename>
<cvename>CVE-2016-9435</cvename>
<cvename>CVE-2016-9436</cvename>
<cvename>CVE-2016-9437</cvename>
<cvename>CVE-2016-9438</cvename>
<cvename>CVE-2016-9439</cvename>
<cvename>CVE-2016-9440</cvename>
<cvename>CVE-2016-9441</cvename>
<cvename>CVE-2016-9442</cvename>
<cvename>CVE-2016-9443</cvename>
<cvename>CVE-2016-9622</cvename>
<cvename>CVE-2016-9623</cvename>
<cvename>CVE-2016-9624</cvename>
<cvename>CVE-2016-9625</cvename>
<cvename>CVE-2016-9626</cvename>
<cvename>CVE-2016-9627</cvename>
<cvename>CVE-2016-9628</cvename>
<cvename>CVE-2016-9629</cvename>
<cvename>CVE-2016-9630</cvename>
<cvename>CVE-2016-9631</cvename>
<cvename>CVE-2016-9632</cvename>
<cvename>CVE-2016-9633</cvename>
</references>
<dates>
<discovery>2016-11-03</discovery>
<entry>2017-01-01</entry>
<modified>2017-01-09</modified>
</dates>
</vuln>