svn commit: r450911 - head/security/vuxml
Ryan Steinmetz
zi at FreeBSD.org
Fri Sep 29 16:28:30 UTC 2017
Author: zi
Date: Fri Sep 29 16:28:22 2017
New Revision: 450911
URL: https://svnweb.freebsd.org/changeset/ports/450911
Log:
- Condense additional entries where description >4500 characters
Approved by: ports-secteam (with hat)
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Fri Sep 29 16:06:29 2017 (r450910)
+++ head/security/vuxml/vuln.xml Fri Sep 29 16:28:22 2017 (r450911)
@@ -1070,64 +1070,17 @@ Notes:
<topic>GitLab -- multiple vulnerabilities</topic>
<affects>
<package>
- <name>gitlab</name>
- <range><ge>1.0.0</ge><le>9.3.10</le></range>
- <range><ge>9.4.0</ge><le>9.4.5</le></range>
- <range><ge>9.5.0</ge><le>9.5.3</le></range>
+ <name>gitlab</name>
+ <range><ge>1.0.0</ge><le>9.3.10</le></range>
+ <range><ge>9.4.0</ge><le>9.4.5</le></range>
+ <range><ge>9.5.0</ge><le>9.5.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GitLab reports:</p>
<blockquote cite="https://about.gitlab.com/2017/09/07/gitlab-9-dot-5-dot-4-security-release/">
- <h1>Cross-Site Scripting (XSS) vulnerability in profile names</h1>
- <p>An external security audit performed by Madison Gurkha disclosed a
- Cross-Site Scripting (XSS) vulnerability in user names that could be
- exploited in several locations.</p>
- <h1>Open Redirect in go-get middleware</h1>
- <p>Tim Goddard via HackerOne reported that GitLab was vulnerable to an open
- redirect vulnerability caused when a specific flag is passed to the go-get
- middleware. This vulnerability could also possibly be used to conduct
- Cross-Site Scripting attacks.</p>
- <h1>Race condition in project uploads</h1>
- <p>Jobert Abma from HackerOne reported that GitLab was vulnerable to a race
- condition in project uploads. While very difficult to exploit this race
- condition could potentially allow an attacker to overwrite a victim's
- uploaded project if the attacker can guess the name of the uploaded file
- before it is extracted.</p>
- <h1>Cross-Site Request Forgery (CSRF) token leakage</h1>
- <p>naure via HackerOne reported that GitLab was vulnerable to CSRF token
- leakage via improper filtering of external URLs in relative URL creation. A
- specially crafted link configured in a project's environments settings could
- be used to steal a visiting user's CSRF token.</p>
- <h1>Potential project disclosure via project deletion bug</h1>
- <p>An internal code review discovered that removed projects were not always
- being deleted from the file system. This could allow an attacker who knew
- the full path to a previously deleted project to steal a copy of the
- repository. These releases prevent the leftover repository from being
- accessed when creating a new project. The project deletion bug will be fixed
- in a later release.</p>
- <h1>White-listed style attribute for table contents in MD enables UI
- redressing</h1>
- <p>An external security audit performed by Recurity-Labs discovered a UI
- redressing vulnerability in the GitLab markdown sanitization library.</p>
- <h1>DOM clobbering in sanitized MD causes errors</h1>
- <p>An external security audit performed by Recurity-Labs discovered a DOM
- clobbering vulnerability in the GitLab markdown sanitization library that
- could be used to render project pages unreadable.</p>
- <h1>Nokogiri vendored libxslt library vulnerable to potential integer
- overflow (CVE-2017-5029 and CVE-2016-4738)</h1>
- <p>The bundled Nokogiri library has been updated to patch an integer
- overflow vulnerability. Details are available in the Nokogiri issue.</p>
- <h1>Security risk in recommended Geo configuration could give all users
- access to all repositories</h1>
- <p>An internal code review discovered that GitLab Geo instances could be
- vulnerable to an attack that would allow any user on the primary Geo
