Roundcube -- XSS vulnerability roundcube 1.5.2,1

The Roundcube project reports:

Cross-site scripting (XSS) via HTML messages with malicious CSS content

https://roundcube.net/news/2021/12/30/update-1.5.2-released 2021-12-30 2021-12-31
Mbed TLS -- Potential double-free after an out of memory error mbedtls 2.16.12 2.17.02.28.0

Manuel Pégourié-Gonnard reports:

If mbedtls_ssl_set_session() or mbedtls_ssl_get_session() were to fail with MBEDTLS_ERR_SSL_ALLOC_FAILED (in an out of memory condition), then calling mbedtls_ssl_session_free() and mbedtls_ssl_free() in the usual manner would cause an internal session buffer to be freed twice, due to two structures both having valid pointers to it after a call to ssl_session_copy().

An attacker could potentially trigger the out of memory condition, and therefore use this bug to create memory corruption, which could then be further exploited or targetted.

CVE-2021-44732 https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12 2021-12-14 2021-12-30
OpenDMARC - Remote denial of service opendmarc 1.4.11.4.2

OpenDMARC 1.4.1 and 1.4.1.1 will dereference a NULL pointer when encountering a multi-value From: header field. A remote attacker can send a specially crafted message resulting in a denial of service.

CVE-2021-34555 https://github.com/trusteddomainproject/OpenDMARC/issues/179 2021-06-09 2021-12-30
OpenDMARC - Multiple vulnerabilities opendmarc 1.4.1

OpenDMARC releases prior to 1.4.1 are susceptible to the following vulnerabilities:

CVE-2019-16378 CVE-2019-20790 CVE-2020-12272 CVE-2020-12460 https://github.com/trusteddomainproject/OpenDMARC/blob/rel-opendmarc-1-4-1-1/RELEASE_NOTES 2021-04-06 2021-12-30
minio -- User privilege escalation minio 2021.12.27.07.23.18

minio developers report:

AddUser() API endpoint was exposed to a legacy behavior. i.e it accepts a "policy" field

This API is mainly used to create a user or update a user's password.

However, a malicious client can hand-craft an HTTP API call that allows for updating Policy for a user and gaining higher privileges.

CVE-2021-43858 https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx 2021-12-27 2021-12-29
Pillow -- Regular Expression Denial of Service (ReDoS) py38-pillow 5.2.08.3.2

GitHub Advisory Database reports:

Uncontrolled Resource Consumption in pillow.

The package pillow from 0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.

References:

  • https://nvd.nist.gov/vuln/detail/CVE-2021-23437
  • https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b
  • https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html
  • https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443
  • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNSG6VFXTAROGF7ACYLMAZNQV4EJ6I2C/
  • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKRCL7KKAKOXCVD7M6WC5OKFGL4L3SJT/
CVE-2021-23437 https://nvd.nist.gov/vuln/detail/CVE-2021-23437 2021-09-02 2021-09-03
OpenSearch -- Log4Shell opensearch 1.2.3

OpenSearch reports:

CVE-2021-45105 for Log4j was issued after the release of OpenSearch 1.2.2. This CVE advises upgrading to Log4j 2.17.0. While there has been no observed reproduction of the issue described in CVE-2021-45105 in OpenSearch, we have released OpenSearch 1.2.3 which updates Log4j to version 2.17.0.

CVE-2021-45105 https://opensearch.org/blog/releases/2021/12/update-1-2-3/ 2021-12-16 2021-12-27
OpenSearch -- Log4Shell opensearch 1.2.2

OpenSearch reports:

CVE-2021-45046 was issued shortly following the release of OpenSearch 1.2.1. This new CVE advises upgrading from Log4j 2.15.0 (used in OpenSearch 1.2.1) to Log4j 2.16.0. Out of an abundance of caution, the team is releasing OpenSearch 1.2.2 which includes Log4j 2.16.0. While there has been no observed reproduction of the issue described in CVE-2021-45046, Log4j 2.16.0 takes much more extensive JNDI mitigation measures.

CVE-2021-45046 https://opensearch.org/blog/releases/2021/12/update-1-2-2/ 2021-12-14 2021-12-27
opengrok -- Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. opengrok 1.6.7

Bobby Rauch of Accenture reports:

I ended up finding OpenGrok, and after careful testing, discovered that OpenGrok insecurely deserializes XML input, which can lead to Remote Code Execution. This vulnerability was found in all versions of OpenGrok <1.6.8 and was reported to Oracle. The vulnerability has now been patched in OpenGrok 1.6.9, and has been issued a CVE. (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2322)

CVE-2021-2322 https://www.oracle.com/security-alerts/oracle-open-source-cves-outside-other-oracle-public-documents.html https://www.oracle.com/security-alerts/oracle-open-source-cves-outside-other-oracle-public-documents.html https://github.com/oracle/opengrok/pull/3528 2021-04-07 2021-12-21
mediawiki -- multiple vulnerabilities mediawiki135 1.35.5 mediawiki136 1.36.3 mediawiki137 1.37.1

Mediawiki reports:

(T292763. CVE-2021-44854) REST API incorrectly publicly caches autocomplete search results from private wikis.

(T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created via Special:ChangeContentModel.

(T297322, CVE-2021-44857) Unauthorized users can use action=mcrundo to replace the content of arbitrary pages.

(T297322, CVE-2021-44858) Unauthorized users can view contents of private wikis using various actions.

(T297574, CVE-2021-45038) Unauthorized users can access private wiki contents using rollback action

(T293589, CVE-2021-44855) Blind Stored XSS in VisualEditor media dialog.

(T294686) Special:Nuke doesn't actually delete pages.

CVE-2021-44854 CVE-2021-44856 CVE-2021-44857 CVE-2021-44858 CVE-2021-45038 CVE-2021-44855 https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/ 2021-12-01 2021-12-21
graylog -- remote code execution in log4j from user-controlled log input graylog 4.2.4

Apache Software Foundation reports:

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

CVE-2021-45046 https://github.com/Graylog2/graylog2-server/commit/d3e441f https://github.com/Graylog2/graylog2-server/commit/dd24b85 https://logging.apache.org/log4j/2.x/security.html 2021-11-14 2021-12-17
Apache httpd -- Multiple vulnerabilities apache24 2.4.52

The Apache httpd project reports:

moderate: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier (CVE-2021-44224)
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).

high: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier (CVE-2021-44790)
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts).

CVE-2021-44224 CVE-2021-44790 https://httpd.apache.org/security/vulnerabilities_24.html 2021-12-20 2021-12-20
serviio -- affected by log4j vulnerability serviio 2.2.1

Serviio reports:

Serviio is affectred by the log4j vulnerability.

CVE-2021-44228 2021-12-13 2021-12-15
Privoxy -- Multiple vulnerabilities (memory leak, XSS) dropbear 3.0.33

Privoxy reports:

cgi_error_no_template(): Encode the template name to prevent XSS (cross-site scripting) when Privoxy is configured to servce the user-manual itself.

Commit 0e668e9409c. OVE-20211102-0001. CVE-2021-44543. Reported by: Artem Ivanov

get_url_spec_param(): Free memory of compiled pattern spec before bailing. Reported by Joshua Rogers (Opera) who also provided the fix. Commit 652b4b7cb0. OVE-20211201-0003. CVE-2021-44540.

process_encrypted_request_headers(): Free header memory when failing to get the request destination. Reported by Joshua Rogers (Opera) who also provided the fix. Commit 0509c58045. OVE-20211201-0002. CVE-2021-44541.

send_http_request(): Prevent memory leaks when handling errors Reported by Joshua Rogers (Opera) who also provided the fix. Commit c48d1d6d08. OVE-20211201-0001. CVE-2021-44542.

CVE-2021-44540 CVE-2021-44541 CVE-2021-44542 CVE-2021-44543 https://lists.privoxy.org/pipermail/privoxy-announce/2021-December/000009.html 2021-12-09 2021-12-15
OpenSSL -- Certificate validation issue openssl-devel 3.0.1

The OpenSSL project reports:

Invalid handling of X509_verify_cert() internal errors in libssl (Moderate)

Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses.

CVE-2021-4044 https://www.openssl.org/news/secadv/20211214.txt 2021-12-14 2021-12-14
bastillion -- log4j vulnerability bastillion 3.10.00_1

FreeBSD port maintainer reports:

Bastillion uses log4j.

CVE-2021-44228 2021-12-10 2021-12-14
chromium -- multiple vulnerabilities chromium 96.0.4664.110

Chrome Releases reports:

This release contains 5 security fixes, including:

  • [1263457] Critical CVE-2021-4098: Insufficient data validation in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-10-26
  • [1270658] High CVE-2021-4099: Use after free in Swiftshader. Reported by Aki Helin of Solita on 2021-11-16
  • [1272068] High CVE-2021-4100: Object lifecycle issue in ANGLE. Reported by Aki Helin of Solita on 2021-11-19
  • [1262080] High CVE-2021-4101: Heap buffer overflow in Swiftshader. Reported by Abraruddin Khan and Omair on 2021-10-21
  • [1278387] High CVE-2021-4102: Use after free in V8. Reported by Anonymous on 2021-12-09
CVE-2021-4098 CVE-2021-4099 CVE-2021-4100 CVE-2021-4101 CVE-2021-4102 https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop_13.html 2021-12-13 2021-12-14
Matrix clients -- several vulnerabilities cinny 1.6.0 element-web 1.9.7

Matrix developers report:

Today we are releasing security updates to libolm, matrix-js-sdk, and several clients including Element Web / Desktop. Users are encouraged to upgrade as soon as possible.

These releases mitigate a buffer overflow in olm_session_describe, a libolm debugging function used by matrix-js-sdk in its end-to-end encryption (E2EE) implementation. If you rely on matrix-js-sdk for E2EE, you are affected.

https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk 2021-12-03 2021-12-13
openhab -- log4j remote code injection openhab2 openhab 2.5.12 3.1.1

Openhab reports:

Any openHAB instance that is publicly available or which consumes untrusted content from remote servers is potentially a target of this attack.

CVE-2021-44228 https://github.com/openhab/openhab-distro/security/advisories/GHSA-j99j-qp89-pcfq https://github.com/ops4j/org.ops4j.pax.logging/security/advisories/GHSA-xxfh-x98p-j8fr https://github.com/advisories/GHSA-jfh8-c2jp-5v3q 2021-12-10 2021-12-13
Solr -- Apache Log4J apache-solr 8.11.1

Solr reports:

Apache Solr affected by Apache Log4J

https://solr.apache.org/security.html 2021-12-10 2021-12-13 2021-12-13
OpenSearch -- Log4Shell opensearch 1.2.1

OpenSearch reports:

A recently published security issue (CVE-2021-44228) affects several versions of the broadly-used Apache Log4j library. Some software in the OpenSearch project includes versions of Log4j referenced in this CVE. While, at time of writing, the team has not found a reproduceable example in OpenSearch of remote code execution (RCE) described in this issue, its severity is such that all users should take mitigation measures. As recommended by the advisory, the team has released OpenSearch 1.2.1, which updates Log4j to version 2.15.0. For those who cannot upgrade to 1.2.1, the Log4j website outlines additional measures to mitigate the issue. This patch release also addresses CVE-2021-4352 in the OpenSearch Docker distributions..

CVE-2021-44228 https://opensearch.org/blog/releases/2021/12/update-to-1-2-1/ 2021-12-11 2021-12-13
Grafana -- Directory Traversal grafana grafana8 8.0.08.3.2

GitHub Security Labs reports:

A vulnerability through which authenticated users could read out fully lowercase or fully uppercase .md files through directory traversal. Doing our own follow-up investigation we found a related vulnerability through which authenticated users could read out arbitrary .csv files through directory traversal. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

The vulnerable URL path is: /api/ds/query

CVE-2021-43815 https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/ 2021-12-09 2021-12-12
Grafana -- Directory Traversal grafana 5.0.07.5.12 8.0.08.3.2 grafana6 6.0.0 grafana7 7.0.07.5.12 grafana8 8.0.08.3.2

GitHub Security Labs reports:

A vulnerability through which authenticated users could read out fully lowercase or fully uppercase .md files through directory traversal. Doing our own follow-up investigation we found a related vulnerability through which authenticated users could read out arbitrary .csv files through directory traversal. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

The vulnerable URL path is: /api/plugins/.*/markdown/.* for .md files

CVE-2021-43813 https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/ 2021-12-09 2021-12-12
Grafana -- Path Traversal grafana8 grafana 8.0.08.0.7 8.1.08.1.8 8.2.08.2.7 8.3.08.3.1

Grafana Labs reports:

Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

The vulnerable URL path is: <grafana_host_url>/public/plugins/<“plugin-id”> where <“plugin-id”> is the plugin ID for any installed plugin.

Every Grafana instance comes with pre-installed plugins like the Prometheus plugin or MySQL plugin so the following URLs are vulnerable for every instance:

  • <grafana_host_url>/public/plugins/alertlist/
  • <grafana_host_url>/public/plugins/annolist/
  • <grafana_host_url>/public/plugins/barchart/
  • <grafana_host_url>/public/plugins/bargauge/
  • <grafana_host_url>/public/plugins/candlestick/
  • <grafana_host_url>/public/plugins/cloudwatch/
  • <grafana_host_url>/public/plugins/dashlist/
  • <grafana_host_url>/public/plugins/elasticsearch/
  • <grafana_host_url>/public/plugins/gauge/
  • <grafana_host_url>/public/plugins/geomap/
  • <grafana_host_url>/public/plugins/gettingstarted/
  • <grafana_host_url>/public/plugins/grafana-azure-monitor-datasource/
  • <grafana_host_url>/public/plugins/graph/
  • <grafana_host_url>/public/plugins/heatmap/
  • <grafana_host_url>/public/plugins/histogram/
  • <grafana_host_url>/public/plugins/influxdb/
  • <grafana_host_url>/public/plugins/jaeger/
  • <grafana_host_url>/public/plugins/logs/
  • <grafana_host_url>/public/plugins/loki/
  • <grafana_host_url>/public/plugins/mssql/
  • <grafana_host_url>/public/plugins/mysql/
  • <grafana_host_url>/public/plugins/news/
  • <grafana_host_url>/public/plugins/nodeGraph/
  • <grafana_host_url>/public/plugins/opentsdb
  • <grafana_host_url>/public/plugins/piechart/
  • <grafana_host_url>/public/plugins/pluginlist/
  • <grafana_host_url>/public/plugins/postgres/
  • <grafana_host_url>/public/plugins/prometheus/
  • <grafana_host_url>/public/plugins/stackdriver/
  • <grafana_host_url>/public/plugins/stat/
  • <grafana_host_url>/public/plugins/state-timeline/
  • <grafana_host_url>/public/plugins/status-history/
  • <grafana_host_url>/public/plugins/table/
  • <grafana_host_url>/public/plugins/table-old/
  • <grafana_host_url>/public/plugins/tempo/
  • <grafana_host_url>/public/plugins/testdata/
  • <grafana_host_url>/public/plugins/text/
  • <grafana_host_url>/public/plugins/timeseries/
  • <grafana_host_url>/public/plugins/welcome/
  • <grafana_host_url>/public/plugins/zipkin/
CVE-2021-43798 https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/ 2021-12-03 2021-12-11
Grafana -- Incorrect Access Control grafana8 grafana 8.0.08.2.4

Grafana Labs reports:

When the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin.

CVE-2021-41244 https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/ 2021-11-02 2021-12-11
Grafana -- XSS grafana8 grafana 8.0.08.2.3

Grafana Labs reports:

If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim’s browser.

The user visiting the malicious link must be unauthenticated, and the link must be for a page that contains the login button in the menu bar.

There are two ways an unauthenticated user can open a page in Grafana that contains the login button:

  • Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.
  • The link is to an unauthenticated page. The following pages are vulnerable:
    • /dashboard-solo/snapshot/*
    • /dashboard/snapshot/*
    • /invite/:code

The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }}

An example of an expression would be: {{constructor.constructor(‘alert(1)’)()}}. This can be included in the link URL like this:

https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1

When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated, and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.

CVE-2021-41174 https://grafana.com/blog/2021/11/03/grafana-8.2.3-released-with-medium-severity-security-fix-cve-2021-41174-grafana-xss/ 2021-10-21 2021-12-11
p7zip -- usage of uninitialized memory p7zip 18.05

NVD reports:

Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and before can lead to usage of uninitialized memory, allowing remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive.

CVE-2018-10115 https://nvd.nist.gov/vuln/detail/CVE-2018-10115 2018-05-02 2021-12-11
graylog -- include log4j patches graylog 4.2.3

Apache Software Foundation repos:

Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or paramters can execute arbitrary code from attacker-controller LDAP servers when message lookup substitution is enabled.

CVE-2021-44228 https://github.com/Graylog2/graylog2-server/commit/d3e441f1126f0dc292e986879039a87c59375b2a https://logging.apache.org/log4j/2.x/security.html 2021-12-10 2021-12-11
go -- multiple vulnerabilities go 1.17.5,1

The Go project reports:

net/http: limit growth of header canonicalization cache. An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests.

syscall: don’t close fd 0 on ForkExec error. When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one.

CVE-2021-44716 https://github.com/golang/go/issues/50058 CVE-2021-44717 https://github.com/golang/go/issues/50057 2021-12-08 2021-12-09
chromium -- multiple vulnerabilities chromium 96.0.4664.93

Chrome Releases reports:

This release contains 22 security fixes, including:

  • [1267661] High CVE-2021-4052: Use after free in web apps. Reported by Wei Yuan of MoyunSec VLab on 2021-11-07
  • [1267791] High CVE-2021-4053: Use after free in UI. Reported by Rox on 2021-11-08
  • [1265806] High CVE-2021-4079: Out of bounds write in WebRTC. Reported by Brendon Tiszka on 2021-11-01
  • [1239760] High CVE-2021-4054: Incorrect security UI in autofill. Reported by Alesandro Ortiz on 2021-08-13
  • [1268738] High CVE-2021-4078: Type confusion in V8. Reported by Nan Wang (@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2021-11-09
  • [1266510] High CVE-2021-4055: Heap buffer overflow in extensions. Reported by Chen Rong on 2021-11-03
  • [1260939] High CVE-2021-4056: Type Confusion in loader. Reported by @__R0ng of 360 Alpha Lab on 2021-10-18
  • [1262183] High CVE-2021-4057: Use after free in file API. Reported by Sergei Glazunov of Google Project Zero on 2021-10-21
  • [1267496] High CVE-2021-4058: Heap buffer overflow in ANGLE. Reported by Abraruddin Khan and Omair on 2021-11-06
  • [1270990] High CVE-2021-4059: Insufficient data validation in loader. Reported by Luan Herrera (@lbherrera_) on 2021-11-17
  • [1271456] High CVE-2021-4061: Type Confusion in V8. Reported by Paolo Severini on 2021-11-18
  • [1272403] High CVE-2021-4062: Heap buffer overflow in BFCache. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-11-22
  • [1273176] High CVE-2021-4063: Use after free in developer tools. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-11-23
  • [1273197] High CVE-2021-4064: Use after free in screen capture. Reported by @ginggilBesel on 2021-11-23
  • [1273674] High CVE-2021-4065: Use after free in autofill. Reported by 5n1p3r0010 on 2021-11-25
  • [1274499] High CVE-2021-4066: Integer underflow in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2021-11-29
  • [1274641] High CVE-2021-4067: Use after free in window manager. Reported by @ginggilBesel on 2021-11-29
  • [1265197] Low CVE-2021-4068: Insufficient validation of untrusted input in new tab page. Reported by NDevTK on 2021-10-31
CVE-2021-4052 CVE-2021-4053 CVE-2021-4054 CVE-2021-4055 CVE-2021-4056 CVE-2021-4057 CVE-2021-4058 CVE-2021-4059 CVE-2021-4061 CVE-2021-4062 CVE-2021-4063 CVE-2021-4064 CVE-2021-4065 CVE-2021-4066 CVE-2021-4067 CVE-2021-4068 CVE-2021-4078 CVE-2021-4079 https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html 2021-12-06 2021-12-07
Gitlab -- Multiple Vulnerabilities gitlab-ce 14.5.014.5.2 14.4.014.4.4 014.3.6

Gitlab reports:

Group members with developer role can escalate their privilege to maintainer on projects that they import

When user registration is limited, external users that aren't developers shouldn't have access to the CI Lint API

Collision in access memoization leads to potential elevated privileges on groups and projects

Project access token names are returned for unauthenticated requesters

Sensitive info disclosure in logs

Disclosure of a user's custom project and group templates

ReDoS in Maven package version

Potential denial of service via the Diff feature

Regular Expression Denial of Service via user comments

Service desk email accessible by any project member

Regular Expression Denial of Service via quick actions

IDOR in "external status check" API leaks data about any status check on the instance

Default branch name visible in public projects restricting access to the source code repository

Deploy token allows access to disabled project Wiki

Regular Expression Denial of Service via deploy Slash commands

Users can reply to Vulnerability Report discussions despite Only Project Members settings

Unauthorised deletion of protected branches

Author can approve Merge Request after having access revoked

HTML Injection via Swagger UI

CVE-2021-39944 CVE-2021-39935 CVE-2021-39937 CVE-2021-39915 CVE-2021-39919 CVE-2021-39930 CVE-2021-39940 CVE-2021-39932 CVE-2021-39933 CVE-2021-39934 CVE-2021-39917 CVE-2021-39916 CVE-2021-39941 CVE-2021-39936 CVE-2021-39938 CVE-2021-39918 CVE-2021-39931 CVE-2021-39945 CVE-2021-39910 https://about.gitlab.com/releases/2021/12/06/security-release-gitlab-14-5-2-released/ 2021-12-06 2021-12-07
NSS -- Memory corruption nss 3.73

The Mozilla project reports:

Memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures (Critical)

NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS.

CVE-2021-43527 https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/ 2021-12-01 2021-12-02
mailman < 2.1.38 -- CSRF vulnerability of list mod or member against list admin page mailman 2.1.38 mailman-exim4 2.1.38 mailman-exim4-with-htdig 2.1.38 mailman-postfix 2.1.38 mailman-postfix-with-htdig 2.1.38 mailman-with-htdig 2.1.38

Mark Sapiro reports:

A list moderator or list member can potentially carry out a CSRF attack by getting a list admin to visit a crafted web page.

CVE-2021-44227 https://bugs.launchpad.net/mailman/+bug/1952384 https://www.mail-archive.com/mailman-users@python.org/msg73979.html 2021-11-25 2021-12-01
rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse ruby 2.6.0,12.6.9,1 2.7.0,12.7.5,1 3.0.0,13.0.3,1 ruby26 2.6.0,12.6.9,1 ruby27 2.7.0,12.7.5,1 ruby30 3.0.0,13.0.3,1 rubygem-cgi 0.3.1

ooooooo_q reports:

The old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application.

By this fix, CGI::Cookie.parse no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded.

CVE-2021-41819 https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/ 2021-11-24 2021-11-24
rubygem-cgi -- buffer overrun in CGI.escape_html ruby 2.7.0,12.7.5,1 3.0.0,13.0.3,1 ruby27 2.7.0,12.7.5,1 ruby30 3.0.0,13.0.3,1 rubygem-cgi 0.3.1

chamal reports:

A security vulnerability that causes buffer overflow when you pass a very large string (> 700 MB) to CGI.escape_html on a platform where long type takes 4 bytes, typically, Windows.

CVE-2021-41816 https://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/ 2021-11-24 2021-11-24
py-matrix-synapse -- several vulnerabilities py36-matrix-synapse py37-matrix-synapse py38-matrix-synapse py39-matrix-synapse py310-matrix-synapse 1.47.1

Matrix developers report:

This release patches one high severity issue affecting Synapse installations 1.47.0 and earlier using the media repository. An attacker could cause these Synapses to download a remote file and store it in a directory outside the media repository.

Note that:

  • This only affects homeservers using Synapse's built-in media repository, as opposed to synapse-s3-storage-provider or matrix-media-repo.
  • Attackers cannot control the exact name or destination of the stored file.
ports/259994 CVE-2021-41281 https://matrix.org/blog/2021/11/23/synapse-1-47-1-released 2021-11-18 2021-11-23
advancecomp -- multiple vulnerabilities advancecomp 2.1.6

Joonun Jang reports:

heap buffer overflow running advzip with "-l poc" option

Running 'advzip -l poc' with the attached file raises heap buffer overflow which may allow a remote attacker to cause unspecified impact including denial-of-service attack. I expected the program to terminate without segfault, but the program crashes as follow. [...]

and other vulnerabilities.