- instance to clone any repository on a secondary Geo instance.</p>
- <h1>GitLab Pages private certificate disclosure via symlinks</h1>
- <p>An external security review conducted by Recurity-Labs discovered a
- vulnerability in GitLab Pages that could be used to disclose the contents of
- private SSL keys.</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -2183,47 +2136,9 @@ Notes:
<p>The cURL project reports:</p>
<blockquote cite="https://curl.haxx.se/docs/security.html">
<ul>
- <li><h2>FILE buffer read out of bounds</h2>
- <p>When asking to get a file from a file:// URL, libcurl provides
- a feature that outputs meta-data about the file using HTTP-like
- headers.</p>
- <p>The code doing this would send the wrong buffer to the user
- (stdout or the application's provide callback), which could
- lead to other private data from the heap to get inadvertently
- displayed.</p>
- <p>The wrong buffer was an uninitialized memory area allocated on
- the heap and if it turned out to not contain any zero byte, it
- would continue and display the data following that buffer in
- memory.</p>
- </li>
- <li><h2>TFTP sends more than buffer size</h2>
- <p>When doing a TFTP transfer and curl/libcurl is given a URL that
- contains a very long file name (longer than about 515 bytes),
- the file name is truncated to fit within the buffer boundaries,
- but the buffer size is still wrongly updated to use the
- untruncated length. This too large value is then used in the
- sendto() call, making curl attempt to send more data than what
- is actually put into the buffer. The sendto() function will then
- read beyond the end of the heap based buffer.</p>
- <p>A malicious HTTP(S) server could redirect a vulnerable libcurl-
- using client to a crafted TFTP URL (if the client hasn't
- restricted which protocols it allows redirects to) and trick it
- to send private memory contents to a remote server over UDP.
- Limit curl's redirect protocols with --proto-redir and libcurl's
- with CURLOPT_REDIR_PROTOCOLS.</p>
- </li>
- <li><h2>URL globbing out of bounds read</h2>
- <p>curl supports "globbing" of URLs, in which a user can pass a
- numerical range to have the tool iterate over those numbers to
- do a sequence of transfers.</p>
- <p>In the globbing function that parses the numerical range, there
- was an omission that made curl read a byte beyond the end of the
- URL if given a carefully crafted, or just wrongly written, URL.
- The URL is stored in a heap based buffer, so it could then be
- made to wrongly read something else instead of crashing.</p>
- <p>An example of a URL that triggers the flaw would be
- http://ur%20[0-60000000000000000000.</p>
- </li>
+ <li>FILE buffer read out of bounds</li>
+ <li>TFTP sends more than buffer size</li>
+ <li>URL globbing out of bounds read</li>
</ul>
</blockquote>
</body>
@@ -2300,34 +2215,7 @@ Notes:
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/">
- <p>CVE-2017-7798: XUL injection in the style editor in devtools</p>
- <p>CVE-2017-7800: Use-after-free in WebSockets during disconnection</p>
- <p>CVE-2017-7801: Use-after-free with marquee during window resizing</p>
- <p>CVE-2017-7784: Use-after-free with image observers</p>
- <p>CVE-2017-7802: Use-after-free resizing image elements</p>
- <p>CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM</p>
- <p>CVE-2017-7786: Buffer overflow while painting non-displayable SVG</p>
- <p>CVE-2017-7806: Use-after-free in layer manager with SVG</p>
- <p>CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements</p>
- <p>CVE-2017-7787: Same-origin policy bypass with iframes through page reloads</p>
- <p>CVE-2017-7807: Domain hijacking through AppCache fallback</p>
- <p>CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID</p>
- <p>CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher</p>
- <p>CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts</p>
- <p>CVE-2017-7808: CSP information leak with frame-ancestors containing paths</p>
- <p>CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections</p>
- <p>CVE-2017-7781: Elliptic curve point addition error when using mixed Jacobian-affine coordinates</p>
- <p>CVE-2017-7794: Linux file truncation via sandbox broker</p>
- <p>CVE-2017-7803: CSP containing 'sandbox' improperly applied</p>
- <p>CVE-2017-7799: Self-XSS XUL injection in about:webrtc</p>
- <p>CVE-2017-7783: DOS attack through long username in URL</p>
- <p>CVE-2017-7788: Sandboxed about:srcdoc iframes do not inherit CSP directives</p>
- <p>CVE-2017-7789: Failure to enable HSTS when two STS headers are sent for a connection</p>
- <p>CVE-2017-7790: Windows crash reporter reads extra memory for some non-null-terminated registry values</p>
- <p>CVE-2017-7796: Windows updater can delete any file named update.log</p>
- <p>CVE-2017-7797: Response header name interning leaks across origins</p>
- <p>CVE-2017-7780: Memory safety bugs fixed in Firefox 55</p>
- <p>CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -2441,52 +2329,8 @@ Notes:
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html">
- <p>40 security fixes in this release, including:</p>
- <ul>
- <li>[728887] High CVE-2017-5091: Use after free in IndexedDB. Reported by
- Ned Williamson on 2017-06-02</li>
- <li>[733549] High CVE-2017-5092: Use after free un PPAPI. Reported by
- Yu Zhou, Yuan Deng of Ant-financial Light-Year Security Lab on 2017-06-15</li>
- <li>[550017] High CVE-2017-5093: UI spoofing in Blink. Reported by
- Luan Herrera on 2015-10-31</li>
- <li>[702946] High CVE-2017-5094: Type confusion in extensions. Reported by
- Anonymous on 2017-03-19</li>
- <li>[732661] High CVE-2017-5095: Out-of-bounds write in PDFium. Reported by
- Anonymous on 2017-06-13</li>
- <li>[714442] High CVE-2017-5096: User information leak via Android intents. Reported by
- Takeshi Terada on 2017-04-23</li>
- <li>[740789] High CVE-2017-5097: Out-of-bounds read in Skia. Reported by
- Anonymous on 2017-07-11</li>
- <li>[740803] High CVE-2017-5098: Use after free in V8. Reported by
- Jihoon Kim on 2017-07-11</li>
- <li>[733548] High CVE-2017-5099: Out-of-bounds write in PPAPI. Reported by
- Yuan Deng, Yu Zhou of Ant-financial Light-Year Security Lab on 2017-06-15</li>
- <li>[718292] Medium CVE-2017-5100: Use after free in Chrome Apps. Reported by
- Anonymous on 2017-05-04</li>
- <li>[681740] Medium CVE-2017-5101: URL spoofing in OmniBox. Reported by
- Luan Herrera on 2017-01-17</li>
- <li>[727678] Medium CVE-2017-5102: Uninitialized use in Skia. Reported by
- Anonymous on 2017-05-30</li>
- <li>[726199] Medium CVE-2017-5103: Uninitialized use in Skia. Reported by
- Anonymous on 2017-05-25</li>
- <li>[729105] Medium CVE-2017-5104: UI spoofing in browser. Reported by
- Khalil Zhani on 2017-06-02</li>
- <li>[742407] Medium CVE-2017-7000: Pointer disclosure in SQLite. Reported by
- Chaitin Security Research Lab working with Trend Micro's Zero Day Initiative</li>
- <li>[729979] Low CVE-2017-5105: URL spoofing in OmniBox. Reported by
- Rayyan Bijoora on 2017-06-06</li>
- <li>[714628] Medium CVE-2017-5106: URL spoofing in OmniBox. Reported by
- Jack Zac on 2017-04-24</li>
- <li>[686253] Low CVE-2017-5107: User information leak via SVG. Reported by
- David Kohlbrenner of UC San Diego on 2017-01-27</li>
- <li>[695830] Low CVE-2017-5108: Type of confusion in PDFium. Reported by
- Guang Gong of Alpha Team, Qihoo 360 on 2017-02-24</li>
- <li>[710400] Low CVE-2017-5109: UI spoofing in browser. Reported by
- Jose Maria Acunia Morgado on 2017-04-11</li>
- <li>[717476] Low CVE-2017-5110: UI spoofing in payments dialog. Reported by
- xisigr of Tencent's Xuanwu Lab on 2017-05-02</li>