CVE-2018-1056 CVE-2019-8379 CVE-2019-8383 CVE-2019-9210 2018-07-29 2021-11-19
chromium -- multiple vulnerabilities chromium 96.0.4664.45

Chrome Releases reports:

This release contains 25 security fixes, including:

  • [1263620] High CVE-2021-38008: Use after free in media. Reported by Marcin Towalski of Cisco Talos on 2021-10-26
  • [1260649] High CVE-2021-38009: Inappropriate implementation in cache. Reported by Luan Herrera (@lbherrera_) on 2021-10-16
  • [1240593] High CVE-2021-38006: Use after free in storage foundation. Reported by Sergei Glazunov of Google Project Zero on 2021-08-17
  • [1254189] High CVE-2021-38007: Type Confusion in V8. Reported by Polaris Feng and SGFvamll at Singular Security Lab on 2021-09-29
  • [1241091] High CVE-2021-38005: Use after free in loader. Reported by Sergei Glazunov of Google Project Zero on 2021-08-18
  • [1264477] High CVE-2021-38010: Inappropriate implementation in service workers. Reported by Sergei Glazunov of Google Project Zero on 2021-10-28
  • [1268274] High CVE-2021-38011: Use after free in storage foundation. Reported by Sergei Glazunov of Google Project Zero on 2021-11-09
  • [1262791] Medium CVE-2021-38012: Type Confusion in V8. Reported by Yonghwi Jin (@jinmo123) on 2021-10-24
  • [1242392] Medium CVE-2021-38013: Heap buffer overflow in fingerprint recognition. Reported by raven (@raid_akame) on 2021-08-23
  • [1248567] Medium CVE-2021-38014: Out of bounds write in Swiftshader. Reported by Atte Kettunen of OUSPG on 2021-09-10
  • [957553] Medium CVE-2021-38015: Inappropriate implementation in input. Reported by David Erceg on 2019-04-29
  • [1244289] Medium CVE-2021-38016: Insufficient policy enforcement in background fetch. Reported by Maurice Dauer on 2021-08-28
  • [1256822] Medium CVE-2021-38017: Insufficient policy enforcement in iframe sandbox. Reported by NDevTK on 2021-10-05
  • [1197889] Medium CVE-2021-38018: Inappropriate implementation in navigation. Reported by Alesandro Ortiz on 2021-04-11
  • [1251179] Medium CVE-2021-38019: Insufficient policy enforcement in CORS. Reported by Maurice Dauer on 2021-09-20
  • [1259694] Medium CVE-2021-38020: Insufficient policy enforcement in contacts picker. Reported by Luan Herrera (@lbherrera_) on 2021-10-13
  • [1233375] Medium CVE-2021-38021: Inappropriate implementation in referrer. Reported by Prakash (@1lastBr3ath) and Jun Kokatsu on 2021-07-27
  • [1248862] Low CVE-2021-38022: Inappropriate implementation in WebAuthentication. Reported by Michal Kepkowski on 2021-09-13
CVE-2021-38005 CVE-2021-38006 CVE-2021-38007 CVE-2021-38008 CVE-2021-38009 CVE-2021-38010 CVE-2021-38011 CVE-2021-38012 CVE-2021-38013 CVE-2021-38014 CVE-2021-38015 CVE-2021-38016 CVE-2021-38017 CVE-2021-38018 CVE-2021-38019 CVE-2021-38020 CVE-2021-38021 CVE-2021-38022 https://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html 2021-11-15 2021-11-16
rubygem-date -- Regular Expression Denial of Service Vunlerability of Date Parsing Methods ruby 2.6.0,12.6.9,1 2.7.0,12.7.5,1 3.0.0,13.0.3,1 ruby26 2.6.0,12.6.9,1 ruby27 2.7.0,12.7.5,1 ruby30 3.0.0,13.0.3,1 rubygem-date 3.2.1

Stanislav Valkanov reports:

Date's parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected.

CVE-2021-41817 https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/ 2021-11-15 2021-11-15 2021-11-24
Roundcube -- Multiple vulnerabilities roundcube 1.4.12,1

The Roundcube project reports:

XSS issue in handling attachment filename extension in mimetype mismatch warning

possible SQL injection via some session variables

https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released 2021-11-12 2021-11-15
mailman -- 2.1.37 fixes XSS via user options, and moderator offline brute-force vuln against list admin password mailman 2.1.37 mailman-exim4 2.1.37 mailman-exim4-with-htdig 2.1.37 mailman-postfix 2.1.37 mailman-postfix-with-htdig 2.1.37 mailman-with-htdig 2.1.37

Mark Sapiro reports:

A potential XSS attack via the user options page has been reported by Harsh Jaiswal. This is fixed. CVE-2021-43331 (LP: #1949401).

A potential for for a list moderator to carry out an off-line brute force attack to obtain the list admin password has been reported by Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed. CVE-2021-43332 (LP: #1949403)

CVE-2021-43331 CVE-2021-43332 https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/1879/NEWS#L8 https://bugs.launchpad.net/mailman/+bug/1949401 https://bugs.launchpad.net/mailman/+bug/1949403 2021-11-01 2021-11-13
PostgreSQL -- Possible man-in-the-middle attacks postgresql14-server 14.1 postgresql13-server 13.5 postgresql12-server 12.9 postgresql11-server 11.14 postgresql10-server 10.19 postgresql96-server 9.6.24

The PostgreSQL Project reports:

CVE-2021-23214: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)

CVE-2021-23222: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.

CVE-2021-23214 CVE-2021-23222 2021-11-08 2021-11-10
puppet -- Silent Configuration Failure puppet6 6.25.1 puppet7 7.12.1

Puppet reports:

A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first pluginsync.

CVE-2021-27025 https://puppet.com/security/cve/cve-2021-27025 2021-11-09 2021-11-10
puppet -- Unsafe HTTP Redirect puppet6 6.25.1 puppet7 7.12.1 puppetserver6 6.17.1 puppetserver7 7.4.2

Puppet reports:

A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007.

CVE-2021-27023 https://puppet.com/security/cve/cve-2021-27023 2021-11-09 2021-11-10
samba -- Multiple Vulnerabilities samba413 4.13.14 samba414 4.14.10 samba415 4.15.2

The Samba Team reports:

  • CVE-2020-25717: A user in an AD Domain could become root on domain members.
  • CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC.
  • CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets.
  • CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid).
  • CVE-2020-25722: Samba AD DC did not do sufficient access and conformance checking of data stored.
  • CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication.
  • CVE-2021-3738: Use after free in Samba AD DC RPC server.
  • CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
CVE-2020-25717 CVE-2020-25718 CVE-2020-25719 CVE-2020-25721 CVE-2020-25722 CVE-2016-2124 CVE-2021-3738 CVE-2021-23192 https://www.samba.org/samba/security/CVE-2020-25717.html https://www.samba.org/samba/security/CVE-2020-25718.html https://www.samba.org/samba/security/CVE-2020-25719.html https://www.samba.org/samba/security/CVE-2020-25721.html https://www.samba.org/samba/security/CVE-2020-25722.html https://www.samba.org/samba/security/CVE-2016-2124.html https://www.samba.org/samba/security/CVE-2021-3738.html https://www.samba.org/samba/security/CVE-2021-23192.html 2021-11-10 2021-11-10
pyrad -- multiple vulnerabilities py36-pyrad py37-pyrad py38-pyrad py39-pyrad py310-pyrad 2.1

Nathaniel McCallum reports:

packet.py in pyrad before 2.1 uses weak random numbers to generate RADIUS authenticators and hash passwords, which makes it easier for remote attackers to obtain sensitive information via a brute force attack.

The CreateID function in packet.py in pyrad before 2.1 uses sequential packet IDs, which makes it easier for remote attackers to spoof packets by predicting the next ID, a different vulnerability than CVE-2013-0294.

CVE-2013-0294 CVE-2013-0342 https://bugzilla.redhat.com/show_bug.cgi?id=911682 https://bugzilla.redhat.com/show_bug.cgi?id=911685 2013-01-15 2021-11-05
go -- multiple vulnerabilities go 1.17.3,1

The Go project reports:

debug/macho fails out when loading a file that contains a dynamic symbol table command that indicates a larger number of symbols than exist in the loaded symbol table.

Previously, opening a zip with (*Reader).Open could result in a panic if the zip contained a file whose name was exclusively made up of slash characters or ".." path elements. Open could also panic if passed the empty string directly as an argument.

CVE-2021-41771 https://github.com/golang/go/issues/48990 CVE-2021-41772 https://github.com/golang/go/issues/48085 2021-11-04 2021-11-05
jenkins -- multiple vulnerabilities jenkins 2.319 jenkins-lts 2.303.3

Jenkins Security Advisory:

Description

(Critical) SECURITY-2455 / CVE-2021-21685, CVE-2021-21686, CVE-2021-21687, CVE-2021-21688, CVE-2021-21689, CVE-2021-21690, CVE-2021-21691, CVE-2021-21692, CVE-2021-21693, CVE-2021-21694, CVE-2021-21695

Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control

(High) SECURITY-2423 / CVE-2021-21696

Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin

(High) SECURITY-2428 / CVE-2021-21697

Agent-to-controller access control allows reading/writing most content of build directories

(Medium) SECURITY-2506 / CVE-2021-21698

Path traversal vulnerability in Subversion Plugin allows reading arbitrary files

CVE-2021-21685 CVE-2021-21686 CVE-2021-21687 CVE-2021-21688 CVE-2021-21689 CVE-2021-21690 CVE-2021-21691 CVE-2021-21692 CVE-2021-21693 CVE-2021-21694 CVE-2021-21695 CVE-2021-21696 CVE-2021-21697 CVE-2021-21698 https://www.jenkins.io/security/advisory/2021-11-04/ 2021-11-04 2021-11-04
gitea -- multiple vulnerabilities gitea 1.15.5

The Gitea Team reports for release 1.15.5:

  • Upgrade Bluemonday to v1.0.16 (#17372) (#17374)
  • Ensure correct SSH permissions check for private and restricted users (#17370) (#17373)
https://github.com/go-gitea/gitea/releases/tag/v1.15.5 ports/259548 2021-10-21 2021-11-04
Gitlab -- Multiple Vulnerabilities gitlab-ce 14.4.014.4.1 14.3.014.3.4 014.2.6

Gitlab reports:

Stored XSS via ipynb files

Pipeline schedules on imported projects can be set to automatically active after import

Potential Denial of service via Workhorse

Improper Access Control allows Merge Request creator to bypass locked status

Projects API discloses ID and name of private groups

Severity of an incident can be changed by a guest user

System root password accidentally written to log file

Potential DoS via a malformed TIFF image

Bypass of CODEOWNERS Merge Request approval requirement

Change project visibility to a restricted option

Project exports leak external webhook token value

SCIM token is visible after creation

Invited group members, with access inherited from parent group, continue to have project access even after invited subgroup is transfered

Regular expression denial of service issue when cleaning namespace path

Prevent creation of scopeless apps using applications API

Webhook data exposes assignee's private email address

CVE-2021-39906 CVE-2021-39895 CVE-2021-39907 CVE-2021-39904 CVE-2021-39905 CVE-2021-39902 CVE-2021-39913 CVE-2021-39912 CVE-2021-39909 CVE-2021-39903 CVE-2021-39898 CVE-2021-39901 CVE-2021-39897 CVE-2021-39914 CVE-2021-39911 https://about.gitlab.com/releases/2021/10/28/security-release-gitlab-14-4-1-released/ 2021-10-28 2021-10-30
chromium -- multiple vulnerabilities chromium 95.0.4638.69

Chrome Releases reports:

This release contains 8 security fixes, including:

  • [1259864] High CVE-2021-37997 : Use after free in Sign-In. Reported by Wei Yuan of MoyunSec VLab on 2021-10-14
  • [1259587] High CVE-2021-37998 : Use after free in Garbage Collection. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-10-13
  • [1251541] High CVE-2021-37999 : Insufficient data validation in New Tab Page. Reported by Ashish Arun Dhone on 2021-09-21
  • [1249962] High CVE-2021-38000 : Insufficient validation of untrusted input in Intents. Reported by Clement Lecigne, Neel Mehta, and Maddie Stone of Google Threat Analysis Group on 2021-09-15
  • [1260577] High CVE-2021-38001 : Type Confusion in V8. Reported by @s0rrymybad of Kunlun Lab via Tianfu Cup on 2021-10-16
  • [1260940] High CVE-2021-38002 : Use after free in Web Transport. Reported by @__R0ng of 360 Alpha Lab, ? via Tianfu Cup on 2021-10-16
  • [1263462] High CVE-2021-38003 : Inappropriate implementation in V8. Reported by Clément Lecigne from Google TAG and Samuel Gross from Google Project Zero on 2021-10-26

Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild.

CVE-2021-37997 CVE-2021-37998 CVE-2021-37999 CVE-2021-38000 CVE-2021-38001 CVE-2021-38002 CVE-2021-38003 https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html 2021-10-28 2021-10-29
fail2ban -- possible RCE vulnerability in mailing action using mailutils py36-fail2ban py37-fail2ban py38-fail2ban py39-fail2ban py310-fail2ban 0.11.2_3

Jakub Żoczek reports:

Command mail from mailutils package used in mail actions like mail-whois can execute command if unescaped sequences (\n~) are available in "foreign" input (for instance in whois output).

CVE-2021-32749 https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm 2021-07-16 2021-10-28
Grafana -- Snapshot authentication bypass grafana8 grafana7 grafana6 grafana 8.0.08.1.6 2.0.17.5.11

Grafana Labs reports:

Unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths:

  • /dashboard/snapshot/:key, or
  • /api/snapshots/:key

If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path:

  • /api/snapshots-delete/:deleteKey

Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths:

  • /api/snapshots/:key, or
  • /api/snapshots-delete/:deleteKey

The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.

CVE-2021-39226 https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/ 2021-09-15 2021-10-06
minio -- policy restriction issue minio 2021.10.23.03.28.24

minio developers report:

Looks like policy restriction was not working properly for normal users when they are not svc or STS accounts.

  • svc accounts are now properly fixed to get right permissions when its inherited, so we do not have to set 'owner = true'
  • sts accounts have always been using right permissions, do not need an explicit lookup
  • regular users always have proper policy mapping
CVE-2021-41137 https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c 2021-10-12 2021-10-23
mailman -- brute-force vuln on list admin password, and CSRF vuln in releases before 2.1.35 mailman 2.1.35 mailman-with-htdig 2.1.35

Mark Sapiro reports:

A potential for for a list member to carry out an off-line brute force attack to obtain the list admin password has been reported by Andre Protas, Richard Cloke and Andy Nuttall of Apple. This is fixed.

A CSRF attack via the user options page could allow takeover of a users account. This is fixed.

CVE-2021-42096 CVE-2021-42097 https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/view/1873/NEWS#L8 https://bugs.launchpad.net/mailman/+bug/1947639 https://bugs.launchpad.net/mailman/+bug/1947640 2021-10-18 2021-10-20
chromium -- multiple vulnerabilities chromium 95.0.4638.54

Chrome Releases reports:

This release contains 19 security fixes, including:

  • [1246631] High CVE-2021-37981: Heap buffer overflow in Skia. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-09-04
  • [1248661] High CVE-2021-37982: Use after free in Incognito. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-09-11
  • [1249810] High CVE-2021-37983: Use after free in Dev Tools. Reported by Zhihua Yao of KunLun Lab on 2021-09-15
  • [1253399] High CVE-2021-37984: Heap buffer overflow in PDFium. Reported by Antti Levomäki, Joonas Pihlaja andChristian Jali from Forcepoint on 2021-09-27
  • [1241860] High CVE-2021-37985: Use after free in V8. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-08-20
  • [1242404] Medium CVE-2021-37986: Heap buffer overflow in Settings. Reported by raven (@raid_akame) on 2021-08-23
  • [1206928] Medium CVE-2021-37987: Use after free in Network APIs. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-08
  • [1228248] Medium CVE-2021-37988: Use after free in Profiles. Reported by raven (@raid_akame) on 2021-07-12
  • [1233067] Medium CVE-2021-37989: Inappropriate implementation in Blink. Reported by Matt Dyas, Ankur Sundara on 2021-07-26
  • [1247395] Medium CVE-2021-37990: Inappropriate implementation in WebView. Reported by Kareem Selim of CyShield on 2021-09-07
  • [1250660] Medium CVE-2021-37991: Race in V8. Reported by Samuel Gross of Google Project Zero on 2021-09-17
  • [1253746] Medium CVE-2021-37992: Out of bounds read in WebAudio. Reported by sunburst@Ant Security Light-Year Lab on 2021-09-28
  • [1255332] Medium CVE-2021-37993: Use after free in PDF Accessibility. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-10-02
  • [1243020] Medium CVE-2021-37996: Insufficient validation of untrusted input in Downloads. Reported by Anonymous on 2021-08-24
  • [1100761] Low CVE-2021-37994: Inappropriate implementation in iFrame Sandbox. Reported by David Erceg on 2020-06-30
  • [1242315] Low CVE-2021-37995: Inappropriate implementation in WebApp Installer. Reported by Terence Eden on 2021-08-23
CVE-2021-37981 CVE-2021-37982 CVE-2021-37983 CVE-2021-37984 CVE-2021-37985 CVE-2021-37986 CVE-2021-37987 CVE-2021-37988 CVE-2021-37989 CVE-2021-37990 CVE-2021-37991 CVE-2021-37992 CVE-2021-37993 CVE-2021-37994 CVE-2021-37995 CVE-2021-37996 https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_19.html 2021-10-19 2021-10-19
MySQL -- Multiple vulnerabilities mysql57-server 5.7.36 mysql80-client 8.0.27 mysql-connector-java 8.0.27 mysql80-server 8.0.27 mariadb103-server 10.3.32 mariadb104-server 10.4.22 mariadb105-server 10.5.13

Oracle reports:

This Critical Patch Update contains 66 new security patches for Oracle MySQL. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 9.8.

Note: MariaDB only vulnerable against CVE-2021-35604

https://www.oracle.com/security-alerts/cpuoct2021.html CVE-2021-22931 CVE-2021-3711 CVE-2021-22926 CVE-2021-36222 CVE-2021-35583 CVE-2021-35610 CVE-2021-35597 CVE-2021-35607 CVE-2021-2481 CVE-2021-35590 CVE-2021-35592 CVE-2021-35593 CVE-2021-35594 CVE-2021-35598 CVE-2021-35621 CVE-2021-2471 CVE-2021-35604 CVE-2021-35612 CVE-2021-35608 CVE-2021-35602 CVE-2021-35577 CVE-2021-2478 CVE-2021-2479 CVE-2021-35537 CVE-2021-35591 CVE-2021-35596 CVE-2021-35648 CVE-2021-35631 CVE-2021-35626 CVE-2021-35627 CVE-2021-35628 CVE-2021-35629 CVE-2021-35575 CVE-2021-35634 CVE-2021-35635 CVE-2021-35636 CVE-2021-35638 CVE-2021-35641 CVE-2021-35642 CVE-2021-35643 CVE-2021-35644 CVE-2021-35645 CVE-2021-35646 CVE-2021-35647 CVE-2021-35630 CVE-2021-35637 CVE-2021-35546 CVE-2021-35622 CVE-2021-35624 CVE-2021-35639 CVE-2021-35632 CVE-2021-35584 CVE-2021-35613 CVE-2021-35640 CVE-2021-35633 CVE-2021-35625 CVE-2021-35623 CVE-2021-35618 2021-10-16 2021-10-17 2021-11-09
Node.js -- October 2021 Security Releases node 16.11.1 node14 14.18.1

Node.js reports:

HTTP Request Smuggling due to spaced in headers (Medium)(CVE-2021-22959)

The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS).

HTTP Request Smuggling when parsing the body (Medium)(CVE-2021-22960)

The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

CVE-2021-22959 CVE-2021-22960 https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/ 2021-10-12 2021-10-14
OpenSSH -- OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand openssh-portable openssh-portable-hpn openssh-portable-gssapi 6.2.p1,18.7.p1_2,1

OpenBSD Project reports:

sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a different user. Instead these commands would inherit the groups that sshd(8) was started with.

Depending on system configuration, inherited groups may allow AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to gain unintended privilege.

Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are enabled by default in sshd_config(5).

CVE-2021-41617 https://www.openssh.com/txt/release-8.8 2021-09-26 2021-10-12
couchdb -- user privilege escalation couchdb 3.1.2,2

Cory Sabol reports:

A malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated _show and _list functionality.

CVE-2021-39205 https://docs.couchdb.org/en/stable/cve/2021-38295.html 2021-08-09 2021-10-12
Ansible -- Ansible user credentials disclosure in ansible-connection module py36-ansible-core py37-ansible-core py38-ansible-core py39-ansible-core py310-ansible-core 2.11.6 py36-ansible-base py37-ansible-base py38-ansible-base py39-ansible-base py310-ansible-base 2.10.15 py36-ansible2 py37-ansible2 py38-ansible2 py39-ansible2 py310-ansible2 2.9.27 py36-ansible py37-ansible py38-ansible py39-ansible py310-ansible 2.9.27

Red Hat reports:

A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.

CVE-2021-3620 https://access.redhat.com/security/cve/CVE-2021-3620 https://nvd.nist.gov/vuln/detail/CVE-2021-3620 https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#v2-9-27 https://github.com/ansible/ansible/blob/stable-2.10/changelogs/CHANGELOG-v2.10.rst#v2-10-15 https://github.com/ansible/ansible/blob/stable-2.11/changelogs/CHANGELOG-v2.11.rst#v2-11-6 2021-06-25 2021-10-11
Apache OpenOffice -- multiple vulnerabilities. apache-openoffice 4.1.11 apache-openoffice-devel 4.2.1633255994,4

The Apache Openoffice project reports:

Apache OpenOffice opens dBase/DBF documents and shows the contents as spreadsheets. DBF are database files with data organized in fields. When reading DBF data the size of certain fields is not checked: the data is just copied into local variables. A carefully crafted document could overflow the allocated space, leading to the execution of arbitrary code by altering the contents of the program stack. This issue affects Apache OpenOffice up to and including version 4.1.10

It is possible for an attacker to manipulate signed documents and macros to appear to come from a trusted source. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25633 for the LibreOffice advisory

It is possible for an attacker to manipulate the timestamp of signed documents. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25634 for the LibreOffice advisory.

It is possible for an attacker to manipulate documents to appear to be signed by a trusted source. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25635 for the LibreOffice advisory.

CVE-2021-33035 CVE-2021-41830 CVE-2021-41831 CVE-2021-41832 https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.11+Release+Notes/#AOO4.1.11ReleaseNotes-Security 2021-05-04 2021-10-09
go -- misc/wasm, cmd/link: do not let command line arguments overwrite global data go 1.17.2,1

The Go project reports:

When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments.

If using wasm_exec.js to execute WASM modules, users will need to replace their copy after rebuilding any modules.

CVE-2021-38297 https://github.com/golang/go/issues/48797 2021-10-06 2021-10-09
chromium -- multiple vulnerabilities chromium 94.0.4606.81

Chrome Releases reports:

This release contains 4 security fixes, including:

  • [1252878] High CVE-2021-37977: Use after free in Garbage Collection. Reported by Anonymous on 2021-09-24
  • [1236318] High CVE-2021-37978: Heap buffer overflow in Blink. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-08-04
  • [1247260] High CVE-2021-37979: Heap buffer overflow in WebRTC. Reported by Marcin Towalski of Cisco Talos on 2021-09-07
  • [1254631] High CVE-2021-37980: Inappropriate implementation in Sandbox. Reported by Yonghwi Jin (@jinmo123) on 2021-09-30
CVE-2021-37977 CVE-2021-37978 CVE-2021-37979 CVE-2021-37980 https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop.html 2021-10-07 2021-10-08
Apache httpd -- Path Traversal and Remote Code Execution apache24 2.4.492.4.51

The Apache http server project reports:

critical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013).

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.

If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.

This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

Acknowledgements: Reported by Juan Escobar from Dreamlab Technologies, Fernando Munoz from NULL Life CTF Team, and Shungo Kumasaka

CVE-2021-42013 2021-10-07 2021-10-07
jenkins -- Jenkins core bundles vulnerable version of the commons-httpclient library jenkins 2.315 jenkins-lts 2.303.2

Jenkins Security Advisory:

Description

(Medium) SECURITY-2475 / CVE-2014-3577

Jenkins core bundles vulnerable version of the commons-httpclient library

CVE-2014-3577 https://www.jenkins.io/security/advisory/2021-10-06/ 2021-10-06 2021-10-07
Apache httpd -- Multiple vulnerabilities apache24 2.4.492.4.50

The Apache http server project reports:

  • moderate: null pointer dereference in h2 fuzzing (CVE-2021-41524)
  • important: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)
CVE-2021-41524 CVE-2021-41773 https://httpd.apache.org/security/vulnerabilities_24.html 2021-10-05 2021-10-05 2021-10-06
Bacula-Web -- Multiple Vulnerabilities bacula-web 8.4.2

Bacula-Web reports:

Address Smarty CVE

CVE-2021-26119 CVE-2021-26120 https://www.bacula-web.org/releases/2021-07-11-bacula-web-8.4.2/ 2021-07-11 2021-10-05
redis -- multiple vulnerabilities redis-devel 7.0.0.20211005 redis 6.2.6 redis6 6.0.16 redis5 5.0.14

The Redis Team reports:

CVE-2021-41099
Integer to heap buffer overflow handling certain string commands and network payloads, when proto-max-bulk-len is manually configured.
CVE-2021-32762
Integer to heap buffer overflow issue in redis-cli and redis-sentinel parsing large multi-bulk replies on some older and less common platforms.
CVE-2021-32687
Integer to heap buffer overflow with intsets, when set-max-intset-entries is manually configured to a non-default, very large value.
CVE-2021-32675
Denial Of Service when processing RESP request payloads with a large number of elements on many connections.
CVE-2021-32672
Random heap reading issue with Lua Debugger.
CVE-2021-32628
Integer to heap buffer overflow handling ziplist-encoded data types, when configuring a large, non-default value for hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value.
CVE-2021-32627
Integer to heap buffer overflow issue with streams, when configuring a non-default, large value for proto-max-bulk-len and client-query-buffer-limit.
CVE-2021-32626
Specially crafted Lua scripts may result with Heap buffer overflow.
CVE-2021-41099 CVE-2021-32762 CVE-2021-32687 CVE-2021-32675 CVE-2021-32672 CVE-2021-32628 CVE-2021-32627 CVE-2021-32626 https://groups.google.com/g/redis-db/c/GS_9L2KCk9g 2021-10-04 2021-10-05
mediawiki -- multiple vulnerabilities mediawiki131 1.31.16 mediawiki135 1.35.4 mediawiki136 1.36.2

Mediawiki reports:

(T285515, CVE-2021-41798) SECURITY: XSS vulnerability in Special:Search.

(T290379, CVE-2021-41799) SECURITY: ApiQueryBacklinks can cause a full table scan.

(T284419, CVE-2021-41800) SECURITY: fix PoolCounter protection of Special:Contributions.

(T279090, CVE-2021-41801) SECURITY: ReplaceText continues performing actions if the user no longer has the correct permission (such as by being blocked).

CVE-2021-41798 CVE-2021-41799 CVE-2021-41800 CVE-2021-41801 https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/2IFS5CM2YV4VMSODPX3J2LFHKSEWVFV5/ 2021-06-24 2021-10-01
chromium -- multiple vulnerabilities chromium 94.0.4606.71

Chrome Releases/Stable updates reports:

This release contains 4 security fixes, including:

  • [1245578] High CVE-2021-37974: Use after free in Safe Browsing. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-09-01
  • [1252918] High CVE-2021-37975: Use after free in V8. Reported by Anonymous on 2021-09-24
  • [1251787] Medium CVE-2021-37976: Information leak in core. Reported by Clement Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero on 2021-09-21

Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild.

CVE-2021-37974 CVE-2021-37975 CVE-2021-37976 https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html 2021-09-30 2021-09-30
Gitlab -- vulnerabilities gitlab-ce 14.3.014.3.1 14.2.014.2.5 014.1.7

Gitlab reports:

Stored XSS in merge request creation page

Denial-of-service attack in Markdown parser

Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown

DNS Rebinding vulnerability in Gitea importer

Exposure of trigger tokens on project exports

Improper access control for users with expired password

Access tokens are not cleared after impersonation

Reflected Cross-Site Scripting in Jira Integration

DNS Rebinding vulnerability in Fogbugz importer

Access tokens persist after project deletion

User enumeration vulnerability

Potential DOS via API requests

Pending invitations of public groups and public projects are visible to any user

Bypass Disabled Repo by URL Project Creation

Low privileged users can see names of the private groups shared in projects

API discloses sensitive info to low privileged users

Epic listing do not honour group memberships

Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed

Low privileged users can import users from projects that they they are not a maintainer on

Potential DOS via dependencies API

Create a project with unlimited repository size through malicious Project Import

Bypass disabled Bitbucket Server import source project creation

Requirement to enforce 2FA is not honored when using git commands

Content spoofing vulnerability

Improper session management in impersonation feature

Create OAuth application with arbitrary scopes through content spoofing

Lack of account lockout on change password functionality

Epic reference was not updated while moved between groups

Missing authentication allows disabling of two-factor authentication

Information disclosure in SendEntry

CVE-2021-39885 CVE-2021-39877 CVE-2021-39887 CVE-2021-39867 CVE-2021-39869 CVE-2021-39872 CVE-2021-39878 CVE-2021-39866 CVE-2021-39882 CVE-2021-39875 CVE-2021-39870 CVE-2021-39884 CVE-2021-39883 CVE-2021-22259 CVE-2021-39868 CVE-2021-39871 CVE-2021-39874 CVE-2021-39873 CVE-2021-39881 CVE-2021-39886 CVE-2021-39879 https://about.gitlab.com/releases/2021/09/30/security-release-gitlab-14-3-1-released/ 2021-09-30 2021-09-30
ha -- Directory traversals ha 0.999b_2

Alexander Cherepanov reports:

Version 0.999b and older of ha archiver is susceptible to directory traversal vulnerabilities via absolute and relative paths.

CVE-2015-1198 http://www.openwall.com/lists/oss-security/2015/01/18/8 2015-01-18 2021-09-30
nexus2-oss -- Apache ActiveMQ JMX vulnerability nexus2-oss 2.14.20

Sonatype reports:

  • CVE-2020-13920: Apache ActiveMQ JMX is vulnerable to a MITM attack
CVE-2020-13920 https://help.sonatype.com/repomanager2/release-notes/2020-release-notes#id-2020ReleaseNotes-RepositoryManage 2020-12-28 2021-09-29
nexus2-oss -- NXRM2 Directory Traversal vulnerability nexus2-oss 2.14.19

Sonatype reports:

  • CVE-2020-15012: NXRM2 Directory Traversal vulnerability
CVE-2020-15012 https://help.sonatype.com/repomanager2/release-notes/2020-release-notes#id-2020ReleaseNotes-RepositoryManage 2020-06-23 2021-09-29
webkit2-gtk3 -- multiple vulnerabilities webkit2-gtk3 2.32.4

The WebKitGTK project reports vulnerabilities:

  • CVE-2021-30858: Processing maliciously crafted web content may lead to arbitrary code execution.
CVE-2021-30858 https://webkitgtk.org/security/WSA-2021-0005.html 2021-09-20 2021-09-24
chromium -- use after free in Portals chromium 94.0.4606.61

Chrome Releases reports:

][1251727] High CVE-2021-37973 : Use after free in Portals. Reported by Clement Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero on 2021-09-21

Google is aware that an exploit for CVE-2021-37973 exists in the wild.

CVE-2021-37973 https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html 2021-09-24 2021-09-24
zeek -- several vulnerabilities zeek 4.0.4

Tim Wojtulewicz of Corelight reports:

Paths from log stream make it into system() unchecked, potentially leading to commands being run on the system unintentionally. This requires either bad scripting or a malicious package to be installed, and is considered low severity.

Fix potential unbounded state growth in the PIA analyzer when receiving a connection with either a large number of zero-length packets, or one which continues ack-ing unseen segments. It is possible to run Zeek out of memory in these instances and cause it to crash. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability.

https://github.com/zeek/zeek/releases/tag/v4.0.4 2021-08-26 2021-09-22
mod_auth_mellon -- Redirect URL validation bypass mod_auth_mellon 0.18.0

Jakub Hrozek reports:

Version 0.17.0 and older of mod_auth_mellon allows the redirect URL validation to be bypassed by specifying an URL formatted as ///fishing-site.example.com/logout.html

CVE-2019-13038 https://github.com/latchset/mod_auth_mellon/releases/tag/v0.18.0 2021-07-30 2021-09-22
Node.js -- August 2021 Security Releases (2) node14 14.17.6

Node.js reports:

npm 6 update - node-tar, arborist, npm cli modules

These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVE being remediated in core npm CLI dependencies including node-tar, and npm arborist.

CVE-2021-32803 CVE-2021-32804 CVE-2021-37701 CVE-2021-37712 CVE-2021-37713 CVE-2021-39134 CVE-2021-39135 https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases2/ 2021-08-31 2021-09-21
Node.js -- August 2021 Security Releases node14 14.17.4 node 16.6.2

Node.js reports:

cares upgrade - Improper handling of untypical characters in domain names (High) (CVE-2021-22931)

Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of host names returned by Domain Name Servers in the Node.js DNS library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

Use after free on close http2 on stream canceling (High) (CVE-2021-22940)

Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. The issue is a follow on to CVE-2021-22930 as the issue was not completely resolved in the fix for CVE-2021-22930.

Incomplete validation of rejectUnauthorized parameter (Low) (CVE-2021-22939)

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

CVE-2021-22931 CVE-2021-22940 CVE-2021-22939 https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/ 2021-08-11 2021-09-21
Node.js -- July 2021 Security Releases (2) node14 14.17.4 node 16.6.0

Node.js reports:

Use after free on close http2 on stream canceling (High) (CVE-2021-22930)

Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

CVE-2021-22930 https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/ 2021-07-29 2021-09-21
Node.js -- July 2021 Security Releases node14 14.17.2 node 16.4.1

Node.js reports:

libuv upgrade - Out of bounds read (Medium) (CVE-2021-22918)

Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes.

Windows installer - Node Installer Local Privilege Escalation (Medium) (CVE-2021-22921)

Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.

npm upgrade - ssri Regular Expression Denial of Service (ReDoS) (High) (CVE-2021-27290)

This is a vulnerability in the ssri npm module which may be vulnerable to denial of service attacks.

npm upgrade - hosted-git-info Regular Expression Denial of Service (ReDoS) (Medium) (CVE-2021-23362)

This is a vulnerability in the hosted-git-info npm module which may be vulnerable to denial of service attacks.

CVE-2021-22918 CVE-2021-22921 CVE-2021-27290 CVE-2021-23362 https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ 2021-07-01 2021-09-21
chromium -- multiple vulnerabilities chromium 94.0.4606.54

Chrome Releases reports:

This update contains 19 security fixes, including:

  • [1243117] High CVE-2021-37956: Use after free in Offline use. Reported by Huyna at Viettel Cyber Security on 2021-08-24
  • [1242269] High CVE-2021-37957: Use after free in WebGPU. Reported by Looben Yang on 2021-08-23
  • [1223290] High CVE-2021-37958: Inappropriate implementation in Navigation. Reported by James Lee (@Windowsrcer) on 2021-06-24
  • [1229625] High CVE-2021-37959: Use after free in Task Manager. Reported by raven (@raid_akame) on 2021-07-15
  • [1247196] High CVE-2021-37960: Inappropriate implementation in Blink graphics. Reported by Atte Kettunen of OUSPG on 2021-09-07
  • [1228557] Medium CVE-2021-37961: Use after free in Tab Strip. Reported by Khalil Zhani on 2021-07-13
  • [1231933] Medium CVE-2021-37962: Use after free in Performance Manager. Reported by Sri on 2021-07-22
  • [1199865] Medium CVE-2021-37963: Side-channel information leakage in DevTools. Reported by Daniel Genkin and Ayush Agarwal, University of Michigan, Eyal Ronen and Shaked Yehezkel, Tel Aviv University, Sioli O'Connell, University of Adelaide, and Jason Kim, Georgia Institute of Technology on 2021-04-16
  • [1203612] Medium CVE-2021-37964: Inappropriate implementation in ChromeOS Networking. Reported by Hugo Hue and Sze Yiu Chau of the Chinese University of Hong Kong on 2021-04-28
  • [1239709] Medium CVE-2021-37965: Inappropriate implementation in Background Fetch API. Reported by Maurice Dauer on 2021-08-13
  • [1238944] Medium CVE-2021-37966: Inappropriate implementation in Compositing. Reported by Mohit Raj (shadow2639) on 2021-08-11
  • [1243622] Medium CVE-2021-37967: Inappropriate implementation in Background Fetch API. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-26
  • [1245053] Medium CVE-2021-37968: Inappropriate implementation in Background Fetch API. Reported by Maurice Dauer on 2021-08-30
  • [1245879] Medium CVE-2021-37969: Inappropriate implementation in Google Updater. Reported by Abdelhamid Naceri (halov) on 2021-09-02
  • [1248030] Medium CVE-2021-37970: Use after free in File System API. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-09-09
  • [1219354] Low CVE-2021-37971: Incorrect security UI in Web Browser UI. Reported by Rayyan Bijoora on 2021-06-13
  • [1234259] Low CVE-2021-37972: Out of bounds read in libjpeg-turbo. Reported by Xu Hanyu and Lu Yutao from Panguite-Forensics-Lab of Qianxin on 2021-07-29
CVE-2021-37956 CVE-2021-37957 CVE-2021-37958 CVE-2021-37959 CVE-2021-37960 CVE-2021-37961 CVE-2021-37962 CVE-2021-37963 CVE-2021-37964 CVE-2021-37965 CVE-2021-37966 CVE-2021-37967 CVE-2021-37968 CVE-2021-37969 CVE-2021-37970 CVE-2021-37971 CVE-2021-37972 https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_21.html 2021-09-21 2021-09-21
libssh -- possible heap-buffer overflow vulnerability libssh 0.9.10.9.5

libssh security advisories:

The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called `secret_hash` and and the other `session_id`. Initially, both of them are the same, but after key re-exchange, previous `session_id` is kept and used as an input to new `secret_hash`.

Historically, both of these buffers had shared length variable, which worked as long as these buffers were same. But the key re-exchange operation can also change the key exchange method, which can be based on hash of different size, eventually creating `secret_hash` of different size than the `session_id` has.

This becomes an issue when the `session_id` memory is zeroized or when it is used again during second key re-exchange.

CVE-2021-3634 https://www.libssh.org/security/advisories/CVE-2021-3634.txt https://www.libssh.org/2021/08/26/libssh-0-9-6-security-release/ 2021-08-26 2021-09-21
Apache httpd -- multiple vulnerabilities apache24 2.4.49

The Apache project reports:

  • moderate: Request splitting via HTTP/2 method injection and mod_proxy (CVE-2021-33193)
  • moderate: NULL pointer dereference in httpd core (CVE-2021-34798)
  • moderate: mod_proxy_uwsgi out of bound read (CVE-2021-36160)
  • low: ap_escape_quotes buffer overflow (CVE-2021-39275)
  • high: mod_proxy SSRF (CVE-2021-40438)
CVE-2021-33193 CVE-2021-34798 CVE-2021-36160 CVE-2021-39275 CVE-2021-40438 http://httpd.apache.org/security/vulnerabilities_24.html 2021-09-16 2021-09-17 2021-09-28
cURL -- Multiple vulnerabilities curl 7.20.07.79.0

The cURL project reports:

  • UAF and double-free in MQTT sending (CVE-2021-22945)
  • Protocol downgrade required TLS bypassed (CVE-2021-22946)
  • STARTTLS protocol injection via MITM (CVE-2021-22945)
CVE-2021-22945 CVE-2021-22946 CVE-2021-22947 https://curl.se/docs/security.html 2021-09-15 2021-09-17 2021-09-28
libpano13 -- arbitrary memory access through format string vulnerability libpano13 2.9.20

libpano13 developers reports:

Fix crash and security issue caused by malformed filename prefix

CVE-2021-20307 https://nvd.nist.gov/vuln/detail/CVE-2021-20307 2021-05-04 2021-09-07
seatd-launch -- privilege escalation with SUID seatd 0.6.00.6.2

Kenny Levinsen reports:

seatd-launch used execlp, which reads the PATH environment variable to search for the requested executable, to execute seatd. This meant that the caller could freely control what executable was loaded by adding a user-writable directory to PATH.

If seatd-launch had the SUID bit set, this could be used by a malicious user with the ability to execute seatd-launch to mount a privilege escalation attack to the owner of seatd-launch, which is likely root.

https://lists.sr.ht/~kennylevinsen/seatd-announce/%3CGJ2IZQ.HCKS1J0LSI803%40kl.wtf%3E CVE-2021-41387 2021-09-15 2021-09-16 2021-09-18
chromium -- multiple vulnerabilities chromium 93.0.4577.82

Chrome Releases reports:

This release includes 11 security fixes, including:

  • [1237533] High CVE-2021-30625: Use after free in Selection API. Reported by Marcin Towalski of Cisco Talos on 2021-08-06
  • [1241036] High CVE-2021-30626: Out of bounds memory access in ANGLE. Reported by Jeonghoon Shin of Theori on 2021-08-18
  • [1245786] High CVE-2021-30627: Type Confusion in Blink layout. Reported by Aki Helin of OUSPG on 2021-09-01
  • [1241123] High CVE-2021-30628: Stack buffer overflow in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2021-08-18
  • [1243646] High CVE-2021-30629: Use after free in Permissions. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-08-26
  • [1244568] High CVE-2021-30630: Inappropriate implementation in Blink. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-30
  • [1246932] High CVE-2021-30631: Type Confusion in Blink layout. Reported by Atte Kettunen of OUSPG on 2021-09-06
  • [1247763] High CVE-2021-30632: Out of bounds write in V8. Reported by Anonymous on 2021-09-08
  • [1247766] High CVE-2021-30633: Use after free in Indexed DB API. Reported by Anonymous on 2021-09-08

Google is aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild.

CVE-2021-30625 CVE-2021-30626 CVE-2021-30627 CVE-2021-30628 CVE-2021-30629 CVE-2021-30630 CVE-2021-30631 CVE-2021-30632 CVE-2021-30633 https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html 2021-09-13 2021-09-14
Matrix clients -- several vulnerabilities cinny 1.2.1 element-web 1.8.3 nheko 0.8.2_2

Matrix developers report:

Today we are disclosing a critical security issue affecting multiple Matrix clients and libraries including Element (Web/Desktop/Android), FluffyChat, Nheko, Cinny, and SchildiChat.

Specifically, in certain circumstances it may be possible to trick vulnerable clients into disclosing encryption keys for messages previously sent by that client to user accounts later compromised by an attacker.

Exploiting this vulnerability to read encrypted messages requires gaining control over the recipient’s account. This requires either compromising their credentials directly or compromising their homeserver.

CVE-2021-40823 CVE-2021-40824 https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing 2021-08-23 2021-09-13
consul -- rpc: authorize raft requests consul 1.10.2 1.9.9 1.8.15

Hashicorp reports:

HashiCorp Consul Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation.

CVE-2021-37219 https://github.com/hashicorp/consul/releases/tag/v1.9.9 2021-08-27 2021-09-11
go -- archive/zip: overflow in preallocation check can cause OOM panic go 1.17.1,1

The Go project reports:

An oversight in the previous fix still allows for an OOM panic when the indicated directory size in the archive header is so large that subtracting it from the archive size overflows a uint64, effectively bypassing the check that the number of files in the archive is reasonable.

CVE-2021-39293 https://github.com/golang/go/issues/47801 2021-08-18 2021-09-10
Python -- multiple vulnerabilities python38 3.8.12

Python reports:

bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid a potential race condition.

bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.

bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.

bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function socket.inet_aton() treats leading zeros as octal notation. glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros.

https://docs.python.org/3.8/whatsnew/changelog.html#changelog 2021-08-30 2021-09-09
MPD5 PPPoE Server remotely exploitable crash mpd5 5.05.9_2

Version 5.9_2 contains security fix for PPPoE servers. Insufficient validation of incoming PPPoE Discovery request specially crafted by unauthenticated user might lead to unexpected termination of the process. The problem affects mpd versions since 5.0. Installations not using PPPoE server configuration were not affected.

http://mpd.sourceforge.net/doc5/mpd4.html#4 2021-09-04 2021-09-09
Python -- multiple vulnerabilities python36 3.6.15 python37 3.7.12

Python reports:

bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.

bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.

https://docs.python.org/3.6/whatsnew/changelog.html#changelog https://docs.python.org/3.7/whatsnew/changelog.html#changelog 2021-08-30 2021-09-07
WeeChat -- Crash when decoding a malformed websocket frame in relay plugin. weechat 3.2.1

The WeeChat project reports:

Crash when decoding a malformed websocket frame in relay plugin.

https://weechat.org/doc/security/ https://github.com/weechat/weechat/commit/8b1331f98de1714bae15a9ca2e2b393ba49d735b 2021-09-04 2021-09-05
py-matrix-synapse -- several vulnerabilities py36-matrix-synapse py37-matrix-synapse py38-matrix-synapse py39-matrix-synapse py310-matrix-synapse 1.41.1

Matrix developers report:

This release patches two moderate severity issues which could reveal metadata about private rooms:

  • CVE-2021-39164: Enumerating a private room's list of members and their display names.
  • CVE-2021-39163: Disclosing a private room's name, avatar, topic, and number of members.
ports/258187 CVE-2021-39164 CVE-2021-39163 https://matrix.org/blog/2021/08/31/synapse-1-41-1-released 2021-08-31 2021-09-02
Python -- multiple vulnerabilities python39 3.9.7

Python reports:

bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid a potential race condition.

bpo-41180: Add auditing events to the marshal module, and stop raising code.__init__ events for every unmarshalled code object. Directly instantiated code objects will continue to raise an event, and audit event handlers should inspect or collect the raw marshal data. This reduces a significant performance overhead when loading from .pyc files.

bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.

bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.

https://docs.python.org/release/3.9.7/whatsnew/changelog.html 2021-08-30 2021-09-02
chromium -- multiple vulnerabilities chromium 93.0.4577.63

Chrome Releases reports:

This release contains 27 security fixes, including:

  • [1233975] High CVE-2021-30606: Use after free in Blink. Reported by Nan Wang (@eternalsakura13) and koocola (@alo_cook) of 360 Alpha Lab on 2021-07-28
  • [1235949] High CVE-2021-30607: Use after free in Permissions. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-08-03
  • [1219870] High CVE-2021-30608: Use after free in Web Share. Reported by Huyna at Viettel Cyber Security on 2021-06-15
  • [1239595] High CVE-2021-30609: Use after free in Sign-In. Reported by raven (@raid_akame) on 2021-08-13
  • [1200440] High CVE-2021-30610: Use after free in Extensions API. Reported by Igor Bukanov from Vivaldi on 2021-04-19
  • [1233942] Medium CVE-2021-30611: Use after free in WebRTC. Reported by Nan Wang (@eternalsakura13) and koocola (@alo_cook) of 360 Alpha Lab on 2021-07-28
  • [1234284] Medium CVE-2021-30612: Use after free in WebRTC. Reported by Nan Wang (@eternalsakura13) and koocola (@alo_cook) of 360 Alpha Lab on 2021-07-29
  • [1209622] Medium CVE-2021-30613: Use after free in Base internals. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-16
  • [1207315] Medium CVE-2021-30614: Heap buffer overflow in TabStrip. Reported by Huinian Yang (@vmth6) of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-05-10
  • [1208614] Medium CVE-2021-30615: Cross-origin data leak in Navigation. Reported by NDevTK on 2021-05-12
  • [1231432] Medium CVE-2021-30616: Use after free in Media. Reported by Anonymous on 2021-07-21
  • [1226909] Medium CVE-2021-30617: Policy bypass in Blink. Reported by NDevTK on 2021-07-07
  • [1232279] Medium CVE-2021-30618: Inappropriate implementation in DevTools. Reported by @DanAmodio and @mattaustin from Contrast Security on 2021-07-23
  • [1235222] Medium CVE-2021-30619: UI Spoofing in Autofill. Reported by Alesandro Ortiz on 2021-08-02
  • [1063518] Medium CVE-2021-30620: Insufficient policy enforcement in Blink. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-03-20
  • [1204722] Medium CVE-2021-30621: UI Spoofing in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-04-30
  • [1224419] Medium CVE-2021-30622: Use after free in WebApp Installs. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2021-06-28
  • [1223667] Low CVE-2021-30623: Use after free in Bookmarks. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-06-25
  • [1230513] Low CVE-2021-30624: Use after free in Autofill. Reported by Wei Yuan of MoyunSec VLab on 2021-07-19
CVE-2021-30606 CVE-2021-30607 CVE-2021-30608 CVE-2021-30609 CVE-2021-30610 CVE-2021-30611 CVE-2021-30612 CVE-2021-30613 CVE-2021-30614 CVE-2021-30615 CVE-2021-30616 CVE-2021-30617 CVE-2021-30618 CVE-2021-30619 CVE-2021-30620 CVE-2021-30621 CVE-2021-30622 CVE-2021-30623 CVE-2021-30624 https://chromereleases.googleblog.com/2021/08/stable-channel-update-for-desktop_31.html 2021-08-31 2021-09-01
cyrus-imapd -- multiple-minute daemon hang via input that is mishandled during hash-table interaction cyrus-imapd34 3.4.2 cyrus-imapd32 3.2.8 cyrus-imapd30 3.0.16 cyrus-imapd25 cyrus-imapd24 cyrus-imapd23 0

Cyrus IMAP 3.4.2 Release Notes states:

Fixed CVE-2021-33582: Certain user inputs are used as hash table keys during processing. A poorly chosen string hashing algorithm meant that the user could control which bucket their data was stored in, allowing a malicious user to direct many inputs to a single bucket. Each subsequent insertion to the same bucket requires a strcmp of every other entry in it. At tens of thousands of entries, each new insertion could keep the CPU busy in a strcmp loop for minutes. The string hashing algorithm has been replaced with a better one, and now also uses a random seed per hash table, so malicious inputs cannot be precomputed.

CVE-2021-33582 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33582 2021-05-26 2021-09-01
Gitlab -- Vulnerabilities gitlab-ce 14.2.014.2.2 14.1.014.1.4 014.0.9

Gitlab reports:

Stored XSS in DataDog Integration

Invited group members continue to have project access even after invited group is deleted

Specially crafted requests to apollo_upload_server middleware leads to denial of service

Privilege escalation of an external user through project token

Missing access control allows non-admin users to add/remove Jira Connect Namespaces

User enumeration on private instances

Member e-mails can be revealed via project import/export feature

Stored XSS in Jira integration

Stored XSS in markdown via the Design reference

CVE-2021-22257 CVE-2021-22258 CVE-2021-22238 https://about.gitlab.com/releases/2021/08/31/security-release-gitlab-14-2-2-released/ 2021-08-31 2021-08-31
fetchmail -- STARTTLS bypass vulnerabilities fetchmail 6.4.22.r1

Problem:

In certain circumstances, fetchmail 6.4.21 and older would not encrypt the session using STARTTLS/STLS, and might not have cleared session state across the TLS negotiation.

CVE-2021-39272 https://www.fetchmail.info/fetchmail-SA-2021-02.txt 2021-08-10 2021-08-26
FreeBSD -- libfetch out of bounds read FreeBSD 13.013.0_4 12.212.2_10 11.411.4_13

Problem Description:

The passive mode in FTP communication allows an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for *p == '\0' one byte too late because p++ was already performed.

Impact:

The connection buffer size can be controlled by a malicious FTP server because the size is increased until a newline is encountered (or no more characters are read). This also allows to move the buffer into more interesting areas within the address space, potentially parsing relevant numbers for the attacker. Since these bytes become available to the server in form of a new TCP connection to a constructed port number or even part of the IPv6 address this is a potential information leak.

CVE-2021-36159 SA-21:15.libfetch 2021-08-24 2021-08-25
FreeBSD -- Remote code execution in ggatec(8) FreeBSD 13.013.0_4 12.212.2_10 11.411.4_13

Problem Description:

The ggatec(8) daemon does not validate the size of a response before writing it to a fixed-sized buffer. This allows to overwrite the stack of ggatec(8).

Impact:

A malicious ggated(8) or an attacker in a priviledged network position can overwrite the stack with crafted content and potentially execute arbitrary code.

CVE-2021-29630 SA-21:14.ggatec 2021-08-24 2021-08-25
FreeBSD -- Missing error handling in bhyve(8) device models FreeBSD 13.013.0_4 12.212.2_10 11.411.4_13

Problem Description:

Certain VirtIO-based device models failed to handle errors when fetching I/O descriptors. Such errors could be triggered by a malicious guest. As a result, the device model code could be tricked into operating on uninitialized I/O vectors, leading to memory corruption.

Impact:

A malicious guest may be able to crash the bhyve process. It may be possible to exploit the memory corruption bugs to achieve arbitrary code execution in the bhyve process.