- <li>[748565] Various fixes from internal audits, fuzzing and other initiatives</li>
- </ul>
+ <p>40 security fixes in this release</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -2698,60 +2542,19 @@ Notes:
<topic>GitLab -- Various security issues</topic>
<affects>
<package>
- <name>gitlab</name>
- <range><ge>8.0.0</ge><le>8.17.6</le></range>
+ <name>gitlab</name>
+ <range><ge>8.0.0</ge><le>8.17.6</le></range>
<range><ge>9.0.0</ge><le>9.0.10</le></range>
<range><ge>9.1.0</ge><le>9.1.7</le></range>
<range><ge>9.2.0</ge><le>9.2.7</le></range>
- <range><ge>9.3.0</ge><le>9.3.7</le></range>
+ <range><ge>9.3.0</ge><le>9.3.7</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GitLab reports:</p>
<blockquote cite="https://about.gitlab.com/2017/07/19/gitlab-9-dot-3-dot-8-released/">
- <h1>Projects in subgroups authorization bypass with SQL wildcards
- (CVE-2017-11438)</h1>
- <p>An internal code review disclosed that by choosing a namespace with
- underscores an authenticated user could take advantage of a badly written
- SQL query to add themselves to any project inside a subgroup with
- permissions of their choice.<br/>
- This vulnerability was caused by a SQL query that automatically adjusts
- project permissions but does not escape wildcards. This vulnerability was
- coincidentally patched when the affected code was rewritten for
- 9.3. Therefore, versions 9.3 and above are not vulnerable.<br/>
- <br/>
- This issue has been assigned CVE-2017-11438.<br/>
- <br/>
- Note: GitLab-CE+EE 8.17 is not vulnerable to this issue, however patches
- have been included to improve the security of the SQL queries in 8.17.7.</p>
- <h1>Symlink cleanup from a previous security release</h1>
- <p>The 9.2.5 security release contained a fix for a data corruption
- vulnerability involving file uploads. This fix utilized symlinks to migrate
- file uploads to a new directory. Due to a typo in the included migration a
- symlink was accidentally left behind after the migration finished. This
- symlink can cause problems with instance backups. A fix is included with
- these releases to remove the problematic symlink.</p>
- <h1>Accidental or malicious use of reserved names in group names could cause
- deletion of all snippet uploads</h1>
- <p>The 9.2.5 security release contained a fix for a data corruption
- vulnerability involving file uploads. After the release of 9.2.5 an internal
- code review determined that the recently introduced snippet file uploads
- feature was also vulnerable to file deletion. Snippet uploads have now been
- moved into the protected system namespace.</p>
- <h1>Project name leak on todos page</h1>
- <p>An internal code review discovered that forceful browsing could be
- utilized to disclose the names of private projects.</p>
- <h1>Denial of Service via regular expressions in CI process</h1>
- <p>Lukas Svoboda reported that regular expressions (regex) included with CI
- scripts could be utilized to perform a denial-of-service attack on GitLab
- instances. GitLab now uses the re2 Regex library to limit regex execution
- time.</p>
- <h1>Issue title leakage when external issue tracker is enabled</h1>
- <p>An internal code review determined that when an external issue tracker is
- configured it was possible to discover the titles of all issues in a given
- GitLab instance, including issues in private projects and confidential
- issues.</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -2814,45 +2617,7 @@ Notes:
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Oracle reports:</p>
<blockquote cite="http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixMSQL">
- <ul>
- <li>Reserved [CVE-2017-3629]</li>
- <li>A remote user can exploit a flaw in the Server: Memcached component to partially
- modify data and cause denial of service conditions [CVE-2017-3633].</li>