CVE-2021-29631 SA-21:13.bhyve 2021-08-24 2021-08-25
OpenSSL -- multiple vulnerabilities openssl 1.1.1l,1 openssl-devel 3.0.0.b3 FreeBSD 13.013.0_4 12.212.2_10

The OpenSSL project reports:

SM2 Decryption Buffer Overflow (CVE-2021-3711: High)

Read buffer overruns processing ASN.1 strings (CVE-2021-3712: Moderate)

CVE-2021-3711 CVE-2021-3712 https://www.openssl.org/news/secadv/20210824.txt SA-21:16.openssl 2021-08-24 2021-08-24 2021-08-25
gitea -- multiple vulnerabilities gitea 1.15.0

The Gitea Team reports for release 1.15.0:

  • Encrypt LDAP bind password in db with SECRET_KEY (#15547)
  • Remove random password in Dockerfiles (#15362)
  • Upgrade to the latest version of golang-jwt and increase minimum go to 1.15 (#16590) (#16606)
  • Correctly create of git-daemon-export-ok files (#16508) (#16514)
  • Don't show private user's repo in explore view (#16550) (#16554)
  • Update node tar dependency to 6.1.6 (#16622) (#16623)
https://github.com/go-gitea/gitea/releases/tag/v1.15.0 ports/257994 2021-04-29 2021-08-22
gitea -- multiple vulnerabilities gitea 1.14.6

The Gitea Team reports for release 1.14.6:

  • Bump github.com/markbates/goth from v1.67.1 to v1.68.0 (#16538) (#16540)
  • Switch to maintained JWT lib (#16532) (#16535)
  • Upgrade to latest version of golang-jwt (as forked for 1.14) (#16590) (#16607)
https://github.com/go-gitea/gitea/releases/tag/v1.14.6 ports/257973 2021-07-24 2021-08-20
bouncycastle15 -- bcrypt password checking vulnerability bouncycastle15 1.651.67

The Bouncy Castle team reports:

The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

CVE-2020-28052 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28052 2020-11-02 2021-08-20
The Bouncy Castle Crypto APIs -- EC math vulnerability bouncycastle15 1.66 bouncycastle 1.66

The Bouncy Castle team reports::

Bouncy Castle BC Java before 1.66 has a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.

CVE-2020-15522 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522 2020-07-04 2021-08-20
binutils -- excessive debug section size can cause excessive memory consumption in bfd's dwarf2.c read_section() binutils 2.33.1_5

Hao Wang reports:

There's a flaw in the BFD library of binutils in versions before 2.36. An attacker who supplies a crafted file to an application linked with BFD, and using the DWARF functionality, could cause an impact to system availability by way of excessive memory consumption.

CVE-2021-3487 https://sourceware.org/bugzilla/show_bug.cgi?id=26946 2020-11-25 2021-08-13
chromium -- multiple vulnerabilities chromium 92.0.4515.159

Chrome Releases reports:

This release contains 9 security fixes, including:

  • [1234764] High CVE-2021-30598: Type Confusion in V8. Reported by Manfred Paul on 2021-07-30
  • [1234770] High CVE-2021-30599: Type Confusion in V8. Reported by Manfred Paul on 2021-07-30
  • [1231134] High CVE-2021-30600: Use after free in Printing. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-07-20
  • [1234009] High CVE-2021-30601: Use after free in Extensions API. Reported by koocola(@alo_cook) and Nan Wang(@eternalsakura13) of 360 Alpha Lab on 2021-07-28
  • [1230767] High CVE-2021-30602: Use after free in WebRTC. Reported by Marcin Towalski of Cisco Talos on 2021-07-19
  • [1233564] High CVE-2021-30603: Race in WebAudio. Reported by Sergei Glazunov of Google Project Zero on 2021-07-27
  • [1234829] High CVE-2021-30604: Use after free in ANGLE. Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on 2021-07-30
CVE-2021-30598 CVE-2021-30599 CVE-2021-30600 CVE-2021-30601 CVE-2021-30602 CVE-2021-30603 CVE-2021-30604 https://chromereleases.googleblog.com/2021/08/stable-channel-update-for-desktop.html 2021-08-16 2021-08-17
lynx -- SSL certificate validation error ja-lynx 2.8.10 ja-lynx-current 2.9.0d9 lynx 2.8.10 lynx-current 2.9.0d9

Axel Beckert reports:

[...] I was able to capture the password given on the commandline in traffic of an TLS handshake using tcpdump and analysing it with Wireshark: [...]

https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00002.html 2021-08-07 2021-08-14 2021-08-15
PostgreSQL server -- Memory disclosure in certain queries postgresql13-server 13.4 postgresql12-server 12.8 postgresql11-server 11.13

The PostgreSQL Project reports:

A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include max_worker_processes=0, the known versions of this attack are infeasible. However, undiscovered variants of the attack may be independent of that setting.

CVE-2021-3677 https://www.postgresql.org/support/security/CVE-2021-3677/ 2021-08-12 2021-08-12
xtrlock -- xtrlock does not block multitouch events xtrlock 2.12

Debian reports:

xtrlock did not block multitouch events so an attacker could still input and thus control various programs such as Chromium, etc. via so-called "multitouch" events including pan scrolling, "pinch and zoom" or even being able to provide regular mouse clicks by depressing the touchpad once and then clicking with a secondary finger.

CVE-2016-10894 https://lists.debian.org/debian-lts-announce/2019/10/msg00019.html 2016-07-10 2021-08-09
x11/cde -- Local privilege escalation via CDE dtsession cde 2.4.0

Marco Ivaldi (marco.ivaldi () mediaservice net) reports:

A buffer overflow in the CheckMonitor() function in the Common Desktop Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long palette name passed to dtsession in a malicious .Xdefaults file.

CVE-2020-2696 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2696 2020-01-15 2021-08-09
go -- net/http: panic due to racy read of persistConn after handler panic go 1.16.7,1

The Go project reports:

A net/http/httputil ReverseProxy can panic due to a race condition if its Handler aborts with ErrAbortHandler, for example due to an error in copying the response body. An attacker might be able to force the conditions leading to the race condition.

CVE-2021-36221 https://github.com/golang/go/issues/46866 2021-06-21 2021-08-05
Gitlab -- Gitlab gitlab-ce 14.1.014.1.2 14.0.014.0.7 013.12.9

Gitlab reports:

Stored XSS in Mermaid when viewing Markdown files

Stored XSS in default branch name

Perform Git actions with an impersonation token even if impersonation is disabled

Tag and branch name confusion allows Developer to access protected CI variables

New subscriptions generate OAuth tokens on an incorrect OAuth client application

Ability to list and delete impersonation tokens for your own user

Pipelines page is partially visible for users that have no right to see CI/CD

Improper email validation on an invite URL

Unauthorised user was able to add meta data upon issue creation

Unauthorized user can trigger deployment to a protected environment

Guest in private project can see CI/CD Analytics

Guest users can create issues for Sentry errors and track their status

Private user email disclosure via group invitation

Projects are allowed to add members with email address domain that should be blocked by group settings

Misleading username could lead to impersonation in using SSH Certificates

Unauthorized user is able to access and view project vulnerability reports

Denial of service in repository caused by malformed commit author

CVE-2021-22237 CVE-2021-22236 CVE-2021-22239 https://about.gitlab.com/releases/2021/08/03/security-release-gitlab-14-1-2-released/ 2021-08-03 2021-08-04
Prosody -- Remote Information Disclosure prosody 0.11.10

A Prosody XMPP server advisory reports:

It was discovered that Prosody allows any entity to access the list of admins, members, owners and banned entities of any federated XMPP group chat of which they know the address.

CVE-2021-37601 https://prosody.im/security/advisory_20210722/ 2021-07-22 2021-08-03
chromium -- multiple vulnerabilities chromium 92.0.4515.131

Chrome Releases reports:

This release contains 10 security fixes, including:

  • [1227777] High CVE-2021-30590: Heap buffer overflow in Bookmarks. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-07-09
  • [1229298] High CVE-2021-30591: Use after free in File System API. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-07-14
  • [1209469] High CVE-2021-30592: Out of bounds write in Tab Groups. Reported by David Erceg on 2021-05-15
  • [1209616] High CVE-2021-30593: Out of bounds read in Tab Strip. Reported by David Erceg on 2021-05-16
  • [1218468] High CVE-2021-30594: Use after free in Page Info UI. Reported by raven (@raid_akame) on 2021-06-10
  • [1214481] Medium CVE-2021-30596: Incorrect security UI in Navigation. Reported by Mohit Raj (shadow2639) on 2021-05-29
  • [1232617] Medium CVE-2021-30597: Use after free in Browser UI. Reported by raven (@raid_akame) on 2021-07-24
CVE-2021-30590 CVE-2021-30591 CVE-2021-30592 CVE-2021-30593 CVE-2021-30594 CVE-2021-30596 CVE-2021-30597 https://chromereleases.googleblog.com/search/label/Stable%20updates 2021-08-02 2021-08-03
RabbitMQ -- Denial of Service in AMQP1.0 plugin rabbitmq 3.8.16

Pivotal.io reports:

All versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in AMQP 1.0 client connection endpoint.

CVE-2016-9877 https://tanzu.vmware.com/security/cve-2021-22116 https://github.com/rabbitmq/rabbitmq-server/releases/tag/v3.8.19 2021-05-10 2021-05-10
tomcat -- HTTP request smuggling in multiple versions tomcat85 8.5.08.5.66 tomcat9 9.0.09.0.46 tomcat10 10.0.010.0.6

Bahruz Jabiyev, Steven Sprecher and Kaan Onarlioglu of NEU seclab reports:

Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response; Tomcat honoured the identify encoding; and Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

CVE-2021-33037 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037 2021-05-07 2021-08-01
tomcat -- JNDI Realm Authentication Weakness in multiple versions tomcat7 7.0.07.0.108 tomcat85 8.5.08.5.65 tomcat9 9.0.09.0.45 tomcat10 10.0.010.0.5

ilja.farber reports:

Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data (eg user names) as well as configuration data provided by an administrator. In limited circumstances it was possible for users to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm.

CVE-2021-30640 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640 2021-04-08 2021-08-01
tomcat -- Remote Denial of Service in multiple versions tomcat85 8.5.64 tomcat9 9.0.44 tomcat10 10.0.310.0.4

rbeaudry reports:

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS.

Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.

CVE-2021-30639 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30639 2021-03-24 2021-08-01
fetchmail -- 6.4.19 and older denial of service or information disclosure fetchmail 6.3.9 6.3.176.4.20

Matthias Andree reports:

When a log message exceeds c. 2 kByte in size, for instance, with very long header contents, and depending on verbosity option, fetchmail can crash or misreport each first log message that requires a buffer reallocation.

CVE-2021-36386 CVE-2008-2711 https://sourceforge.net/p/fetchmail/mailman/message/37327392/ 2021-07-07 2021-07-28 2021-08-03
redis -- Integer overflow issues with BITFIELD command on 32-bit systems redis 6.0.15 redis-devel 6.2.5 redis5 5.0.13

Huang Zhw reports:

On 32-bit versions, Redis BITFIELD command is vulnerable to integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves constructing specially crafted bit commands which overflow the bit offset.

This problem only affects 32-bit versions of Redis.

CVE-2021-32761 https://github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj 2021-07-04 2021-07-27
powerdns -- remotely triggered crash powerdns 4.5.0

powerdns reports:

PowerDNS Security Advisory 2021-01: Specific query crashes Authoritative Server

CVE-2021-36754 https://blog.powerdns.com/2021/07/26/security-advisory-2021-01-for-powerdns-authoritative-server-4-5-0/ 2021-07-26 2021-07-27
mosquitto -- NULL pointer dereference mosquitto 2.0.02.0.10

Roger Light reports:

If an authenticated client connected with MQTT v5 sent a malformed CONNACK message to the broker a NULL pointer dereference occurred, most likely resulting in a segfault.

(Note: a CVE is referenced in the github commit but it appears to be for a python-bleach vulnerability so it is not included here.)

https://github.com/eclipse/mosquitto/blob/d5ecd9f5aa98d42e7549eea09a71a23eef241f31/ChangeLog.txt 2021-04-10 2021-07-24
pjsip -- Race condition in SSL socket server pjsip 2.11.1

pjsip reports:

There are a couple of issues found in the SSL socket:

  • A race condition between callback and destroy, due to the accepted socket having no group lock.
  • SSL socket parent/listener may get destroyed during handshake.
CVE-2021-32686 https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr 2021-07-23 2021-07-23
asterisk -- pjproject/pjsip: crash when SSL socket destroyed during handshake asterisk13 13.38.3 asterisk16 16.19.1 asterisk18 18.5.1

The Asterisk project reports:

Depending on the timing, it's possible for Asterisk to crash when using a TLS connection if the underlying socket parent/listener gets destroyed during the handshake.

CVE-2021-32686 https://downloads.asterisk.org/pub/security/AST-2021-009.html 2021-05-05 2021-07-23
asterisk -- Remote crash when using IAX2 channel driver asterisk13 13.38.3 asterisk16 16.19.1 asterisk18 18.5.1

The Asterisk project reports:

If the IAX2 channel driver receives a packet that contains an unsupported media format it can cause a crash to occur in Asterisk.

CVE-2021-32558 https://downloads.asterisk.org/pub/security/AST-2021-008.html 2021-04-13 2021-07-23
asterisk -- Remote Crash Vulnerability in PJSIP channel driver asterisk16 16.17.016.19.1 asterisk18 18.3.018.5.1

The Asterisk project reports:

When Asterisk receives a re-INVITE without SDP after having sent a BYE request a crash will occur. This occurs due to the Asterisk channel no longer being present while code assumes it is.

CVE-2021-31878 https://downloads.asterisk.org/pub/security/AST-2021-007.html 2021-04-06 2021-07-23
chromium -- multiple vulnerabilities chromium 92.0.4515.107

Chrome Releases reports:

This release contains 35 security fixes, including:

  • ][1210985] High CVE-2021-30565: Out of bounds write in Tab Groups. Reported by David Erceg on 2021-05-19
  • [1202661] High CVE-2021-30566: Stack buffer overflow in Printing. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-04-26
  • [1211326] High CVE-2021-30567: Use after free in DevTools. Reported by DDV_UA on 2021-05-20
  • [1219886] High CVE-2021-30568: Heap buffer overflow in WebGL. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-06-15
  • [1218707] High CVE-2021-30569: Use after free in sqlite. Reported by Chris Salls (@salls) of Makai Security on 2021-06-11
  • [1101897] High CVE-2021-30571: Insufficient policy enforcement in DevTools. Reported by David Erceg on 2020-07-03
  • [1214234] High CVE-2021-30572: Use after free in Autofill. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-05-28
  • [1216822] High CVE-2021-30573: Use after free in GPU. Reported by Security For Everyone Team - https://securityforeveryone.com on 2021-06-06
  • [1227315] High CVE-2021-30574: Use after free in protocol handling. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-07-08
  • [1213313] Medium CVE-2021-30575: Out of bounds read in Autofill. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-05-26
  • [1194896] Medium CVE-2021-30576: Use after free in DevTools. Reported by David Erceg on 2021-04-01
  • [1204811] Medium CVE-2021-30577: Insufficient policy enforcement in Installer. Reported by Jan van der Put (REQON B.V) on 2021-05-01
  • [1201074] Medium CVE-2021-30578: Uninitialized Use in Media. Reported by Chaoyuan Peng on 2021-04-21
  • [1207277] Medium CVE-2021-30579: Use after free in UI framework. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-05-10
  • [1189092] Medium CVE-2021-30580: Insufficient policy enforcement in Android intents. Reported by @retsew0x01 on 2021-03-17
  • [1194431] Medium CVE-2021-30581: Use after free in DevTools. Reported by David Erceg on 2021-03-31
  • [1205981] Medium CVE-2021-30582: Inappropriate implementation in Animation. Reported by George Liu on 2021-05-05
  • [1179290] Medium CVE-2021-30583: Insufficient policy enforcement in image handling on Windows. Reported by Muneaki Nishimura (nishimunea) on 2021-02-17
  • [1213350] Medium CVE-2021-30584: Incorrect security UI in Downloads. Reported by @retsew0x01 on 2021-05-26
  • [1023503] Medium CVE-2021-30585: Use after free in sensor handling. Reported by niarci on 2019-11-11
  • [1201032] Medium CVE-2021-30586: Use after free in dialog box handling on Windows. Reported by kkomdal with kkwon and neodal on 2021-04-21
  • [1204347] Medium CVE-2021-30587: Inappropriate implementation in Compositing on Windows. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-04-30
  • [1195650] Low CVE-2021-30588: Type Confusion in V8. Reported by Jose Martinez (tr0y4) from VerSprite Inc. on 2021-04-04
  • [1180510] Low CVE-2021-30589: Insufficient validation of untrusted input in Sharing. Reported by Kirtikumar Anandrao Ramchandani (@Kirtikumar_A_R) and Patrick Walker (@homesen) on 2021-02-20
CVE-2021-30565 CVE-2021-30566 CVE-2021-30567 CVE-2021-30568 CVE-2021-30569 CVE-2021-30571 CVE-2021-30572 CVE-2021-30573 CVE-2021-30574 CVE-2021-30575 CVE-2021-30576 CVE-2021-30577 CVE-2021-30578 CVE-2021-30579 CVE-2021-30580 CVE-2021-30581 CVE-2021-30582 CVE-2021-30583 CVE-2021-30584 CVE-2021-30585 CVE-2021-30586 CVE-2021-30587 CVE-2021-30588 CVE-2021-30589 https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop_20.html 2021-07-20 2021-07-21
cURL -- Multiple vulnerabilities curl 7.78.0

The cURL project reports:

CURLOPT_SSLCERT mixup with Secure Transport (CVE-2021-22926)

TELNET stack contents disclosure again (CVE-2021-22925)

Bad connection reuse due to flawed path name checks (CVE-2021-92254)

Metalink download sends credentials (CVE-2021-92253)

Wrong content via metalink not discarded (CVE-2021-92252)

CVE-2021-22922 CVE-2021-22923 CVE-2021-22924 CVE-2021-22925 CVE-2021-22926 https://curl.se/docs/vuln-7.77.0.html 2021-07-21 2021-07-21
MySQL -- Multiple vulnerabilities mysql57-server 5.7.35 mysql80-server 8.0.26 mariadb103-server 10.3.31 mariadb104-server 10.4.21 mariadb105-server 10.5.12

Oracle reports:

This Critical Patch Update contains 41 new security patches for Oracle MySQL. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 8.8.

MariaDB is affected by CVE-2021-2372 and CVE-2021-2389 only.

https://www.oracle.com/security-alerts/cpujul2021.html CVE-2019-17543 CVE-2021-2339 CVE-2021-2340 CVE-2021-2342 CVE-2021-2352 CVE-2021-2354 CVE-2021-2356 CVE-2021-2357 CVE-2021-2367 CVE-2021-2370 CVE-2021-2372 CVE-2021-2374 CVE-2021-2383 CVE-2021-2384 CVE-2021-2385 CVE-2021-2387 CVE-2021-2389 CVE-2021-2390 CVE-2021-2399 CVE-2021-2402 CVE-2021-2410 CVE-2021-2411 CVE-2021-2412 CVE-2021-2417 CVE-2021-2418 CVE-2021-2422 CVE-2021-2424 CVE-2021-2425 CVE-2021-2426 CVE-2021-2427 CVE-2021-2429 CVE-2021-2437 CVE-2021-2440 CVE-2021-2441 CVE-2021-2444 CVE-2021-3450 CVE-2021-22884 CVE-2021-22901 2021-07-20 2021-07-20 2021-08-04
gitea -- multiple vulnerabilities gitea 1.14.5

The Gitea Team reports for release 1.14.5:

  • Hide mirror passwords on repo settings page (#16022) (#16355)
  • Update bluemonday to v1.0.15 (#16379) (#16380)
https://github.com/go-gitea/gitea/releases/tag/v1.14.5 ports/257221 2021-05-16 2021-07-18
chromium -- multiple vulnerabilities chromium 91.0.4472.164

Chrome Releases reports:

This release contains 8 security fixes, including:

  • [1219082] High CVE-2021-30559: Out of bounds write in ANGLE. Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on 2021-06-11
  • [1214842] High CVE-2021-30541: Use after free in V8. Reported by Richard Wheeldon on 2021-05-31
  • [1219209] High CVE-2021-30560: Use after free in Blink XSLT. Reported by Nick Wellnhofer on 2021-06-12
  • [1219630] High CVE-2021-30561: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2021-06-14
  • [1220078] High CVE-2021-30562: Use after free in WebSerial. Reported by Anonymous on 2021-06-15
  • [1228407] High CVE-2021-30563: Type Confusion in V8. Reported by Anonymous on 2021-07-12
  • [1221309] Medium CVE-2021-30564: Heap buffer overflow in WebXR. Reported by Ali Merchant, iQ3Connect VR Platform on 2021-06-17

Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild.

CVE-2021-30541 CVE-2021-30559 CVE-2021-30560 CVE-2021-30561 CVE-2021-30562 CVE-2021-30563 CVE-2021-30564 https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html 2021-07-15 2021-07-16
Ruby -- multiple vulnerabilities ruby26 2.6.8,1 ruby 2.7.4,1 ruby30 3.0.2,1

Ruby news:

This release includes security fixes. Please check the topics below for details.

CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP

CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP

CVE-2021-31799: A command injection vulnerability in RDoc

CVE-2021-31799 CVE-2021-31810 CVE-2021-32066 https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released/ https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/ https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released/ https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/ https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/ https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/ 2021-07-07 2021-07-14
go -- crypto/tls: clients can panic when provided a certificate of the wrong type for the negotiated parameters go 1.16.6,1

The Go project reports:

crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters. net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.

CVE-2021-34558 https://github.com/golang/go/issues/47143 2021-07-07 2021-07-12
mantis -- multiple vulnerabilities mantis-php73 mantis-php74 mantis-php80 2.25.2,1

Mantis 2.25.1 and 2.25.2 releases report:

Security and maintenance release, PHPMailer update to 6.5.0

  • 0028552: XSS in manage_custom_field_edit_page.php (CVE-2021-33557)
  • 0028821: Update PHPMailer to 6.5.0 (CVE-2021-3603, CVE-2020-36326)
CVE-2021-33557 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-33557 CVE-2021-3603 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3603 CVE-2020-36326 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-36326 2021-04-28 2021-07-09
Gitlab -- vulnerability gitlab-ce 14.0.014.0.4 13.12.013.12.8 13.11.013.11.7

Gitlab reports:

Arbitrary file read via design feature

https://about.gitlab.com/releases/2021/07/07/critical-security-release-gitlab-14-0-4-released/ 2021-07-07 2021-07-08
Exiv2 -- Multiple vulnerabilities exiv2 0.27.4,1

Exiv2 teams reports:

Multiple vulnerabilities covering buffer overflows, out-of-bounds, read of uninitialized memory and denial of serivce. The heap overflow is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. The read of uninitialized memory is triggered when Exiv2 is used to read the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to leak a few bytes of stack memory, if they can trick the victim into running Exiv2 on a crafted image file.

CVE-2021-29457 https://github.com/Exiv2/exiv2/security/advisories/GHSA-v74w-h496-cgqm CVE-2021-29458 https://github.com/Exiv2/exiv2/security/advisories/GHSA-57jj-75fm-9rq5 CVE-2021-29463 https://github.com/Exiv2/exiv2/security/advisories/GHSA-5p8g-9xf3-gfrr CVE-2021-29464 https://github.com/Exiv2/exiv2/security/advisories/GHSA-jgm9-5fw5-pw9p CVE-2021-29470 https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj CVE-2021-29473 https://github.com/Exiv2/exiv2/security/advisories/GHSA-7569-phvm-vwc2 CVE-2021-29623 https://github.com/Exiv2/exiv2/security/advisories/GHSA-6253-qjwm-3q4v CVE-2021-32617 https://github.com/Exiv2/exiv2/security/advisories/GHSA-w8mv-g8qq-36mj CVE-2021-3482 https://github.com/Exiv2/exiv2/security/advisories/GHSA-9jp9-m3fv-2vg9 2021-04-25 2021-06-30
openexr v3.0.5 -- fixes miscellaneous security issues openexr 3.0.5

Cary Phillips reports:

  • 1038 fix/extend part number validation in MultiPart methods
  • 1037 verify data size in deepscanlines with NO_COMPRESSION
  • 1036 detect buffer overflows in RleUncompress
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.0.5 2021-06-03 2021-07-02
Gitlab -- Multiple Vulnerabilities gitlab-ce 14.0.014.0.2 13.12.013.12.6 8.0.013.11.6

Gitlab reports:

DoS using Webhook connections

CSRF on GraphQL API allows executing mutations through GET requests

Private projects information disclosure

Denial of service of user profile page

Single sign-on users not getting blocked

Some users can push to Protected Branch with Deploy keys

A deactivated user can access data through GraphQL

Reflected XSS in release edit page

Clipboard DOM-based XSS

Stored XSS on Audit Log

Forks of public projects by project members could leak codebase

Improper text rendering

HTML Injection in full name field

https://about.gitlab.com/releases/2021/07/01/security-release-gitlab-14-0-2-released/ 2021-07-01 2021-07-02
jenkins -- multiple vulnerabilities jenkins 2.300 jenkins-lts 2.289.2

Jenkins Security Advisory:

Description

(Medium) SECURITY-2278 / CVE-2021-21670

Improper permission checks allow canceling queue items and aborting builds

(High) SECURITY-2371 / CVE-2021-21671

Session fixation vulnerability

CVE-2021-21670 CVE-2021-21671 https://www.jenkins.io/security/advisory/2021-06-30/ 2021-06-30 2021-07-01
RabbitMQ -- Denial of Service via improper input validation rabbitmq 3.8.16

Jonathon Knudsen of Synopsys Cybersecurity Research Center reports:

All versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in AMQP 1.0 client connection endpoint. A malicious client can exploit the vulnerability by sending malicious AMQP messages to the target RabbitMQ instance having the AMQP 1.0 plugin enabled.

CVE-2021-22116 https://tanzu.vmware.com/security/cve-2021-22116 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22116 2021-05-10 2021-06-28
RabbitMQ-C -- integer overflow leads to heap corruption rabbitmq-c rabbitmq-c-devel 0.10.0

alanxz reports:

When parsing a frame header, validate that the frame_size is less than or equal to INT32_MAX. Given frame_max is limited between 0 and INT32_MAX in amqp_login and friends, this does not change the API. This prevents a potential buffer overflow when a malicious client sends a frame_size that is close to UINT32_MAX, in which causes an overflow when computing state->target_size resulting in a small value there. A buffer is then allocated with the small amount, then memcopy copies the frame_size writing to memory beyond the end of the buffer.

CVE-2019-18609 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18609 2019-10-29 2021-06-25
PuppetDB -- SQL Injection puppetdb6 6.17.0 puppetdb7 7.4.1

Puppet reports:

Fixed an issue where someone with the ability to query PuppetDB could arbitrarily write, update, or delete data CVE-2021-27021 PDB-5138.

CVE-2021-27021 https://puppet.com/security/cve/cve-2021-27021/ https://tickets.puppetlabs.com/browse/PDB-5138 2021-06-24 2021-06-25
Ansible -- Templating engine bug py36-ansible-core py37-ansible-core py38-ansible-core py39-ansible-core 2.11.2 py36-ansible-base py37-ansible-base py38-ansible-base py39-ansible-base 2.10.11 py36-ansible2 py37-ansible2 py38-ansible2 py39-ansible2 2.9.23 py36-ansible py37-ansible py38-ansible py39-ansible 2.9.23

Ansible developers report:

Templating engine fix for not preserving usnafe status when trying to preserve newlines.

CVE-2021-3583 https://github.com/ansible/ansible/blob/stable-2.11/changelogs/CHANGELOG-v2.11.rst#security-fixes https://github.com/ansible/ansible/blob/stable-2.10/changelogs/CHANGELOG-v2.10.rst#security-fixes https://github.com/ansible/ansible/pull/74960 https://groups.google.com/g/ansible-announce/c/tmIgD1DpZJg 2021-06-10 2021-06-24 2021-06-25
dovecot-pigeonhole -- Sieve excessive resource usage dovecot-pigeonhole 0.5.15

Dovecot team reports reports:

Sieve interpreter is not protected against abusive scripts that claim excessive resource usage. Fixed by limiting the user CPU time per single script execution and cumulatively over several script runs within a configurable timeout period. Sufficiently large CPU time usage is summed in the Sieve script binary and execution is blocked when the sum exceeds the limit within that time. The block is lifted when the script is updated after the resource usage times out.

CVE-2020-28200 https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html 2020-09-23 2021-06-22
dovecot -- multiple vulnerabilities dovecot 2.3.112.3.14.1

Dovecot team reports:

CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens in some configurations. This requires attacker to be able to write files to local disk.

CVE-2021-33515: On-path attacker could inject plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client. Only the SMTP submission service is affected.

CVE-2021-29157 https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html CVE-2021-33515 https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html 2021-03-22 2021-06-22
gitea -- multiple vulnerabilities gitea 1.14.3

The Gitea Team reports for release 1.14.3:

  • Encrypt migration credentials at rest (#15895) (#16187)
  • Only check access tokens if they are likely to be tokens (#16164) (#16171)
  • Add missing SameSite settings for the i_like_gitea cookie (#16037) (#16039)
  • Fix setting of SameSite on cookies (#15989) (#15991)
https://github.com/go-gitea/gitea/releases/tag/v1.14.3 ports/256720 2021-05-16 2021-06-19
chromium -- multiple vulnerabilities chromium 91.0.4472.114

Chrome Releases reports:

This release includes 4 security fixes, including:

  • [1219857] High CVE-2021-30554: Use after free in WebGL. Reported by anonymous on 2021-06-15
  • [1215029] High CVE-2021-30555: Use after free in Sharing. Reported by David Erceg on 2021-06-01
  • [1212599] High CVE-2021-30556: Use after free in WebAudio. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-24
  • [1202102] High CVE-2021-30557: Use after free in TabGroups. Reported by David Erceg on 2021-04-23
CVE-2021-30554 CVE-2021-30555 CVE-2021-30556 CVE-2021-30557 https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html 2021-06-17 2021-06-18
ircII -- denial of service ircii 20210314

Michael Ortmann reports:

ircii has a bug in parsing CTCP UTC messages.

Its unknown if this could also be used for arbitrary code execution.

CVE-2021-29376 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29376 2021-03-02 2021-03-30
Apache httpd -- Multiple vulnerabilities apache24 2.4.48

The Apache httpd reports:

  • moderate: mod_proxy_wstunnel tunneling of non Upgraded connections (CVE-2019-17567)
  • moderate: Improper Handling of Insufficient Privileges (CVE-2020-13938)
  • low: mod_proxy_http NULL pointer dereference (CVE-2020-13950)
  • low: mod_auth_digest possible stack overflow by one nul byte (CVE-2020-35452)
  • low: mod_session NULL pointer dereference (CVE-2021-26690)
  • low: mod_session response handling heap overflow (CVE-2021-26691)
  • moderate: Unexpected URL matching with 'MergeSlashes OFF' (CVE-2021-30641)
  • important: NULL pointer dereference on specially crafted HTTP/2 request (CVE-2021-31618)
CVE-2019-17567 CVE-2020-13938 CVE-2020-13950 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641 CVE-2021-31618 https://httpd.apache.org/security/vulnerabilities_24.html 2021-06-09 2021-06-10
dragonfly -- argument injection rubygem-dragonfly 2.4.0

NVD reports:

An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.

CVE-2021-33564 https://nvd.nist.gov/vuln/detail/CVE-2021-33564 https://github.com/mlr0p/CVE-2021-33564 https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33564 2021-05-24 2021-06-11
cacti -- SQL Injection was possible due to incorrect validation order cacti 1.21.2.17

Cati team reports:

Due to a lack of validation, data_debug.php can be the source of a SQL injection.

CVE-2020-35701 https://github.com/Cacti/cacti/issues/4022 2020-12-24 2021-06-10 2021-06-24
chromium -- multiple vulnerabilities chromium 91.0.4472.101

Chrome Releases reports:

This release contains 14 security fixes, including:

  • [1212618] Critical CVE-2021-30544: Use after free in BFCache. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-05-24
  • [1201031] High CVE-2021-30545: Use after free in Extensions. Reported by kkwon with everpall and kkomdal on 2021-04-21
  • [1206911] High CVE-2021-30546: Use after free in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-05-08
  • [1210414] High CVE-2021-30547: Out of bounds write in ANGLE. Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on 2021-05-18
  • [1210487] High CVE-2021-30548: Use after free in Loader. Reported by Yangkang(@dnpushme) & Wanglu of Qihoo360 Qex Team on 2021-05-18
  • [1212498] High CVE-2021-30549: Use after free in Spell check. Reported by David Erceg on 2021-05-23
  • [1212500] High CVE-2021-30550: Use after free in Accessibility. Reported by David Erceg on 2021-05-23
  • [1216437] High CVE-2021-30551: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2021-06-04
  • [1200679] Medium CVE-2021-30552: Use after free in Extensions. Reported by David Erceg on 2021-04-20
  • [1209769] Medium CVE-2021-30553: Use after free in Network service. Reported by Anonymous on 2021-05-17

Google is aware that an exploit for CVE-2021-30551 exists in the wild.

CVE-2021-30544 CVE-2021-30545 CVE-2021-30546 CVE-2021-30547 CVE-2021-30548 CVE-2021-30549 CVE-2021-30550 CVE-2021-30551 CVE-2021-30552 CVE-2021-30553 https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html 2021-06-10 2021-06-10
dino -- Path traversal in Dino file transfers dino 0.2.1

Dino team reports:

It was discovered that when a user receives and downloads a file in Dino, URI-encoded path separators in the file name will be decoded, allowing an attacker to traverse directories and create arbitrary files in the context of the user.

CVE-2021-33896 https://marc.info/?l=oss-security&m=162308719412719 https://dino.im/security/cve-2021-33896/ 2021-06-07 2021-06-08
pglogical -- shell command injection in pglogical.create_subscription() pglogical 2.3.4

2ndQuadrant reports:

  • Fix pg_dump/pg_restore execution (CVE-2021-3515)

    Correctly escape the connection string for both pg_dump and pg_restore so that exotic database and user names are handled correctly.

    Reported by Pedro Gallegos
CVE-2021-3515 https://github.com/2ndQuadrant/pglogical/releases/tag/REL2_3_4 https://bugzilla.redhat.com/show_bug.cgi?id=1954112 2021-06-01 2021-06-06
drupal7 -- fix possible CSS drupal7 7.07.80

Drupal Security team reports:

Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.

CVE-2020-13672 2021-04-21 2021-06-06
polkit -- local privilege escalation using polkit_system_bus_name_get_creds_sync polkit 0.119

Cedric Buissart reports:

The function polkit_system_bus_name_get_creds_sync is used to get the uid and pid of the process requesting the action. It does this by sending the unique bus name of the requesting process, which is typically something like ":1.96", to dbus-daemon. These unique names are assigned and managed by dbus-daemon and cannot be forged, so this is a good way to check the privileges of the requesting process.

The vulnerability happens when the requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts. In this scenario, the unique bus name is no longer valid, so dbus-daemon sends back an error reply. This error case is handled in polkit_system_bus_name_get_creds_sync by setting the value of the error parameter, but it still returns TRUE, rather than FALSE. This behavior means that all callers of polkit_system_bus_name_get_creds_sync need to carefully check whether an error was set. If the calling function forgets to check for errors then it will think that the uid of the requesting process is 0 (because the AsyncGetBusNameCredsData struct is zero initialized). In other words, it will think that the action was requested by a root process, and will therefore allow it.

CVE-2021-3560 https://seclists.org/oss-sec/2021/q2/180 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3560 https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a 2021-06-03 2021-06-04
SOGo -- SAML user authentication impersonation sogo 5.1.1 sogo-activesync 5.1.1 sogo2 2.4.1 sogo2-activesync 2.4.1

sogo.nu reports:

SOGo was not validating the signatures of any SAML assertions it received.

This means any actor with network access to the deployment could impersonate

users when SAML was the authentication method.

CVE-2021-33054 https://www.sogo.nu/news/2021/saml-vulnerability.html https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html 2021-06-01 2021-06-02
tauthon -- Regular Expression Denial of Service tauthon 2.8.3

The :class:`~urllib.request.AbstractBasicAuthHandler` class of the :mod:`urllib.request` module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service

CVE-2020-8492 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8492 2020-01-30 2021-06-04
lasso -- signature checking failure lasso 2.7.0

entrouvert reports:

When AuthnResponse messages are not signed (which is permitted by the specifiation), all assertion's signatures should be checked, but currently after the first signed assertion is checked all following assertions are accepted without checking their signature, and the last one is considered the main assertion.

CVE-2021-28091 https://git.entrouvert.org/lasso.git/tree/NEWS?id=v2.7.0 2021-06-01 2021-06-01
go -- multiple vulnerabilities go 1.16.5,1

The Go project reports:

The SetString and UnmarshalText methods of math/big.Rat may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents.

ReverseProxy in net/http/httputil could be made to forward certain hop-by-hop headers, including Connection. In case the target of the ReverseProxy was itself a reverse proxy, this would let an attacker drop arbitrary headers, including those set by the ReverseProxy.Director.

The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net, and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use.

The NewReader and OpenReader functions in archive/zip can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size.

CVE-2021-33198 https://github.com/golang/go/issues/45910 CVE-2021-33197 https://github.com/golang/go/issues/46313 CVE-2021-33195 https://github.com/golang/go/issues/46241 CVE-2021-33196 https://github.com/golang/go/issues/46242 2021-05-01 2021-06-03
aiohttp -- open redirect vulnerability py36-aiohttp py37-aiohttp py38-aiohttp py39-aiohttp 3.7.3

Sviatoslav Sydorenko reports:

Open redirect vulnerability — a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website.

It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware.

CVE-2021-21330 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg https://nvd.nist.gov/vuln/detail/CVE-2021-21330 2021-02-25 2021-06-03 2021-06-23
zeek -- several potential DoS vulnerabilities zeek 4.0.2

Tim Wojtulewicz of Corelight reports:

Fix potential Undefined Behavior in decode_netbios_name() and decode_netbios_name_type() BIFs. The latter has a possibility of a remote heap-buffer-overread, making this a potential DoS vulnerability.

Add some extra length checking when parsing mobile ipv6 packets. Due to the possibility of reading invalid headers from remote sources, this is a potential DoS vulnerability.

https://github.com/zeek/zeek/releases/tag/v4.0.2 2021-04-30 2021-06-02
PyYAML -- arbitrary code execution py36-yaml py37-yaml py38-yaml py39-yaml 5.4

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.

CVE-2020-14343 https://github.com/yaml/pyyaml/issues/420 https://access.redhat.com/security/cve/CVE-2020-14343 https://bugzilla.redhat.com/show_bug.cgi?id=1860466 2020-07-22 2021-06-02
isc-dhcp -- remotely exploitable vulnerability isc-dhcp44-relay 4.4.2-P1 isc-dhcp44-server 4.4.2-P1 isc-dhcp44-client 4.4.2-P1

Michael McNally reports:

Program code used by the ISC DHCP package to read and parse stored leases

has a defect that can be exploited by an attacker to cause one of several undesirable outcomes

CVE-2021-25217 https://kb.isc.org/docs/cve-2021-25217 2021-05-26 2021-06-02
Gitlab -- Multiple Vulnerabilities gitlab-ce 13.12.013.12.2 13.11.013.11.5 7.10.013.10.5

Gitlab reports:

Stealing GitLab OAuth access tokens using XSLeaks in Safari

Denial of service through recursive triggered pipelines

Unauthenticated CI lint API may lead to information disclosure and SSRF

Server-side DoS through rendering crafted Markdown documents

Issue and merge request length limit is not being enforced

Insufficient Expired Password Validation

XSS in blob viewer of notebooks

Logging of Sensitive Information

On-call rotation information exposed when removing a member

Spoofing commit author for signed commits

Enable qsh verification for Atlassian Connect

CVE-2021-22181 https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/ 2021-06-01 2021-06-01
redis -- integer overflow redis 6.0.06.0.14 redis-devel 6.2.06.2.4

Redis development team reports:

An integer overflow bug in Redis version 6.0 or newer can be exploited using the STRALGO LCS command to corrupt the heap and potentially result with remote code execution. This is a result of an incomplete fix by CVE-2021-29477.

CVE-2021-32625 https://groups.google.com/g/redis-db/c/RLTwi1kKsCI 2021-06-01 2021-06-01
libX11 -- Arbitrary code execution libX11 1.7.1,1

The X.org project reports:

XLookupColor() and other X libraries function lack proper validation of the length of their string parameters. If those parameters can be controlled by an external application (for instance a color name that can be emitted via a terminal control sequence) it can lead to the emission of extra X protocol requests to the X server.

CVE-2021-31535 https://lists.freedesktop.org/archives/xorg/2021-May/060699.html https://nvd.nist.gov/vuln/detail/CVE-2021-31535 2021-05-11 2021-06-01 2022-02-08
Prometheus -- arbitrary redirects prometheus2 2.23.02.26.1 2.27.0

Prometheus reports:

Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.

CVE-2021-29622 https://nvd.nist.gov/vuln/detail/CVE-2021-29622 2021-05-18 2021-06-01
wayland -- integer overflow wayland 1.19.0_1

Tobias Stoeckmann reports:

The libXcursor fix for CVE-2013-2003 has never been imported into wayland, leaving it vulnerable to it.

CVE-2013-2003 https://gitlab.freedesktop.org/wayland/wayland/-/merge_requests/133 ports/256273 2021-05-02 2021-05-31
FreeBSD -- Missing message validation in libradius(3) FreeBSD 13.013.0_1 12.212.2_7 11.411.4_10

Problem Description:

libradius did not perform sufficient validation of received messages.

rad_get_attr(3) did not verify that the attribute length is valid before subtracting the length of the Type and Length fields. As a result, it could return success while also providing a bogus length of SIZE_T_MAX - 2 for the Value field.

When processing attributes to find an optional authenticator, is_valid_response() failed to verify that each attribute length is non-zero and could thus enter an infinite loop.

Impact:

A server may use libradius(3) to process messages from RADIUS clients. In this case, a malicious client could trigger a denial-of-service in the server. A client using libradius(3) to process messages from a server is susceptible to the same problem.

The impact of the rad_get_attr(3) bug depends on how the returned length is validated and used by the consumer. It is possible that libradius(3) applications will crash or enter an infinite loop when calling rad_get_attr(3) on untrusted RADIUS messages.

CVE-2021-29629 SA-21:12.libradius 2021-05-27 2021-05-27
FreeBSD-kernel -- SMAP bypass FreeBSD-kernel 13.013.0_1 12.212.2_7

Problem Description:

The FreeBSD kernel enables SMAP during boot when the CPU reports that the SMAP capability is present. Subroutines such as copyin() and copyout() are responsible for disabling SMAP around the sections of code that perform user memory accesses.

Such subroutines must handle page faults triggered when user memory is not mapped. The kernel's page fault handler checks the validity of the fault, and if it is indeed valid it will map a page and resume copying. If the fault is invalid, the fault handler returns control to a trampoline which aborts the operation and causes an error to be returned. In this second scenario, a bug in the implementation of SMAP support meant that SMAP would remain disabled until the thread returns to user mode.

Impact:

This bug may be used to bypass the protections provided by SMAP for the duration of a system call. It could thus be combined with other kernel bugs to craft an exploit.

CVE-2021-29628 SA-21:11.smap 2021-05-27 2021-05-27
chromium -- multiple vulnerabilities chromium 91.0.4472.77

Chrome Releases reports:

This release contains 32 security fixes, including:

  • [1208721] High CVE-2021-30521: Heap buffer overflow in Autofill. Reported by ZhanJia Song on 2021-05-13
  • [1176218] High CVE-2021-30522: Use after free in WebAudio. Reported by Piotr Bania of Cisco Talos on 2021-02-09
  • [1187797] High CVE-2021-30523: Use after free in WebRTC. Reported by Tolyan Korniltsev on 2021-03-13
  • [1197146] High CVE-2021-30524: Use after free in TabStrip. Reported by David Erceg on 2021-04-08
  • [1197888] High CVE-2021-30525: Use after free in TabGroups. Reported by David Erceg on 2021-04-11
  • [1198717] High CVE-2021-30526: Out of bounds write in TabStrip. Reported by David Erceg on 2021-04-13
  • [1199198] High CVE-2021-30527: Use after free in WebUI. Reported by David Erceg on 2021-04-15
  • [1206329] High CVE-2021-30528: Use after free in WebAuthentication. Reported by Man Yue Mo of GitHub Security Lab on 2021-05-06
  • [1195278] Medium CVE-2021-30529: Use after free in Bookmarks. Reported by koocola (@alo_cook) and Nan Wang (@eternalsakura13) of 360 Alpha Lab on 2021-04-02
  • [1201033] Medium CVE-2021-30530: Out of bounds memory access in WebAudio. Reported by kkwon on 2021-04-21
  • [1115628] Medium CVE-2021-30531: Insufficient policy enforcement in Content Security Policy. Reported by Philip Papurt on 2020-08-12
  • [1117687] Medium CVE-2021-30532: Insufficient policy enforcement in Content Security Policy. Reported by Philip Papurt on 2020-08-18
  • [1145553] Medium CVE-2021-30533: Insufficient policy enforcement in PopupBlocker. Reported by Eliya Stein on 2020-11-04
  • [1151507] Medium CVE-2021-30534: Insufficient policy enforcement in iFrameSandbox. Reported by Alesandro Ortiz on 2020-11-20
  • [1194899] Medium CVE-2021-30535: Double free in ICU. Reported by nocma, leogan, cheneyxu of WeChat Open Platform Security Team on 2021-04-01
  • [1145024] Medium CVE-2021-21212: Insufficient data validation in networking. Reported by Hugo Hue and Sze Yiu Chau of the Chinese University of Hong Kong on 2020-11-03
  • [1194358] Low CVE-2021-30536: Out of bounds read in V8. Reported by Chris Salls (@salls) on 2021-03-31
  • [830101] Low CVE-2021-30537: Insufficient policy enforcement in cookies. Reported by Jun Kokatsu (@shhnjk) on 2018-04-06
  • [1115045] Low CVE-2021-30538: Insufficient policy enforcement in content security policy. Reported by Tianze Ding (@D1iv3) of Tencent Security Xuanwu Lab on 2020-08-11
  • [971231] Low CVE-2021-30539: Insufficient policy enforcement in content security policy. Reported by unnamed researcher on 2019-06-05
  • [1184147] Low CVE-2021-30540: Incorrect security UI in payments. Reported by @retsew0x01 on 2021-03-03
CVE-2021-30521 CVE-2021-30522 CVE-2021-30523 CVE-2021-30524 CVE-2021-30525 CVE-2021-30526 CVE-2021-30527 CVE-2021-30528 CVE-2021-30529 CVE-2021-30530 CVE-2021-30531 CVE-2021-30532 CVE-2021-30533 CVE-2021-30534 CVE-2021-30535 CVE-2021-21212 CVE-2021-30536 CVE-2021-30537 CVE-2021-30538 CVE-2021-30539 CVE-2021-30540 https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html 2021-05-25 2021-05-26
libzmq4 -- Denial of Service libzmq4 4.3.3

Google's oss-fuzz project reports:

Denial-of-Service on CURVE/ZAP-protected servers by unauthenticated clients. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them.

CVE-2020-15166 https://github.com/zeromq/libzmq/releases/tag/v4.3.3 https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m ports/255102 2020-09-07 2021-05-25
libzmq4 -- Stack overflow libzmq4 4.3.2

Fang-Pen Lin reports:

A remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.

CVE-2019-13132 https://github.com/zeromq/libzmq/releases/tag/v4.3.2 https://github.com/zeromq/libzmq/issues/3558 ports/255102 2019-06-27 2021-05-25
NGINX -- 1-byte memory overwrite in resolver nginx 1.20.1,2 nginx-devel 1.21.0

NGINX team reports:

1-byte memory overwrite might occur during DNS server response processing if the "resolver" directive was used, allowing an attacker who is able to forge UDP packets from the DNS server to cause worker process crash or, potentially, arbitrary code execution.

CVE-2021-23017 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23017 2021-05-25 2021-05-25
PG Partition Manager -- arbitrary code execution pg_partman 4.5.1

PG Partition Manager reports:

In the pg_partman (aka PG Partition Manager) extension before 4.5.1 for PostgreSQL, arbitrary code execution can be achieved via SECURITY DEFINER functions because an explicit search_path is not set.

CVE-2021-33204 https://nvd.nist.gov/vuln/detail/CVE-2021-33204 2021-05-21 2021-05-24
texproc/expat2 -- billion laugh attack expat 2.4.1

Kurt Seifried reports:

So here are the CVE's for the two big ones, libxml2 and expat. Both are affected by the expansion of internal entities (which can be used to consume resources) and external entities (which can cause a denial of service against other services, be used to port scan, etc.).

A billion laughs attack is a type of denial-of-service attack which is aimed at parsers of XML documents.

CVE-2013-0340 https://www.openwall.com/lists/oss-security/2013/02/22/3 https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/ https://nvd.nist.gov/vuln/detail/CVE-2013-0340 2013-02-21 2021-05-24
libxml2 -- Possible denial of service libxml2 2.9.10_4

Daniel Veillard reports:

A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.

CVE-2021-3541 https://ubuntu.com/security/CVE-2021-3541 https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e 2021-05-18 2021-05-23
PostgreSQL server -- two security issues postgresql13-server 13.3 postgresql12-server 12.7 postgresql11-server 11.12 postgresql10-server 10.17 postgresql96-server 9.6.22

The PostgreSQL project reports:

Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE

Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an attacker can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and complete this attack at will. A user lacking the CREATE and TEMPORARY privileges on all databases and the CREATE privilege on all schemas cannot use this attack at will..

Buffer overrun from integer overflow in array subscripting calculations

While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory.

https://www.postgresql.org/support/security/CVE-2021-32027/ https://www.postgresql.org/support/security/CVE-2021-32028/ 2021-05-13 2021-05-14
PostgreSQL -- Memory disclosure in partitioned-table UPDATE ... RETURNING postgresql13-server 13.3 postgresql12-server 12.7 postgresql11-server 11.12

The PostgreSQL project reports:

Using an UPDATE ... RETURNING on a purpose-crafted partitioned table, an attacker can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and complete this attack at will. A user lacking the CREATE and TEMPORARY privileges on all databases and the CREATE privilege on all schemas typically cannot use this attack at will.

https://www.postgresql.org/support/security/CVE-2021-32029/ 2021-05-13 2021-05-14
Prosody -- multiple vulnerabilities prosody 0.11.9

The Prosody security advisory 2021-05-12 reports:

This advisory details 5 new security vulnerabilities discovered in the Prosody.im XMPP server software. All issues are fixed in the 0.11.9 release default configuration.

  • CVE-2021-32918: DoS via insufficient memory consumption controls
  • CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU consumption
  • CVE-2021-32921: Use of timing-dependent string comparison with sensitive values
  • CVE-2021-32917: Use of mod_proxy65 is unrestricted in default configuration
  • CVE-2021-32919: Undocumented dialback-without-dialback option insecure
CVE-2021-32918 CVE-2021-32920 CVE-2021-32921 CVE-2021-32917 CVE-2021-32919 2021-05-12 2021-05-13
ImageMagick6 -- multiple vulnerabilities ImageMagick6 ImageMagick6-nox11 6.9.12.12,1

CVE reports:

Several vulnerabilities have been discovered in ImageMagick:

  • CVE-2021-20309: A flaw was found in ImageMagick in versions before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick.
  • CVE-2021-20176: A divide-by-zero flaw was found in ImageMagick 6.9.11-57 in gem.c. This flaw allows an attacker who submits a crafted file that is processed by ImageMagick to trigger undefined behavior through a division by zero.
  • CVE-2020-29599: ImageMagick before 6.9.11-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files.
  • And maybe some others…
CVE-2020-29599 CVE-2021-20176 CVE-2021-20309 2020-12-17 2021-05-13
ImageMagick7 -- multiple vulnerabilities ImageMagick7 ImageMagick7-nox11 7.0.11.12

CVE reports:

Several vulnerabilities have been discovered in ImageMagick:

  • CVE-2021-20313: A flaw was found in ImageMagick in versions before 7.0.11. A potential cipher leak when the calculate signatures in TransformSignature is possible.
  • CVE-2021-20312: A flaw was found in ImageMagick in versions 7.0.11, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick.
  • CVE-2021-20311: A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in sRGBTransformImage() in the MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker processed by an application using ImageMagick.
  • CVE-2021-20310: A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick.
  • CVE-2021-20309: A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick.
  • And several others…
CVE-2020-27829 CVE-2020-29599 CVE-2021-20176 CVE-2021-20241 CVE-2021-20243 CVE-2021-20244 CVE-2021-20245 CVE-2021-20246 CVE-2021-20309 CVE-2021-20310 CVE-2021-20311 CVE-2021-20312 CVE-2021-20313 2020-10-27 2021-05-13
Pillow -- multiple vulnerabilities py38-pillow 8.2.0

python-pillow reports:

This release fixes several vulnerabilities found with `OSS-Fuzz`.

  • `CVE-2021-25288`: Fix OOB read in Jpeg2KDecode. This dates to Pillow 2.4.0.
  • `CVE-2021-28675`: Fix DOS in PsdImagePlugin. This dates to the PIL fork.
  • `CVE-2021-28676`: Fix FLI DOS. This dates to the PIL fork.
  • `CVE-2021-28677`: Fix EPS DOS on _open. This dates to the PIL fork.
  • `CVE-2021-28678`: Fix BLP DOS. This dates to Pillow 5.1.0.
  • Fix memory DOS in ImageFont. This dates to the PIL fork.
CVE-2021-25288 CVE-2021-28675 CVE-2021-28676 CVE-2021-28677 CVE-2021-28678 2021-04-01 2021-05-12
chromium -- multiple vulnerabilities chromium 90.0.4430.212

Chrome Releases reports:

This release contains 19 security fixes, including:

  • [1180126] High CVE-2021-30506: Incorrect security UI in Web App Installs. Reported by @retsew0x01 on 2021-02-19
  • [1178202] High CVE-2021-30507: Inappropriate implementation in Offline. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2021-02-14
  • [1195340] High CVE-2021-30508: Heap buffer overflow in Media Feeds. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-04-02
  • [1196309] High CVE-2021-30509: Out of bounds write in Tab Strip. Reported by David Erceg on 2021-04-06
  • [1197436] High CVE-2021-30510: Race in Aura. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-04-09
  • [1197875] High CVE-2021-30511: Out of bounds read in Tab Groups. Reported by David Erceg on 2021-04-10
  • [1200019] High CVE-2021-30512: Use after free in Notifications. Reported by ZhanJia Song on 2021-04-17
  • [1200490] High CVE-2021-30513: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2021-04-19
  • [1200766] High CVE-2021-30514: Use after free in Autofill. Reported by koocola (@alo_cook) and Nan Wang (@eternalsakura13) of 360 Alpha Lab on 2021-04-20
  • [1201073] High CVE-2021-30515: Use after free in File API. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-04-21
  • [1201446] High CVE-2021-30516: Heap buffer overflow in History. Reported by ZhanJia Song on 2021-04-22
  • [1203122] High CVE-2021-30517: Type Confusion in V8. Reported by laural on 2021-04-27
  • [1203590] High CVE-2021-30518: Heap buffer overflow in Reader Mode. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2021-04-28
  • [1194058] Medium CVE-2021-30519: Use after free in Payments. Reported by asnine on 2021-03-30
  • [1193362] Medium CVE-2021-30520: Use after free in Tab Strip. Reported by Khalil Zhani on 2021-04-03
CVE-2021-30506 CVE-2021-30507 CVE-2021-30508 CVE-2021-30509 CVE-2021-30510 CVE-2021-30511 CVE-2021-30512 CVE-2021-30513 CVE-2021-30514 CVE-2021-30515 CVE-2021-30516 CVE-2021-30517 CVE-2021-30518 CVE-2021-30519 CVE-2021-30520 https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop.html 2021-05-10 2021-05-11
py-matrix-synapse -- malicious push rules may be used for a denial of service attack. py36-matrix-synapse py37-matrix-synapse py38-matrix-synapse py39-matrix-synapse 1.33.2

Matrix developers report:

"Push rules" can specify conditions under which they will match, including event_match, which matches event content against a pattern including wildcards. Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events.

CVE-2021-29471 https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85 2021-05-11 2021-05-11
cyrus-imapd -- Remote authenticated users could bypass intended access restrictions on certain server annotations. cyrus-imapd34 3.4.03.4.1 cyrus-imapd32 3.2.03.2.7

Cyrus IMAP 3.4.1 Release Notes states:

Fixed CVE-2021-32056: Remote authenticated users could bypass intended access restrictions on certain server annotations. Additionally, a long-standing bug in replication did not allow server annotations to be replicated. Combining these two bugs, a remote authenticated user could stall replication, requiring administrator intervention.

CVE-2021-32056 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32056 2021-05-05 2021-05-10
FLAC -- out-of-bounds read flac 1.3.3_1

Oss-Fuzz reports:

There is a possible out of bounds read due to a heap buffer overflow in FLAC__bitreader_read_rice_signed_block of bitreader.c.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17069 CVE-2020-0499 2019-09-08 2021-05-08
Rails -- multiple vulnerabilities rubygem-actionpack52 5.2.6 rubygem-actionpack60 6.0.3.7 rubygem-actionpack61 6.1.3.2

Ruby on Rails blog:

Rails versions 6.1.3.2, 6.0.3.7, and 5.2.6 have been released! These releases contain important security fixes. Here is a list of the issues fixed:

CVE-2021-22885: Possible Information Disclosure / Unintended Method Execution in Action Pack

CVE-2021-22902: Possible Denial of Service vulnerability in Action Dispatch

CVE-2021-22903: Possible Open Redirect Vulnerability in Action Pack

CVE-2021-22904: Possible DoS Vulnerability in Action Controller Token Authentication

https://weblog.rubyonrails.org/2021/5/5/Rails-versions-6-1-3-2-6-0-3-7-5-2-4-6-and-5-2-6-have-been-released/ https://discuss.rubyonrails.org/t/cve-2021-22885-possible-information-disclosure-unintended-method-execution-in-action-pack/77868 https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866 https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867 https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869 CVE-2021-22885 CVE-2021-22902 CVE-2021-22903 CVE-2021-22904 2021-05-05 2021-05-07
go -- net/http: ReadRequest can stack overflow due to recursion with very large headers go 1.16.4,1

The Go project reports:

http.ReadRequest can stack overflow due to recursion when given a request with a very large header (~8-10MB depending on the architecture). A http.Server which overrides the default max header of 1MB by setting Server.MaxHeaderBytes to a much larger value could also be vulnerable in the same way.

CVE-2021-31525 https://github.com/golang/go/issues/45710 2021-04-22 2021-05-06
Ansible -- Insecure Temporary File py36-ansible py37-ansible py38-ansible py39-ansible py36-ansible27 2.9.02.9.9 py37-ansible27 py38-ansible27 py39-ansible27 2.7.02.7.18 py36-ansible28 py37-ansible28 py38-ansible28 py39-ansible28 2.8.02.8.12

NVD reports:

An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems..

https://nvd.nist.gov/vuln/detail/CVE-2020-10744 CVE-2020-10744 2020-05-15 2021-05-05
Django -- multiple vulnerabilities py36-django22 py37-django22 py38-django22 py39-django22 2.2.21 py36-django31 py37-django31 py38-django31 py39-django31 3.1.9 py36-django32 py37-django32 py38-django32 py39-django32 3.2.1

Django Release reports:

CVE-2021-31542:Potential directory-traversal via uploaded files.

MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via uploaded files with suitably crafted file names.

https://www.djangoproject.com/weblog/2021/may/04/security-releases/ CVE-2021-31542 2021-04-22 2021-05-05
Python -- multiple vulnerabilities python38 3.8.10 python39 3.9.5

Python reports:

bpo-43434: Creating a sqlite3.Connection object now also produces a sqlite3.connect auditing event. Previously this event was only produced by sqlite3.connect() calls. Patch by Erlend E. Aasland.

bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks.Following the controlling specification for URLs defined by WHATWG urllib.parse() now removes A SCII newlines and tabs from URLs, preventing such attacks.

bpo-43472: Ensures interpreter-level audit hooks receive the cpython. PyInterpreterState_New event when called through the _xxsubinterpreters module.

bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function socket.inet_aton() treats leading zeros as octal notatation. glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros.

bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame, and generator code/frame attribute access.

https://docs.python.org/3/whatsnew/changelog.html#changelog https://docs.python.org/3.8/whatsnew/changelog.html#changelog 2021-03-08 2021-05-05
redis -- multiple vulnerabilities redis 6.0.06.0.13 redis-devel 6.2.06.2.3

Redis project reports:

Vulnerability in the STRALGO LCS command
An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result with remote code execution.
Vulnerability in the COPY command for large intsets
An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration value, creating a large set key that consists of integer values and using the COPY command to duplicate it. The integer overflow bug exists in all versions of Redis starting with 2.6, where it could result with a corrupted RDB or DUMP payload, but not exploited through COPY (which did not exist before 6.2).
CVE-2021-29477 CVE-2021-29478 https://groups.google.com/g/redis-db/c/6GSWzTW0PR8 2021-05-03 2021-05-03
RDoc -- command injection vulnerability rubygem-rdoc 6.3.1

Alexandr Savca reports:

RDoc used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run rdoc command.

CVE-2021-31799 https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/ 2021-05-02 2021-05-02
sympa -- Unauthorised full access via SOAP API due to illegal cookie sympa 6.2.60

Sympa community reports:

Unauthorised full access via SOAP API due to illegal cookie

CVE-2020-29668 https://sympa-community.github.io/security/2020-003.html 2020-11-24 2021-02-06
samba -- negative idmap cache entries vulnerability samba412 4.12.15 samba413 4.13.8 samba414 4.14.4

The Samba Team reports:

  • CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries in the Samba file server process token.
https://www.samba.org/samba/security/CVE-2021-20254.html CVE-2021-20254 2021-04-29 2021-05-01
Gitlab -- Vulnerabilities gitlab-ce 13.11.013.11.2 13.10.013.10.4 11.6.013.9.7

Gitlab reports:

Read API scoped tokens can execute mutations

Pull mirror credentials were exposed

Denial of Service when querying repository branches API

Non-owners can set system_note_timestamp when creating / updating issues

DeployToken will impersonate a User with the same ID when using Dependency Proxy

https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/ CVE-2021-22209 CVE-2021-22206 CVE-2021-22210 CVE-2021-22208 CVE-2021-22211 2021-04-28 2021-04-28
Carrierwave -- Multiple vulnerabilities rubygem-carrierwave 1.3.2

Community reports:

Fix Code Injection vulnerability in CarrierWave::RMagick

Fix SSRF vulnerability in the remote file download feature

https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08 CVE-2021-21288 CVE-2021-21305 2021-02-08 2021-04-28
sympa -- Inappropriate use of the cookie parameter can be a security threat. This parameter may also not provide sufficient security. sympa 6.2.62

Earlier versions of Sympa require a parameter named cookie in sympa.conf configuration file.

This parameter was used to make some identifiers generated by the system unpredictable. For example, it was used as following:

  • To be used as a salt to encrypt passwords stored in the database by the RC4 symmetric key algorithm.

    Note that RC4 is no longer considered secure enough and is not supported in the current version of Sympa.

  • To prevent attackers from sending crafted messages to achieve XSS and so on in message archives.

There were the following problems with the use of this parameter.

  1. This parameter, for its purpose, should be different for each installation, and once set, it cannot be changed. As a result, some sites have been operating without setting this parameter. This completely invalidates the security measures described above.
  2. Even if this parameter is properly set, it may be considered not being strong enough against brute force attacks.
https://sympa-community.github.io/security/2021-001.html 2021-04-27 2021-04-27
chromium -- multiple vulnerabilities chromium 90.0.4430.93

Chrome Releases reports:

This release contains 9 security fixes, including:

  • [1199345] High CVE-2021-21227: Insufficient data validation in V8. Reported by Gengming Liu of Singular Security Lab on 2021-04-15
  • [1175058] High CVE-2021-21232: Use after free in Dev Tools. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-05
  • [1182937] High CVE-2021-21233: Heap buffer overflow in ANGLE. Reported by Omair on 2021-02-26
  • [1139156] Medium CVE-2021-21228: Insufficient policy enforcement in extensions. Reported by Rob Wu on 2020-10-16
  • [$TBD][1198165] Medium CVE-2021-21229: Incorrect security UI in downloads. Reported by Mohit Raj (shadow2639) on 2021-04-12
  • [1198705] Medium CVE-2021-21230: Type Confusion in V8. Reported by Manfred Paul on 2021-04-13
  • [1198696] Low CVE-2021-21231: Insufficient data validation in V8. Reported by Sergei Glazunov of Google Project Zero on 2021-04-13
CVE-2021-21227 CVE-2021-21228 CVE-2021-21229 CVE-2021-21230 CVE-2021-21231 CVE-2021-21232 CVE-2021-21233 https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_26.html 2021-04-26 2021-04-27
sbibboleth-sp -- denial of service vulnerability shibboleth-sp 3.0.0 3.2.1_1

Shibboleth project reports:

Session recovery feature contains a null pointer deference.

The cookie-based session recovery feature added in V3.0 contains a flaw that is exploitable on systems *not* using the feature if a specially crafted cookie is supplied.

This manifests as a crash in the shibd daemon/service process.

Because it is very simple to trigger this condition remotely, it results in a potential denial of service condition exploitable by a remote, unauthenticated attacker.

https://shibboleth.net/community/advisories/secadv_20210426.txt 2021-04-23 2021-04-26
zeek -- null-pointer dereference vulnerability zeek 4.0.1

Jon Siwek of Corelight reports:

Fix null-pointer dereference when encountering an invalid enum name in a config/input file that tries to read it into a set[enum]. For those that have such an input feed whose contents may come from external/remote sources, this is a potential DoS vulnerability.

https://github.com/zeek/zeek/releases/tag/v4.0.1 2021-04-01 2021-04-21
openvpn -- deferred authentication can be bypassed in specific circumstances openvpn 2.5.2 openvpn-mbedtls 2.5.2

Gert Döring reports:

OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

https://community.openvpn.net/openvpn/wiki/CVE-2020-15078 https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-252 CVE-2020-15078 2021-03-02 2021-04-21
chromium -- multiple vulnerabilities chromium 90.0.4430.85

Chrome Reelases reports:

This release includes 7 security fixes, including:

  • 1194046] High CVE-2021-21222: Heap buffer overflow in V8. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-03-30
  • [1195308] High CVE-2021-21223: Integer overflow in Mojo. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-04-02
  • [1195777] High CVE-2021-21224: Type Confusion in V8. Reported by Jose Martinez (tr0y4) from VerSprite Inc. on 2021-04-05
  • [1195977] High CVE-2021-21225: Out of bounds memory access in V8. Reported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-05
  • [1197904] High CVE-2021-21226: Use after free in navigation. Reported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-11
CVE-2021-21222 CVE-2021-21223 CVE-2021-21224 CVE-2021-21225 CVE-2021-21226 https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html 2021-04-20 2021-04-21
jenkins -- Denial of service vulnerability in bundled Jetty jenkins 2.286 jenkins-lts 2.277.3

Jenkins Security Advisory:

Description

(High) JENKINS-65280 / CVE-2021-28165

Denial of service vulnerability in bundled Jetty

https://www.jenkins.io/security/advisory/2021-04-20/ CVE-2021-28165 2021-04-20 2021-04-20
MySQL -- Multiple vulnerabilities mariadb103-server 10.3.29 mariadb104-server 10.4.19 mariadb105-server 10.5.10 mysql56-server 5.6.52 mysql57-server 5.7.34 mysql80-server 8.0.24

Oracle reports:

This Critical Patch Update contains 49 new security patches for Oracle MySQL. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 9.8.

MariaDB is affected by CVE-2021-2166 and CVE-2021-2154 only

https://www.oracle.com/security-alerts/cpuapr2021.html https://mariadb.com/kb/en/mariadb-10510-release-notes/ CVE-2020-8277 CVE-2020-1971 CVE-2021-3449 CVE-2020-28196 CVE-2021-23841 CVE-2021-2144 CVE-2021-2172 CVE-2021-2298 CVE-2021-2178 CVE-2021-2202 CVE-2021-2307 CVE-2021-2304 CVE-2021-2180 CVE-2021-2194 CVE-2021-2154 CVE-2021-2166 CVE-2021-2196 CVE-2021-2300 CVE-2021-2305 CVE-2021-2179 CVE-2021-2226 CVE-2021-2160 CVE-2021-2164 CVE-2021-2169 CVE-2021-2170 CVE-2021-2193 CVE-2021-2203 CVE-2021-2212 CVE-2021-2213 CVE-2021-2278 CVE-2021-2299 CVE-2021-2230 CVE-2021-2146 CVE-2021-2201 CVE-2021-2208 CVE-2021-2215 CVE-2021-2217 CVE-2021-2293 CVE-2021-2174 CVE-2021-2171 CVE-2021-2162 CVE-2021-2301 CVE-2021-2308 CVE-2021-2232 2021-04-20 2021-04-20 2021-05-04
All versions of Apache OpenOffice through 4.1.9 can open non-http(s) hyperlinks. If the link is specifically crafted this could lead to untrusted code execution. apache-openoffice 4.1.10 apache-openoffice-devel 4.2.1619649022,4

The Apache Openofffice project reports:

The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution. It is always best practice to be careful opening documents from unknown and unverified sources. The mitigation in Apache OpenOffice 4.1.10 (unreleased) assures that a security warning is displayed giving the user the option of continuing to open the hyperlink.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30245 CVE-2021-30245 2021-01-25 2021-04-20
Apache Maven -- multiple vulnerabilities maven 3.8.1

The Apache Maven project reports:

We received a report from Jonathan Leitschuh about a vulnerability of custom repositories in dependency POMs. We've split this up into three separate issues:

  • Possible Man-In-The-Middle-Attack due to custom repositories using HTTP. More and more repositories use HTTPS nowadays, but this hasn't always been the case. This means that Maven Central contains POMs with custom repositories that refer to a URL over HTTP. This makes downloads via such repository a target for a MITM attack. At the same time, developers are probably not aware that for some downloads an insecure URL is being used. Because uploaded POMs to Maven Central are immutable, a change for Maven was required. To solve this, we extended the mirror configuration with blocked parameter, and we added a new external:http:* mirror selector (like existing external:*), meaning "any external URL using HTTP". The decision was made to block such external HTTP repositories by default: this is done by providing a mirror in the conf/settings.xml blocking insecure HTTP external URLs.
  • Possible Domain Hijacking due to custom repositories using abandoned domains Sonatype has analyzed which domains were abandoned and has claimed these domains.
  • Possible hijacking of downloads by redirecting to custom repositories This one was the hardest to analyze and explain. The short story is: you're safe, dependencies are only downloaded from repositories within their context. So there are two main questions: what is the context and what is the order? The order is described on the Repository Order page. The first group of repositories are defined in the settings.xml (both user and global). The second group of repositories are based on inheritence, with ultimately the super POM containing the URL to Maven Central. The third group is the most complex one but is important to understand the term context: repositories from the effective POMs from the dependency path to the artifact. So if a dependency was defined by another dependency or by a Maven project, it will also include their repositories. In the end this is not a bug, but a design feature.
http://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291 CVE-2021-26291 CVE-2020-13956 2021-04-04 2021-04-19
Consul -- Multiple vulnerabilities consul 1.9.5

Hashicorp reports:

Add content-type headers to raw KV responses to prevent XSS attacks (CVE-2020-25864). audit-logging: Parse endpoint URL to prevent requests from bypassing the audit log (CVE-2021-28156).

https://github.com/hashicorp/consul/releases/tag/v1.9.5 CVE-2020-25864 CVE-2021-28156 2021-04-15 2021-04-17
AccountsService -- Insufficient path check in user_change_icon_file_authorized_cb() accountsservice 0.6.50

NVD reports:

Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in user.c.

http://www.openwall.com/lists/oss-security/2018/07/02/2 https://nvd.nist.gov/vuln/detail/CVE-2018-14036 https://www.securityfocus.com/bid/104757 https://bugs.freedesktop.org/show_bug.cgi?id=107085 https://bugzilla.suse.com/show_bug.cgi?id=1099699 https://cgit.freedesktop.org/accountsservice/commit/?id=f9abd359f71a5bce421b9ae23432f539a067847a CVE-2018-14036 2018-07-13 2021-04-15
mdbook -- XSS in mdBook's search page mdbook 0.4.5

Rust Security Response Working Group reports:

The search feature of mdBook (introduced in version 0.1.4) was affected by a cross site scripting vulnerability that allowed an attacker to execute arbitrary JavaScript code on an user's browser by tricking the user into typing a malicious search query, or tricking the user into clicking a link to the search page with the malicious search query prefilled. mdBook 0.4.5 fixes the vulnerability by properly escaping the search query.

https://github.com/rust-lang/mdBook/blob/master/CHANGELOG.md#mdbook-045 https://github.com/rust-lang/mdBook/commit/32abeef088e98327ca0dfccdad92e84afa9d2e9b https://github.com/rust-lang/mdBook/security/advisories/GHSA-gx5w-rrhp-f436 https://groups.google.com/g/rustlang-security-announcements/c/3-sO6of29O0?pli=1 https://nvd.nist.gov/vuln/detail/CVE-2020-26297 CVE-2020-26297 2021-04-01 2021-04-15
Gitlab -- Vulnerabilities gitlab-ce 13.10.013.10.3 13.9.013.9.6 7.1213.8.8

SO-AND-SO reports:

Remote code execution when uploading specially crafted image files

Update Rexml

https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/ CVE-2021-28965 2021-04-14 2021-04-15
chromium -- multiple vulnerabilities chromium 90.0.4430.72

Chrome Releases reports:

This release contains 37 security fixes, including:

  • [1025683] High CVE-2021-21201: Use after free in permissions. Reported by Gengming Liu, Jianyu Chen at Tencent Keen Security Lab on 2019-11-18
  • [1188889] High CVE-2021-21202: Use after free in extensions. Reported by David Erceg on 2021-03-16
  • [1192054] High CVE-2021-21203: Use after free in Blink. Reported by asnine on 2021-03-24
  • [1189926] High CVE-2021-21204: Use after free in Blink. Reported by Chelse Tsai-Simek, Jeanette Ulloa, and Emily Voigtlander of Seesaw on 2021-03-19
  • [1165654] High CVE-2021-21205: Insufficient policy enforcement in navigation. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2021-01-12
  • [1195333] High CVE-2021-21221: Insufficient validation of untrusted input in Mojo. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-04-02
  • [1185732] Medium CVE-2021-21207: Use after free in IndexedDB. Reported by koocola (@alo_cook) and Nan Wang (@eternalsakura13) of 360 Alpha Lab on 2021-03-08
  • [1039539] Medium CVE-2021-21208: Insufficient data validation in QR scanner. Reported by Ahmed Elsobky (@0xsobky) on 2020-01-07
  • [1143526] Medium CVE-2021-21209: Inappropriate implementation in storage. Reported by Tom Van Goethem (@tomvangoethem) on 2020-10-29
  • [1184562] Medium CVE-2021-21210: Inappropriate implementation in Network. Reported by @bananabr on 2021-03-04
  • [1103119] Medium CVE-2021-21211: Inappropriate implementation in Navigation. Reported by Akash Labade (m0ns7er) on 2020-07-08
  • [1145024] Medium CVE-2021-21212: Incorrect security UI in Network Config UI. Reported by Hugo Hue and Sze Yiu Chau of the Chinese University of Hong Kong on 2020-11-03
  • [1161806] Medium CVE-2021-21213: Use after free in WebMIDI. Reported by raven (@raid_akame) on 2020-12-25
  • [1170148] Medium CVE-2021-21214: Use after free in Network API. Reported by Anonymous on 2021-01-24
  • [1172533] Medium CVE-2021-21215: Inappropriate implementation in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-01-30
  • [1173297] Medium CVE-2021-21216: Inappropriate implementation in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-02
  • [1166462] Low CVE-2021-21217: Uninitialized Use in PDFium. Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on 2021-01-14
  • [1166478] Low CVE-2021-21218: Uninitialized Use in PDFium. Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on 2021-01-14
  • [1166972] Low CVE-2021-21219: Uninitialized Use in PDFium. Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on 2021-01-15
CVE-2021-21201 CVE-2021-21202 CVE-2021-21203 CVE-2021-21204 CVE-2021-21205 CVE-2021-21221 CVE-2021-21207 CVE-2021-21208 CVE-2021-21209 CVE-2021-21210 CVE-2021-21211 CVE-2021-21212 CVE-2021-21213 CVE-2021-21214 CVE-2021-21215 CVE-2021-21216 CVE-2021-21217 CVE-2021-21218 CVE-2021-21219 https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_14.html 2021-04-14 2021-04-15
chromium -- multiple vulnerabilities chromium 89.0.4389.128

Chrome Releases reports:

This release contains two security fixes:

  • [1196781] High CVE-2021-21206: Use after free in Blink. Reported by Anonymous on 2021-04-07
  • [1196683] High CVE-2021-21220: Insufficient validation of untrusted input in V8 for x86_64. Reported by Bruno Keith (@bkth_) and Niklas Baumstark (@_niklasb) of Dataflow Security (@dfsec_it) via ZDI (ZDI-CAN-13569) on 2021-04-07>
CVE-2021-21206 CVE-2021-21220 https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html 2021-04-13 2021-04-14
xorg-server -- Input validation failures in X server XInput extension xorg-server 1.20.11,1 xwayland 1.20.11,1 xwayland-devel 1.20.0.877

X.Org server security reports for release 1.20.11:

  • Fix XChangeFeedbackControl() request underflow

.

https://gitlab.freedesktop.org/xorg/xserver/-/tags/xorg-server-1.20.11 2021-04-13 2021-04-13
gitea -- multiple vulnerabilities gitea 1.14.0

The Gitea Team reports for release 1.14.0:

  • Validate email in external authenticator registration form
  • Ensure validation occurs on clone addresses too
https://github.com/go-gitea/gitea/releases/tag/v1.14.0 ports/254976 2021-03-11 2021-04-11
syncthing -- crash due to malformed relay protocol message syncthing 1.15.0

syncthing developers report:

syncthing can be caused to crash and exit if sent a malformed relay protocol message message with a negative length field.

The relay server strelaysrv can be caused to crash and exit if sent a malformed relay protocol message with a negative length field.

CVE-2021-21404 https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h 2021-04-06 2021-04-12
python -- Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem python38 3.8.9 python39 3.9.3

David Schwörer reports:

Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords.

CVE-2021-3426 https://pythoninsider.blogspot.com/2021/04/python-393-and-389-are-now-available.html https://bugs.python.org/issue42988 2021-01-21 2021-04-10
curl -- TLS 1.3 session ticket proxy host mixup curl 7.63.07.76.0

Daniel Stenberg reports:

Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes.

When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence from TLS 1.2 when the session ids would provided only during the TLS handshake, while in TLS 1.3 it happens post hand-shake and the code was not updated to take that changed behavior into account.

When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed.

This flaw can allow a malicious HTTPS proxy to MITM the traffic. Such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.

CVE-2021-22890 https://curl.se/docs/CVE-2021-22890.html 2021-03-31 2021-04-10
curl -- Automatic referer leaks credentials curl 7.1.17.76.0

Daniel Stenberg reports:

libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

libcurl automatically sets the Referer: HTTP request header field in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set. With the curl tool, it is enabled with --referer ";auto".

CVE-2021-22876 https://curl.se/docs/CVE-2021-22876.html 2021-03-31 2021-04-10
gitea -- multiple vulnerabilities gitea 1.13.7

The Gitea Team reports for release 1.13.7:

  • Update to bluemonday-1.0.6
  • Clusterfuzz found another way
https://github.com/go-gitea/gitea/releases/tag/v1.13.7 ports/254930 2021-04-07 2021-04-09
clamav -- Multiple vulnerabilites clamav 0.103.2,1

Micah Snyder reports:

CVE-2021-1252
Excel XLM parser infinite loop
CVE-2021-1404
PDF parser buffer over-read; possible crash.
CVE-2021-1405
Mail parser NULL-dereference crash.
CVE-2021-1252 CVE-2021-1404 CVE-2021-1405 https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html 2021-04-07 2021-04-07
jenkins -- multiple vulnerabilities jenkins 2.287 jenkins-lts 2.277.2

Jenkins Security Advisory:

Description

(Low) SECURITY-1721 / CVE-2021-21639

Lack of type validation in agent related REST API

(Medium) SECURITY-1871 / CVE-2021-21640

View name validation bypass

https://www.jenkins.io/security/advisory/2021-04-07/ 2021-04-07 2021-04-08
Node.js -- April 2021 Security Releases node10 10.24.1 node12 12.22.1 node14 14.16.1 node 15.14.0

Node.js reports:

OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High) (CVE-2021-3450)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt

OpenSSL - NULL pointer deref in signature_algorithms processing (High) (CVE-2021-3449)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt

npm upgrade - Update y18n to fix Prototype-Pollution (High) (CVE-2020-7774)

This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh

https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/ https://www.openssl.org/news/secadv/20210325.txt https://github.com/advisories/GHSA-c4w7-xm78-47vh CVE-2021-3450 CVE-2021-3449 CVE-2020-7774 2021-04-06 2021-04-07
FreeBSD -- jail escape possible by mounting over jail root FreeBSD-kernel 12.212.2_6 11.411.4_9

Problem Description:

Due to a race condition between lookup of ".." and remounting a filesystem, a process running inside a jail might access filesystem hierarchy outside of jail.

Impact:

A process with superuser privileges running inside a jail configured with the allow.mount permission (not enabled by default) could change the root directory outside of the jail, and thus gain full read and write access to all files and directories in the system.

CVE-2020-25584 SA-21:10.jail_mount 2021-04-06 2021-04-07
FreeBSD -- double free in accept_filter(9) socket configuration interface FreeBSD-kernel 12.212.2_6

Problem Description:

An unprivileged process can configure an accept filter on a listening socket. This is done using the setsockopt(2) system call. The process supplies the name of the accept filter which is to be attached to the socket, as well as a string containing filter-specific information.

If the filter implements the accf_create callback, the socket option handler attempts to preserve the process-supplied argument string. A bug in the socket option handler caused this string to be freed prematurely, leaving a dangling pointer. Additional operations on the socket can turn this into a double free or a use-after-free.

Impact:

The bug may be exploited to trigger local privilege escalation or kernel memory disclosure.

CVE-2021-29627 SA-21:09.accept_filter 2021-04-06 2021-04-07
FreeBSD -- Memory disclosure by stale virtual memory mapping FreeBSD-kernel 12.212.2_6 11.411.4_9

Problem Description:

A particular case of memory sharing is mishandled in the virtual memory system. It is possible and legal to establish a relationship where multiple descendant processes share a mapping which shadows memory of an ancestor process. In this scenario, when one process modifies memory through such a mapping, the copy-on-write logic fails to invalidate other mappings of the source page. These stale mappings may remain even after the mapped pages have been reused for another purpose.

Impact:

An unprivileged local user process can maintain a mapping of a page after it is freed, allowing that process to read private data belonging to other processes or the kernel.

CVE-2021-29626 SA-21:08.vm 2021-04-06 2021-04-07
upnp -- stack overflow vulnerability upnp 1.14.5,1

Mitre reports:

A stack overflow in pupnp 1.16.1 can cause the denial of service through the Parser_parseDocument() function. ixmlNode_free() will release a child node recursively, which will consume stack space and lead to a crash.

CVE-2021-28302 https://github.com/pupnp/pupnp/issues/249 2021-03-12 2021-04-06
ruby -- XML round-trip vulnerability in REXML ruby 2.5.0,12.5.9,1 2.6.0,12.6.7,1 2.7.0,12.7.3,1 3.0.0.p1,13.0.1,1 rubygem-rexml 3.2.5

Juho Nurminen reports:

When parsing and serializing a crafted XML document, REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one. The impact of this issue highly depends on context, but it may lead to a vulnerability in some programs that are using REXML.

CVE-2021-28965 https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/ 2021-04-05 2021-04-05
chromium -- multiple vulnerabilities chromium 89.0.4389.114

Chrome Releases reports:

This update contains 8 security fixes, including:

  • [1181228] High CVE-2021-21194: Use after free in screen capture. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-02-23
  • [1182647] High CVE-2021-21195: Use after free in V8. Reported by Bohan Liu (@P4nda20371774) and Moon Liang of Tencent Security Xuanwu Lab on 2021-02-26
  • [1175992] High CVE-2021-21196: Heap buffer overflow in TabStrip. Reported by Khalil Zhani on 2021-02-08
  • [1173903] High CVE-2021-21197: Heap buffer overflow in TabStrip. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-03
  • [1184399] High CVE-2021-21198: Out of bounds read in IPC. Reported by Mark Brand of Google Project Zero on 2021-03-03
  • [1179635] High CVE-2021-21199: Use Use after free in Aura. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group and Evangelos Foutras
CVE-2021-21194 CVE-2021-21195 CVE-2021-21196 CVE-2021-21197 CVE-2021-21198 CVE-2021-21199 https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_30.html 2021-03-31 2021-03-31
Gitlab -- Multiple vulnerabilities gitlab-ce 13.10.013.10.1 13.9.013.9.5 913.8.7

Gitlab reports:

Arbitrary File Read During Project Import

Kroki Arbitrary File Read/Write

Stored Cross-Site-Scripting in merge requests

Access data of an internal project through a public project fork as an anonymous user

Incident metric images can be deleted by any user

Infinite Loop When a User Access a Merge Request

Stored XSS in scoped labels

Admin CSRF in System Hooks Execution Through API

Update OpenSSL dependency

Update PostgreSQL dependency

https://about.gitlab.com/releases/2021/03/31/security-release-gitlab-13-10-1-released/ 2021-03-31 2021-04-06
samba -- Multiple Vulnerabilities samba411 4.11.15 samba412 4.12.14 samba413 4.13.7 samba414 4.14.2

The Samba Team reports:

  • CVE-2020-27840: An anonymous attacker can crash the Samba AD DC LDAP server by sending easily crafted DNs as part of a bind request. More serious heap corruption is likely also possible.
  • CVE-2021-20277: User-controlled LDAP filter strings against the AD DC LDAP server may crash the LDAP server.
https://www.samba.org/samba/security/CVE-2020-27840.html https://www.samba.org/samba/security/CVE-2021-20277.html CVE-2020-27840 CVE-2021-20277 2021-03-24 2021-03-28
nettle 3.7.2 -- fix serious ECDSA signature verify bug nettle 3.7.2 linux-c7-nettle 3.7.2

Niels Möller reports:

I've prepared a new bug-fix release of Nettle, a low-level cryptographics library, to fix a serious bug in the function to verify ECDSA signatures. Implications include an assertion failure, which could be used for denial-of-service, when verifying signatures on the secp_224r1 and secp521_r1 curves.

Even when no assert is triggered in ecdsa_verify, ECC point multiplication may get invalid intermediate values as input, and produce incorrect results. [...] It appears difficult to construct an alleged signature that makes the function misbehave in such a way that an invalid signature is accepted as valid, but such attacks can't be ruled out without further analysis.

https://lists.lysator.liu.se/pipermail/nettle-bugs/2021/009458.html 2021-03-21 2021-03-27
OpenSSL -- Multiple vulnerabilities openssl 1.1.1k,1 FreeBSD 12.212.2_5

The OpenSSL project reports:

High: CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450)
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default.

High: NULL pointer deref in signature_algorithms processing (CVE-2021-3449)
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack.

https://www.openssl.org/news/secadv/20210325.txt CVE-2021-3449 CVE-2021-3450 SA-21:07.openssl 2021-03-25 2021-03-26 2021-04-07
spamassassin -- Malicious rule configuration (.cf) files can be configured to run system commands spamassassin 3.4.5

The Apache SpamAssassin project reports:

Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of security note where malicious rule configuration (.cf) files can be configured to run system commands.

In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

https://spamassassin.apache.org/news.html https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202103.mbox/%3C5b7cfd35-27b7-584b-1b39-b7ff0a55f586%40apache.org%3E https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1946 CVE-2020-1946 2021-03-24 2021-03-24
gitea -- multiple vulnerabilities gitea 1.13.6

The Gitea Team reports for release 1.13.6:

  • Fix bug on avatar middleware
  • Fix another clusterfuzz identified issue
https://github.com/go-gitea/gitea/releases/tag/v1.13.5 ports/254515 2021-03-21 2021-03-23
gitea -- quoting in markdown text gitea 1.13.5

The Gitea Team reports for release 1.13.5:

  • Update to goldmark 1.3.3
https://github.com/go-gitea/gitea/releases/tag/v1.13.5 ports/254130 2021-03-20 2021-03-21
OpenSSH -- Double-free memory corruption in ssh-agent openssh-portable openssh-portable-hpn openssh-portable-gssapi 8.2.p1,18.4.p1_4,1

OpenBSD Project reports:

ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket.

On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions.

The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access.

CVE-2021-28041 https://www.openssh.com/txt/release-8.5 2021-03-03 2021-03-13 2021-04-20
Gitlab -- Multiple vulnerabilities gitlab-ce 13.9.013.9.4 13.8.013.8.6 13.2.013.7.9

Gigtlab reports:

Remote code execution via unsafe user-controlled markdown rendering options

https://about.gitlab.com/releases/2021/03/17/security-release-gitlab-13-9-4-released/ 2021-03-17 2021-03-18
dnsmasq -- cache poisoning vulnerability in certain configurations dnsmasq 2.85.r1,1 dnsmasq-devel 2.85.r1,3

Simon Kelley reports:

[In configurations where the forwarding server address contains an @ character for specifying a sending interface or source address, the] random source port behavior was disabled, making cache poisoning attacks possible.

This only affects configurations of the form server=1.1.1.1@em0 or server=1.1.1.1@192.0.2.1, i. e. those that specify an interface to send through, or an IP address to send from, or use together with NetworkManager.

https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014835.html CVE-2021-3448 2021-03-17 2021-03-18
minio -- MITM attack minio 2021.03.17.02.33.02

minio developer report:

This is a security issue because it enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures.

In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature.

https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp 2021-03-17 2021-03-17
LibreSSL -- use-after-free libressl 3.2.4_1

OpenBSD reports:

A TLS client using session resumption may cause a use-after-free.

https://marc.info/?l=openbsd-announce&m=161582456312832&w=2 https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/017_libssl.patch.sig 2021-03-15 2021-03-16
chromium -- multiple vulnerabilities chromium 89.0.4389.90

Chrome Releases reports:

This release includes 5 security fixes, including:

  • [1167357] High CVE-2021-21191: Use after free in WebRTC. Reported by raven (@raid_akame) on 2021-01-15
  • [1181387] High CVE-2021-21192: Heap buffer overflow in tab groups. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-23
  • [1186287] High CVE-2021-21193: Use after free in Blink. Reported by Anonymous on 2021-03-09
CVE-2021-11191 CVE-2021-11192 CVE-2021-11193 https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html 2021-03-12 2021-03-16
squashfs-tools -- Integer overflow squashfs-tools 4.4

Phillip Lougher reports:

Integer overflow in the read_fragment_table_4 function in unsquash-4.c in Squashfs and sasquatch allows remote attackers to cause a denial of service (application crash) via a crafted input, which triggers a stack-based buffer overflow.

CVE-2015-4645 https://nvd.nist.gov/vuln/detail/CVE-2015-4645 2017-03-17 2021-03-15
go -- encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader; archive/zip: panic when calling Reader.Open go 1.16.1,1

The Go project reports:

The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element.

The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive containing files that start with "../".

CVE-2021-27918 http://golang.org/issue/44913 CVE-2021-27919 http://golang.org/issue/44916 2021-03-05 2021-03-10
gitea -- multiple vulnerabilities gitea 1.13.4

The Gitea Team reports for release 1.13.3:

  • Turn default hash password algorithm back to pbkdf2 from argon2 until we find a better one

The Gitea Team reports for release 1.13.4:

  • Fix issue popups
https://github.com/go-gitea/gitea/releases/tag/v1.13.3 https://github.com/go-gitea/gitea/releases/tag/v1.13.4 ports/254130 2021-01-07 2021-02-06
mantis -- multiple vulnerabilities mantis-php72 mantis-php73 mantis-php74 mantis-php80 2.24.4,1

Mantis 2.24.4 release reports:

Security and maintenance release, addressing 6 CVEs:

  • 0027726: CVE-2020-29603: disclosure of private project name
  • 0027727: CVE-2020-29605: disclosure of private issue summary
  • 0027728: CVE-2020-29604: full disclosure of private issue contents, including bugnotes and attachments
  • 0027361: Private category can be access/used by a non member of a private project (IDOR)
  • 0027779: CVE-2020-35571: XSS in helper_ensure_confirmed() calls
  • 0026794: User Account - Takeover
  • 0027363: Fixed in version can be changed to a version that doesn't exist
  • 0027350: When updating an issue, a Viewer user can be set as Reporter
  • 0027370: CVE-2020-35849: Revisions allow viewing private bugnotes id and summary
  • 0027495: CVE-2020-28413: SQL injection in the parameter "access" on the mc_project_get_users function throught the API SOAP.
  • 0027444: Printing unsanitized user input in install.php
CVE-2020-28413 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28413 CVE-2020-35849 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35849 2020-11-10 2021-03-10
Node.js -- February 2021 Security Releases node10 10.24.0 node12 12.21.0 node14 14.16.0 node 15.10.0

Node.js reports:

HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion (Critical) (CVE-2021-22883)

Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

DNS rebinding in --inspect (CVE-2021-22884)

Affected Node.js versions are vulnerable to a DNS rebinding attack when the whitelist includes "localhost6". When "localhost6" is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the "localhost6" domain. As long as the attacker uses the "localhost6" domain, they can still apply the attack described in CVE-2018-7160.

OpenSSL - Integer overflow in CipherUpdate (CVE-2021-23840)

This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt

https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/ CVE-2021-22883 CVE-2021-22884 CVE-2021-23840 2021-02-23 2021-03-09
Gitlab -- Multiple vulnerabilities gitlab-ce 13.9.013.9.2 13.8.013.8.5 13.7.8

Gitlab reports:

JWT token leak via Workhorse

Stored XSS in wiki pages

Group Maintainers are able to use the Group CI/CD Variables API

Insecure storage of GitLab session keys

https://about.gitlab.com/releases/2021/03/04/security-release-gitlab-13-9-2-released/ CVE-2021-22185 CVE-2021-22186 2021-03-04 2021-03-05
asterisk -- Crash when negotiating T.38 with a zero port asterisk16 16.16.2 asterisk18 18.2.2

The Asterisk project reports:

When Asterisk sends a re-invite initiating T.38 faxing and the endpoint responds with a m=image line and zero port, a crash will occur in Asterisk. This is a reoccurrence of AST-2019-004.

CVE-2019-15297 https://downloads.asterisk.org/pub/security/AST-2021-006.html 2021-02-20 2021-03-04
chromium -- multiple vulnerabilities chromium 89.0.4389.72

Chrome Releases reports:

This release includes 47 security fixes, including the below. Google is aware of reports that an exploit for CVE-2021-21166 exists in the wild. Please see URL for details.

CVE-2021-21159 CVE-2021-21160 CVE-2021-21161 CVE-2021-21162 CVE-2021-21163 CVE-2021-21164 CVE-2021-21165 CVE-2021-21166 CVE-2021-21167 CVE-2021-21168 CVE-2021-21169 CVE-2021-21170 CVE-2021-21171 CVE-2021-21172 CVE-2021-21173 CVE-2021-21174 CVE-2021-21175 CVE-2021-21176 CVE-2021-21177 CVE-2021-21178 CVE-2021-21179 CVE-2021-21180 CVE-2021-21181 CVE-2021-21182 CVE-2021-21183 CVE-2021-21184 CVE-2021-21185 CVE-2021-21186 CVE-2021-21187 CVE-2021-21188 CVE-2021-21189 CVE-2021-21190 CVE-2020-27844 https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html 2021-03-02 2021-03-04
jasper -- multiple vulnerabilities jasper 2.0.25

JasPer Releases:

- Fix memory-related bugs in the JPEG-2000 codec resulting from attempting to decode invalid code streams. (#264, #265)

This fix is associated with CVE-2021-26926 and CVE-2021-26927.

- Fix wrong return value under some compilers (#260)

- Fix CVE-2021-3272 heap buffer overflow in jp2_decode (#259)

https://github.com/jasper-software/jasper/releases CVE-2021-26926 CVE-2021-26927 CVE-2021-3272 2021-02-07 2021-03-03
salt -- multiple vulnerabilities py36-salt-2019 py37-salt-2019 py38-salt-2019 py36-salt py37-salt py38-salt py39-salt 2019.2.8 30003002.5

SaltStack reports multiple security vulnerabilities in Salt

  • CVE-2021-3197: The Salt-API.s SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.
  • CVE-2021-25281: The Salt-API does not have eAuth credentials for the wheel_async client.
  • CVE-2021-25282: The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.
  • CVE-2021-25283: The jinja renderer does not protect against server-side template injection attacks.
  • CVE-2021-25284: webutils write passwords in cleartext to /var/log/salt/minion
  • CVE-2021-3148: command injection in salt.utils.thin.gen_thin()
  • CVE-2020-35662: Several places where Salt was not verifying the SSL cert by default.
  • CVE-2021-3144: eauth Token can be used once after expiration.
  • CVE-2020-28972: Code base not validating SSL/TLS certificate of the server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack
  • CVE-2020-28243: Local Privilege Escalation in the Minion.
"https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/" CVE-2021-3197 CVE-2021-25281 CVE-2021-25282 CVE-2021-25283 CVE-2021-25284 CVE-2021-3148 CVE-2020-35662 CVE-2021-3144 CVE-2020-28972 CVE-2020-28243 2021-02-25 2021-03-03
vault -- unauthenticated license read vault 1.6.3

vault developers report:

Limited Unauthenticated License Read: We addressed a security vulnerability that allowed for the unauthenticated reading of Vault licenses from DR Secondaries.

CVE-2021-27668 https://github.com/hashicorp/vault/releases/tag/v1.6.3 2021-02-26 2021-02-27
FreeBSD -- jail_remove(2) fails to kill all jailed processes FreeBSD-kernel 12.212.2_4 11.411.4_8

Problem Description:

Due to a race condition in the jail_remove(2) implementation, it may fail to kill some of the processes.

Impact:

A process running inside a jail can avoid being killed during jail termination. If a jail is subsequently started with the same root path, a lingering jailed process may be able to exploit the window during which a devfs filesystem is mounted but the jail's devfs ruleset has not been applied, to access device nodes which are ordinarily inaccessible. If the process is privileged, it may be able to escape the jail and gain full access to the system.

CVE-2020-25581 SA-21:04.jail_remove 2021-02-24 2021-02-25
FreeBSD -- Xen grant mapping error handling issues FreeBSD-kernel 12.212.2_4 11.411.4_8

Problem Description:

Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation.

Unfortunately, when running in HVM/PVH mode, the FreeBSD backend drivers mishandle this: Some errors are ignored, effectively implying their success from the success of related batch elements. In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones to not be possible to properly unmap upon error recovery.

Impact:

A malicious or buggy frontend driver may be able to cause resource leaks in the domain running the corresponding backend driver.

CVE-2021-26932 SA-21:06.xen 2021-02-24 2021-02-25
FreeBSD -- jail_attach(2) relies on the caller to change the cwd FreeBSD-kernel 12.212.2_4 11.411.4_8

Problem Description:

When a process, such as jexec(8) or killall(1), calls jail_attach(2) to enter a jail, the jailed root can attach to it using ptrace(2) before the current working directory is changed.

Impact:

A process with superuser privileges running inside a jail could change the root directory outside of the jail, thereby gaining full read and writing access to all files and directories in the system.

CVE-2020-25582 SA-21:05.jail_chdir 2021-02-24 2021-02-25
FreeBSD -- login.access fails to apply rules FreeBSD 12.212.2_4 11.411.4_8

Problem Description:

A regression in the login.access(5) rule processor has the effect of causing rules to fail to match even when they should not. This means that rules denying access may be ignored.

Impact:

The configuration in login.access(5) may not be applied, permitting login access to users even when the system is configured to deny it.

CVE-2020-25580 SA-21:03.pam_login_access 2021-02-24 2021-02-25
redis -- Integer overflow on 32-bit systems redis-devel 6.2.0 redis 6.0.11 redis5 5.0.11

Redis Development team reports:

Redis 4.0 or newer uses a configurable limit for the maximum supported bulk input size. By default, it is 512MB which is a safe value for all platforms. If the limit is significantly increased, receiving a large request from a client may trigger several integer overflow scenarios, which would result with buffer overflow and heap corruption.

CVE-2021-21309 2021-02-22 2021-02-23
zeek -- Remote crash vulnerability zeek 3.0.13

Jon Siwek of Corelight reports:

Fix ASCII Input reader's treatment of input files containing null-bytes. An input file containing null-bytes could lead to a buffer-over-read, crash Zeek, and be exploited to cause Denial of Service.

https://github.com/zeek/zeek/releases/tag/v3.0.13 2021-02-10 2021-02-22
raptor2 -- malformed input file can lead to a segfault raptor2 2.0.15_17

Redland Issue Tracker reports:

due to an out of bounds array access in raptor_xml_writer_start_element_common.

https://bugs.librdf.org/mantis/view.php?id=650 2020-11-24 2021-02-20
jenkins -- Privilege escalation vulnerability in bundled Spring Security library jenkins 2.280

Jenkins Security Advisory:

Description

(high) SECURITY-2195 / CVE-2021-22112

Privilege escalation vulnerability in bundled Spring Security library

https://www.jenkins.io/security/advisory/2021-02-19/ 2021-02-19 2021-02-20
asterisk -- Remote Crash Vulnerability in PJSIP channel driver asterisk13 13.38.2 asterisk16 16.16.1 asterisk18 18.2.1

The Asterisk project reports:

Given a scenario where an outgoing call is placed from Asterisk to a remote SIP server it is possible for a crash to occur.

CVE-2021-26906 https://downloads.asterisk.org/pub/security/AST-2021-005.html 2021-02-08 2021-02-18
asterisk -- An unsuspecting user could crash Asterisk with multiple hold/unhold requests asterisk16 16.16.016.16.1 asterisk18 18.2.018.2.1

The Asterisk project reports:

Due to a signedness comparison mismatch, an authenticated WebRTC client could cause a stack overflow and Asterisk crash by sending multiple hold/unhold requests in quick succession.

CVE-2021-26714 https://downloads.asterisk.org/pub/security/AST-2021-004.html 2021-02-11 2021-02-18
asterisk -- Remote attacker could prematurely tear down SRTP calls asterisk13 13.38.113.38.2 asterisk16 16.16.016.16.1 asterisk18 18.2.018.2.1

The Asterisk project reports:

An unauthenticated remote attacker could replay SRTP packets which could cause an Asterisk instance configured without strict RTP validation to tear down calls prematurely.

CVE-2021-26712 https://downloads.asterisk.org/pub/security/AST-2021-003.html 2021-02-18 2021-02-18
asterisk -- Remote crash possible when negotiating T.38 asterisk16 16.15.016.16.1 asterisk18 18.1.018.2.1

The Asterisk project reports:

When re-negotiating for T.38 if the initial remote response was delayed just enough Asterisk would send both audio and T.38 in the SDP. If this happened, and the remote responded with a declined T.38 stream then Asterisk would crash.

CVE-2021-26717 https://downloads.asterisk.org/pub/security/AST-2021-002.html 2021-02-05 2021-02-18
asterisk -- Remote crash in res_pjsip_diversion asterisk13 13.38.113.38.2 asterisk16 16.15.116.16.1 asterisk18 18.1.118.2.1

The Asterisk project reports:

If a registered user is tricked into dialing a malicious number that sends lots of 181 responses to Asterisk, each one will cause a 181 to be sent back to the original caller with an increasing number of entries in the "Supported" header. Eventually the number of entries in the header exceeds the size of the entry array and causes a crash.

CVE-2020-35776 https://downloads.asterisk.org/pub/security/AST-2021-001.html 2021-01-04 2021-02-18
Rails -- multiple vulnerabilities rubygem-activerecord52 5.2.4.5 rubygem-actionpack60 rubygem-activerecord60 6.0.3.5 rubygem-actionpack61 rubygem-activerecord61 6.1.2.1

Ruby on Rails blog:

Rails version 5.2.4.5, 6.0.3.5 and 6.1.2.1 have been released! Those version are security releases and addresses two issues:

CVE-2021-22880: Possible DoS Vulnerability in Active Record PostgreSQL adapter.

CVE-2021-22881: Possible Open Redirect in Host Authorization Middleware.

https://weblog.rubyonrails.org/2021/2/10/Rails-5-2-4-5-6-0-3-5-and-6-1-2-1-have-been-released/ https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129 https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130 CVE-2021-22880 CVE-2021-22881 2021-02-10 2021-02-17
chromium -- multiple vulnerabilities chromium 88.0.4324.182

Chrome Releases reports:

This release contains 10 security fixes, including:

  • [1138143] High CVE-2021-21149: Stack overflow in Data Transfer. Reported by Ryoya Tsukasaki on 2020-10-14
  • [1172192] High CVE-2021-21150: Use after free in Downloads. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2021-01-29
  • [1165624] High CVE-2021-21151: Use after free in Payments. Reported by Khalil Zhani on 2021-01-12
  • [1166504] High CVE-2021-21152: Heap buffer overflow in Media. Reported by Anonymous on 2021-01-14
  • [1155974] High CVE-2021-21153: Stack overflow in GPU Process. Reported by Jan Ruge of ERNW GmbH on 2020-12-06
  • [1173269] High CVE-2021-21154: Heap buffer overflow in Tab Strip. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-01
  • [1175500] High CVE-2021-21155: Heap buffer overflow in Tab Strip. Reported by Khalil Zhani on 2021-02-07
  • [1177341] High CVE-2021-21156: Heap buffer overflow in V8. Reported by Sergei Glazunov of Google Project Zero on 2021-02-11
  • [1170657] Medium CVE-2021-21157: Use after free in Web Sockets. Reported by Anonymous on 2021-01-26
CVE-2021-21149 CVE-2021-21150 CVE-2021-21151 CVE-2021-21152 CVE-2021-21153 CVE-2021-21154 CVE-2021-21155 CVE-2021-21156 CVE-2021-21157 https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_16.html 2021-02-16 2021-02-17
OpenSSL -- Multiple vulnerabilities openssl 1.1.1j,1 openssl-devel 3.0.0.a12 FreeBSD 12.212.2_10 11.411.4_13

The OpenSSL project reports:

Null pointer deref in X509_issuer_and_serial_hash() CVE-2021-23841
(Moderate) The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack.

Integer overflow in CipherUpdate CVE-2021-23840
(Low) Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.

https://www.openssl.org/news/secadv/20210216.txt CVE-2021-23841 CVE-2021-23840 CVE-2021-23839 SA-21:17.openssl 2021-02-16 2021-02-16 2021-08-25
openexr, ilmbase -- security fixes related to reading corrupted input files ilmbase 2.5.5 openexr 2.5.5

Cary Phillips reports:

Patch release with various bug/sanitizer/security fixes, primarily related to reading corrupted input files[...].

https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.5.5 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.5.4 CVE-2021-20296 CVE-2021-3479 CVE-2021-3478 CVE-2021-3477 CVE-2021-3476 CVE-2021-3475 CVE-2021-3474 2021-02-12 2021-02-12
Gitlab -- Multiple Vulnerabilities gitlab-ce 13.8.013.8.4 13.7.013.7.7 10.513.6.7

Gitlab reports:

Improper Certificate Validation for Fortinet OTP

Denial of Service Attack on gitlab-shell

Resource exhaustion due to pending jobs

Confidential issue titles were exposed

Improper access control allowed demoted project members to access authored merge requests

Improper access control allowed unauthorized users to access analytic pages

Unauthenticated CI lint API may lead to information disclosure and SSRF

Prometheus integration in Gitlab may lead to SSRF

https://about.gitlab.com/releases/2021/02/11/security-release-gitlab-13-8-4-released/ 2021-02-11 2021-02-12
oauth2-proxy -- domain whitelist could be used as redirect oauth2-proxy 7.0.0

SO-AND-SO reports:

In OAuth2 Proxy before version 7.0.0, for users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect.

https://nvd.nist.gov/vuln/detail/CVE-2021-21291 2021-02-02 2021-02-12
mod_dav_svn -- server crash mod_dav_svn 1.9.01.10.6 1.11.01.14.0

Subversion project reports:

Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL.

https://subversion.apache.org/security/CVE-2020-17525-advisory.txt 2021-01-29 2021-02-10
gitea -- multiple vulnerabilities gitea 1.13.2

The Gitea Team reports for release 1.13.2:

  • Prevent panic on fuzzer provided string
  • Add secure/httpOnly attributes to the lang cookie
https://github.com/go-gitea/gitea/releases/tag/v1.13.2 ports/253295 2021-01-07 2021-02-06
chromium -- heap buffer overflow in V8 chromium 88.0.4324.150

Chrome Releases reports:

[1170176] High CVE-2021-21148: Heap buffer overflow in V8. Reported by Mattias Buelens on 2021-01-24. Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild.

CVE-2021-21148 https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html 2021-02-04 2021-02-05
www/chromium -- multiple vulnerabilities chromium 88.0.4324.146

Chrome Releases reports:

This update include 6 security fixes:

  • 1169317] Critical CVE-2021-21142: Use after free in Payments. Reported by Khalil Zhani on 2021-01-21
  • [1163504] High CVE-2021-21143: Heap buffer overflow in Extensions. Reported by Allen Parker and Alex Morgan of MU on 2021-01-06
  • [1163845] High CVE-2021-21144: Heap buffer overflow in Tab Groups. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-01-07
  • [1154965] High CVE-2021-21145: Use after free in Fonts. Reported by Anonymous on 2020-12-03
  • [1161705] High CVE-2021-21146: Use after free in Navigation. Reported by Alison Huffman and Choongwoo Han of Microsoft Browser Vulnerability Research on 2020-12-24
  • [1162942] Medium CVE-2021-21147: Inappropriate implementation in Skia. Reported by Roman Starkov on 2021-01-04
CVE-2021-21142 CVE-2021-21143 CVE-2021-21144 CVE-2021-21145 CVE-2021-21146 CVE-2021-21147 https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop.html 2021-02-02 2021-02-03
Gitlab -- Multiple vulnerabilities gitlab-ce 13.8.013.8.2 13.7.013.7.6 11.813.6.6

Gitlab reports:

Stored XSS in merge request

Stored XSS in epic's pages

Sensitive GraphQL variables exposed in structured log

Guest user can see tag names in private projects

Information disclosure via error message

DNS rebinding protection bypass

Validate existence of private project

https://about.gitlab.com/blog/2021/02/01/security-release-gitlab-13-8-2-released/ CVE-2021-22172 CVE-2021-22169 2021-02-01 2021-02-02
minio -- Server Side Request Forgery minio 2021.01.30.00.20.58

Minio developers report:

Thanks to @phith0n from our community upon a code review, discovered an SSRF (Server Side Request Forgery) in our Browser API implementation. We have not observed this report/attack in the wild or reported elsewhere in the community at large.

All users are advised to upgrade ASAP.

The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.).

In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed.

https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q 2021-01-29 2021-01-31
FreeBSD -- Xen guests can triger backend Out Of Memory FreeBSD-kernel 12.212.2_3 12.112.1_13 11.411.4_7

Problem Description:

Some OSes (including Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued.

As the queue is unbound, a guest may be able to trigger a OOM in the backend.

CVE-2020-29568 SA-21:02.xenoom 2021-01-29 2021-01-29
FreeBSD -- Uninitialized kernel stack leaks in several file systems FreeBSD-kernel 12.212.2_3 12.112.1_13 11.411.4_7

Problem Description:

Several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems. This problem is not present in FreeBSD 11.

Additionally, msdosfs(5) was failing to zero-fill a pair of padding fields in the dirent structure, resulting in a leak of three uninitialized bytes.

Impact:

Kernel stack disclosures may leak sensitive information which could be used to compromise the security of the system.

CVE-2020-25578 CVE-2020-25579 SA-21:01.fsdisclosure 2021-01-29 2021-01-29
pngcheck -- Buffer-overrun vulnerability pngcheck 3.0.1

The libpng project reports:

pngcheck versions 3.0.0 and earlier have a pair of buffer-overrun bugs related to the sPLT and PPLT chunks (the latter is a MNG-only chunk, but it gets noticed even in PNG files if the -s option is used). Both bugs are fixed in version 3.0.1, released on 24 January 2021. Again, while all known vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

http://www.libpng.org/pub/png/apps/pngcheck.html 2021-01-24 2021-01-28
sudo -- Multiple vulnerabilities sudo 1.9.5p2

Todd C. Miller reports:

When invoked as sudoedit, the same set of command line options are now accepted as for sudo -e. The -H and -P options are now rejected for sudoedit and sudo -e which matches the sudo 1.7 behavior. This is part of the fix for CVE-2021-3156.

Fixed a potential buffer overflow when unescaping backslashes in the command's arguments. Normally, sudo escapes special characters when running a command via a shell (sudo -s or sudo -i). However, it was also possible to run sudoedit with the -s or -i flags in which case no escaping had actually been done, making a buffer overflow possible. This fixes CVE-2021-3156.

https://www.sudo.ws/stable.html#1.9.5p2 CVE-2021-3156 2021-01-26 2021-01-26
pysaml2 -- multiple vulnerabilities py36-pysaml2 py37-pysaml2 py38-pysaml2 py39-pysaml2 6.5.0

pysaml2 Releases:

Fix processing of invalid SAML XML documents - CVE-2021-21238

Fix unspecified xmlsec1 key-type preference - CVE-2021-21239

https://github.com/IdentityPython/pysaml2/releases https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-f4g9-h89h-jgv9 https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-5p3x-r448-pc62 CVE-2021-21238 CVE-2021-21239 2021-01-20 2021-01-26
jenkins -- Arbitrary file read vulnerability in workspace browsers jenkins 2.276 jenkins-lts 2.263.3

Jenkins Security Advisory:

Description

(Medium) SECURITY-2197 / CVE-2021-21615

Arbitrary file read vulnerability in workspace browsers

https://www.jenkins.io/security/advisory/2021-01-26/ 2021-01-26 2021-01-26
mutt -- denial of service mutt 2.0.5

Tavis Ormandy reports:

rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups). A small email message from the attacker can cause large memory consumption, and the victim may then be unable to see email messages from other persons.

https://gitlab.com/muttmua/mutt/-/issues/323 CVE-2021-3181 2021-01-17 2021-01-23
MySQL -- Multiple vulnerabilities mysql56-client 5.6.51 mysql57-client 5.7.33 mysql80-client 8.0.23 mysql56-server 5.6.51 mysql57-server 5.7.33 mysql80-server 8.0.23

Oracle reports:

This Critical Patch Update contains 34 new security patches for Oracle MySQL Server and 4 for MySQL Client.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 6.8.

https://www.oracle.com/security-alerts/cpujan2021.html#AppendixMSQL CVE-2021-2046 CVE-2021-2020 CVE-2021-2024 CVE-2021-2011 CVE-2021-2006 CVE-2021-2048 CVE-2021-2028 CVE-2021-2122 CVE-2021-2058 CVE-2021-2001 CVE-2021-2016 CVE-2021-2021 CVE-2021-2030 CVE-2021-2031 CVE-2021-2036 CVE-2021-2055 CVE-2021-2060 CVE-2021-2070 CVE-2021-2076 CVE-2021-2065 CVE-2021-2014 CVE-2021-2002 CVE-2021-2012 CVE-2021-2009 CVE-2021-2072 CVE-2021-2081 CVE-2021-2022 CVE-2021-2038 CVE-2021-2061 CVE-2021-2056 CVE-2021-2087 CVE-2021-2088 CVE-2021-2032 CVE-2021-2010 CVE-2021-1998 CVE-2021-2007 CVE-2021-2019 CVE-2021-2042 2021-01-23 2021-01-23
chromium -- multiple vulnerabilities chromium 88.0.4324.96

Chrome Releases reports:

This release contains 36 security fixes, including:

  • [1137179] Critical CVE-2021-21117: Insufficient policy enforcement in Cryptohome. Reported by Rory McNamara on 2020-10-10
  • [1161357] High CVE-2021-21118: Insufficient data validation in V8. Reported by Tyler Nighswander (@tylerni7) of Theori on 2020-12-23
  • [1160534] High CVE-2021-21119: Use after free in Media. Reported by Anonymous on 2020-12-20
  • [1160602] High CVE-2021-21120: Use after free in WebSQL. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2020-12-21
  • [1161143] High CVE-2021-21121: Use after free in Omnibox. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-22
  • [1162131] High CVE-2021-21122: Use after free in Blink. Reported by Renata Hodovan on 2020-12-28
  • [1137247] High CVE-2021-21123: Insufficient data validation in File System API. Reported by Maciej Pulikowski on 2020-10-11
  • [1131346] High CVE-2021-21124: Potential user after free in Speech Recognizer. Reported by Chaoyang Ding(@V4kst1z) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-09-23
  • [1152327] High CVE-2021-21125: Insufficient policy enforcement in File System API. Reported by Ron Masas (Imperva) on 2020-11-24
  • [1163228] High CVE-2020-16044: Use after free in WebRTC. Reported by Ned Williamson of Project Zero on 2021-01-05
  • [1108126] Medium CVE-2021-21126: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-07-22
  • [1115590] Medium CVE-2021-21127: Insufficient policy enforcement in extensions. Reported by Jasminder Pal Singh, Web Services Point WSP, Kotkapura on 2020-08-12
  • [1138877] Medium CVE-2021-21128: Heap buffer overflow in Blink. Reported by Liang Dong on 2020-10-15
  • [1140403] Medium CVE-2021-21129: Insufficient policy enforcement in File System API. Reported by Maciej Pulikowski on 2020-10-20
  • [1140410] Medium CVE-2021-21130: Insufficient policy enforcement in File System API. Reported by Maciej Pulikowski on 2020-10-20
  • [1140417] Medium CVE-2021-21131: Insufficient policy enforcement in File System API. Reported by Maciej Pulikowski on 2020-10-20
  • [1128206] Medium CVE-2021-21132: Inappropriate implementation in DevTools. Reported by David Erceg on 2020-09-15
  • [1157743] Medium CVE-2021-21133: Insufficient policy enforcement in Downloads. Reported by wester0x01 (https://twitter.com/wester0x01) on 2020-12-11
  • [1157800] Medium CVE-2021-21134: Incorrect security UI in Page Info. Reported by wester0x01 (https://twitter.com/wester0x01) on 2020-12-11
  • [1157818] Medium CVE-2021-21135: Inappropriate implementation in Performance API. Reported by ndevtk on 2020-12-11
  • [1038002] Low CVE-2021-21136: Insufficient policy enforcement in WebView. Reported by Shiv Sahni, Movnavinothan V and Imdad Mohammed on 2019-12-27
  • [1093791] Low CVE-2021-21137: Inappropriate implementation in DevTools. Reported by bobblybear on 2020-06-11
  • [1122487] Low CVE-2021-21138: Use after free in DevTools. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-08-27
  • [1136327] Low CVE-2021-21140: Uninitialized Use in USB. Reported by David Manouchehri on 2020-10-08
  • [1140435] Low CVE-2021-21141: Insufficient policy enforcement in File System API. Reported by Maciej Pulikowski on 2020-10-20
CVE-2020-16044 CVE-2021-21117 CVE-2021-21118 CVE-2021-21119 CVE-2021-21120 CVE-2021-21121 CVE-2021-21122 CVE-2021-21123 CVE-2021-21124 CVE-2021-21125 CVE-2021-21126 CVE-2021-21127 CVE-2021-21128 CVE-2021-21129 CVE-2021-21130 CVE-2021-21131 CVE-2021-21132 CVE-2021-21133 CVE-2021-21134 CVE-2021-21135 CVE-2021-21136 CVE-2021-21137 CVE-2021-21138 CVE-2021-21139 CVE-2021-21140 CVE-2021-21141 https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html 2021-01-19 2021-01-22
chocolate-doom -- Arbitrary code execution chocolate-doom 3.0.1 crispy-doom 5.9.0

Michal Dardas from LogicalTrust reports:

The server in Chocolate Doom 3.0.0 and Crispy Doom 5.8.0 doesn't validate the user-controlled num_players value, leading to a buffer overflow. A malicious user can overwrite the server's stack.

https://github.com/chocolate-doom/chocolate-doom/issues/1293 CVE-2020-14983 2020-06-22 2021-01-22
nokogiri -- Security vulnerability rubygem-nokogiri rubygem-nokogiri18 1.11.0.rc3

Nokogiri reports:

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema were trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.

https://nokogiri.org/CHANGELOG.html CVE-2020-26247 2021-01-22 2021-01-22
dnsmasq -- DNS cache poisoning, and DNSSEC buffer overflow, vulnerabilities dnsmasq 2.83 dnsmasq-devel 2.83

Simon Kelley reports:

There are broadly two sets of problems. The first is subtle errors in dnsmasq's protections against the chronic weakness of the DNS protocol to cache-poisoning attacks; the Birthday attack, Kaminsky, etc.[...]

the second set of errors is a good old fashioned buffer overflow in dnsmasq's DNSSEC code. If DNSSEC validation is enabled, an installation is at risk.

https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014599.html https://www.jsof-tech.com/disclosures/dnspooq/ CVE-2020-25684 CVE-2020-25685 CVE-2020-25686 CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25687 2020-09-16 2021-01-20
go -- cmd/go: packages using cgo can cause arbitrary code execution at build time; crypto/elliptic: incorrect operations on the P-224 curve go 1.15.7,1

The Go project reports:

The go command may execute arbitrary code at build time when cgo is in use on Windows. This may occur when running "go get", or any other command that builds code. Only users who build untrusted code (and don't execute it) are affected. In addition to Windows users, this can also affect Unix users who have "." listed explicitly in their PATH and are running "go get" or build commands outside of a module or with module mode disabled.

The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult. The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.

CVE-2021-3115 http://golang.org/issue/43783 CVE-2021-3114 http://golang.org/issue/43786 2021-01-13 2021-01-19
cloud-init -- Wrong access permissions of authorized keys cloud-init 20.420.4.1

cloud-init reports:

cloud-init release 20.4.1 is now available. This is a hotfix release, that contains a single patch to address a security issue in cloud-init 20.4.

Briefly, for users who provide more than one unique SSH key to cloud-init and have a shared AuthorizedKeysFile configured in sshd_config, cloud-init 20.4 started writing all of these keys to such a file, granting all such keys SSH access as root.

It's worth restating this implication: if you are using the default AuthorizedKeysFile setting in /etc/ssh/sshd_config, as most will be, then you are _not_ affected by this issue.

https://bugs.launchpad.net/cloud-init/+bug/1911680 2021-01-14 2021-01-19
moinmoin -- multiple vulnerabilities moinmoin 1.9.11

MoinMoin reports:

  • Security fix for CVE-2020-25074: fix remote code execution via cache action

  • Security fix for CVE-2020-15275: fix malicious SVG attachment causing stored XSS vulnerability

https://github.com/moinwiki/moin-1.9/blob/1.9.11/docs/CHANGES#L13 CVE-2020-25074 CVE-2020-15275 2020-11-08 2021-01-18
Ghostscript -- SAFER Sandbox Breakout ghostscript9-agpl-base 9.509.52_8

SO-AND-SO reports:

A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The 'rsearch' calculation for the 'post' size resulted in a size that was too large, and could underflow to max uint32_t. This was fixed in commit 5d499272b95a6b890a1397e11d20937de000d31b.

https://nvd.nist.gov/vuln/detail/CVE-2020-15900 2020-07-28 2021-01-17
Node.js -- January 2021 Security Releases node10 10.23.1 node12 12.20.1 node14 14.15.4 node 15.5.1

Node.js reports:

use-after-free in TLSWrap (High) (CVE-2020-8265)

Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.

HTTP Request Smuggling in nodejs (Low) (CVE-2020-8287)

Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

OpenSSL - EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)

iThis is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt.

https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ https://www.openssl.org/news/secadv/20201208.txt CVE-2020-8265 CVE-2020-8287 CVE-2020-1971 2021-01-04 2021-01-14
Gitlab -- vulnerability gitlab-ce 13.7.013.7.4 13.6.013.6.5 12.213.5.7

SO-AND-SO reports:

Ability to steal a user's API access token through GitLab Pages

https://about.gitlab.com/releases/2021/01/14/critical-security-release-gitlab-13-7-4-released/ 2021-01-14 2021-01-14
wavpack -- integer overflow in pack_utils.c wavpack 5.4.0

The wavpack project reports:

src/pack_utils.c - issue #91: fix integer overflows resulting in buffer overruns (CVE-2020-35738) - sanitize configuration parameters better (improves clarity and aids debugging)

https://github.com/dbry/WavPack/blob/733616993d53cc1f9a7ffb88a858447ba51eb0ee/ChangeLog CVE-2020-35738 2020-12-29 2021-01-14
jenkins -- multiple vulnerabilities jenkins 2.275 jenkins-lts 2.263.2

Jenkins Security Advisory:

Description

(Medium) SECURITY-1452 / CVE-2021-21602

Arbitrary file read vulnerability in workspace browsers

(High) SECURITY-1889 / CVE-2021-21603

XSS vulnerability in notification bar

(High) SECURITY-1923 / CVE-2021-21604

Improper handling of REST API XML deserialization errors

(High) SECURITY-2021 / CVE-2021-21605

Path traversal vulnerability in agent names

(Medium) SECURITY-2023 / CVE-2021-21606

Arbitrary file existence check in file fingerprints

(Medium) SECURITY-2025 / CVE-2021-21607

Excessive memory allocation in graph URLs leads to denial of service

(High) SECURITY-2035 / CVE-2021-21608

Stored XSS vulnerability in button labels

(Low) SECURITY-2047 / CVE-2021-21609

Missing permission check for paths with specific prefix

(High) SECURITY-2153 / CVE-2021-21610

Reflected XSS vulnerability in markup formatter preview

(High) SECURITY-2171 / CVE-2021-21611

Stored XSS vulnerability on new item page

https://www.jenkins.io/security/advisory/2021-01-13/ 2021-01-13 2021-01-13
phpmyfaq -- XSS vulnerability phpmyfaq 3.0.6

phpmyfaq developers report:

phpMyFAQ does not implement sufficient checks to avoid XSS injection for displaying tags.

https://www.phpmyfaq.de/security/advisory-2020-12-23 2020-12-23 2021-01-12
sudo -- Potential information leak in sudoedit sudo 1.9.5

Todd C. Miller reports:

A potential information leak in sudoedit that could be used to test for the existence of directories not normally accessible to the user in certain circumstances. When creating a new file, sudoedit checks to make sure the parent directory of the new file exists before running the editor. However, a race condition exists if the invoking user can replace (or create) the parent directory. If a symbolic link is created in place of the parent directory, sudoedit will run the editor as long as the target of the link exists.If the target of the link does not exist, an error message will be displayed. The race condition can be used to test for the existence of an arbitrary directory. However, it _cannot_ be used to write to an arbitrary location.

https://www.sudo.ws/stable.html#1.9.5 CVE-2021-23239 2021-01-11 2021-01-11
CairoSVG -- Regular Expression Denial of Service vulnerability py36-cairosvg py37-cairosvg py38-cairosvg py39-cairosvg 2.0.02.5.1

CairoSVG security advisories:

When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS).

If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time.

https://github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf 2020-12-30 2021-01-10
Gitlab -- multiple vulnerabilities gitlab-ce 13.7.013.7.2 13.6.013.6.4 12.213.5.6

Gitlab reports:

Ability to steal a user's API access token through GitLab Pages

Prometheus denial of service via HTTP request with custom method

Unauthorized user is able to access private repository information under specific conditions

Regular expression denial of service in NuGet API

Regular expression denial of service in package uploads

Update curl dependency

CVE-2019-3881 mitigation

https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/ CVE-2021-22166 CVE-2020-26414 CVE-2019-3881 2021-01-07 2021-01-09
chromium -- multiple vulnerabilities chromium 87.0.4280.141

Chrome Releases reports:

This release includes 16 security fixes, including:

  • [1148749] High CVE-2021-21106: Use after free in autofill. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-11-13
  • [1153595] High CVE-2021-21107: Use after free in drag and drop. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-11-30
  • [1155426] High CVE-2021-21108: Use after free in media. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-04
  • [1152334] High CVE-2021-21109: Use after free in payments. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2020-11-24
  • [1152451] High CVE-2021-21110: Use after free in safe browsing. Reported by Anonymous on 2020-11-24
  • [1149125] High CVE-2021-21111: Insufficient policy enforcement in WebUI. Reported by Alesandro Ortiz on 2020-11-15
  • [1151298] High CVE-2021-21112: Use after free in Blink. Reported by YoungJoo Lee(@ashuu_lee) of Raon Whitehat on 2020-11-20
  • [1155178] High CVE-2021-21113: Heap buffer overflow in Skia. Reported by tsubmunu on 2020-12-03
  • [1148309] High CVE-2020-16043: Insufficient data validation in networking. Reported by Samy Kamkar, Ben Seri at Armis, Gregory Vishnepolsky at Armis on 2020-11-12
  • [1150065] High CVE-2021-21114: Use after free in audio. Reported by Man Yue Mo of GitHub Security Lab on 2020-11-17
  • [1157790] High CVE-2020-15995: Out of bounds write in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2020-12-11
  • [1157814] High CVE-2021-21115: Use after free in safe browsing. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-11
  • [1151069] Medium CVE-2021-21116: Heap buffer overflow in audio. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-11-19
CVE-2020-15995 CVE-2020-16043 CVE-2021-21106 CVE-2021-21107 CVE-2021-21108 CVE-2021-21109 CVE-2021-21110 CVE-2021-21111 CVE-2021-21112 CVE-2021-21113 CVE-2021-21114 CVE-2021-21115 CVE-2021-21116 https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html 2021-01-06 2021-01-07
mail/dovecot -- multiple vulnerabilities dovecot 2.3.13

Aki Tuomi reports:

When imap hibernation is active, an attacker can cause Dovecot to discover file system directory structure and access other users' emails using specially crafted command. The attacker must have valid credentials to access the mail server.

Mail delivery / parsing crashed when the 10 000th MIME part was message/rfc822 (or if parent was multipart/digest). This happened due to earlier MIME parsing changes for CVE-2020-12100.

https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html CVE-2020-24386 CVE-2020-25275 2020-08-17 2021-01-04