- <li>A remote authenticated user can exploit a flaw in the Server: DML component to
- cause denial of service conditions [CVE-2017-3634].</li>
- <li>A remote authenticated user can exploit a flaw in the Connector/C component to
- cause denial of service conditions [CVE-2017-3635].</li>
- <li>A remote authenticated user can exploit a flaw in the C API component to cause
- denial of service conditions [CVE-2017-3635].</li>
- <li>A local user can exploit a flaw in the Client programs component to partially
- access data, partially modify data, and partially deny service
- [CVE-2017-3636].</li>
- <li>A remote authenticated user can exploit a flaw in the Server: UDF component to
- cause denial of service conditions [CVE-2017-3529].</li>
- <li>A remote authenticated user can exploit a flaw in the X Plugin component to
- cause denial of service conditions [CVE-2017-3637].</li>
- <li>A remote authenticated user can exploit a flaw in the Server: DML component to
- cause denial of service conditions [CVE-2017-3639, CVE-2017-3640, CVE-2017-3641,
- CVE-2017-3643, CVE-2017-3644].</li>
- <li>A remote authenticated user can exploit a flaw in the Server: Optimizer
- component to cause denial of service conditions [CVE-2017-3638, CVE-2017-3642,
- CVE-2017-3645].</li>
- <li>A remote authenticated user can exploit a flaw in the X Plugin component to
- cause denial of service conditions [CVE-2017-3646].</li>
- <li>A remote authenticated user can exploit a flaw in the Server: Charsets component
- to cause denial of service conditions [CVE-2017-3648].</li>
- <li>A remote authenticated user can exploit a flaw in the Server: Replication
- component to cause denial of service conditions [CVE-2017-3647,
- CVE-2017-3649].</li>
- <li>A remote authenticated user can exploit a flaw in the Client mysqldump component
- to partially modify data [CVE-2017-3651].</li>
- <li>A remote authenticated user can exploit a flaw in the Server: DDL component to
- partially access and partially modify data [CVE-2017-3652].</li>
- <li>A remote user can exploit a flaw in the C API component to partially access data
- [CVE-2017-3650].</li>
- <li>A remote authenticated user can exploit a flaw in the Server: DDL component to
- partially modify data [CVE-2017-3653].</li>
- </ul>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -3455,46 +3220,7 @@ Notes:
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GitLab reports:</p>
<blockquote cite="https://about.gitlab.com/2017/06/07/gitlab-9-dot-2-dot-5-security-release/">
- <h1>Cross-Site Scripting (XSS) vulnerability when editing comments</h1>
- <p>A GitLab.com user reported that recent changes to Markdown rendering
- designed to improve performance by allowing comments to be rendered
- client-side opened a persistent Cross-Site Scripting (XSS) vulnerability
- when comments are edited and then re-saved. This vulnerability is difficult
- to exploit because a victim must be tricked into editing and then saving
- another user's comment.</p>
- <h1>API vulnerable to embedding in iFrames using Session Auth</h1>
- <p>A tip from a Twitter user led to an internal code audit that discovered a
- malicious website could embed a GitLab API URL inside an iFrame, possibly
- tricking a user into thinking that the website had access to the user's
- GitLab user information. This attack would not disclose the user's data to
- the malicious website, but it could cause confusion and the API has added an
- X-Frame-Options header to prevent content from the API being included in
- iFrames.</p>
- <h1>Accidental or malicious use of reserved names in group names could cause
- deletion of all project avatars</h1>
- <p>A GitLab.com user reported that creating a group named project and then
- renaming the group would cause all project avatars to be deleted. This was
- due to an improperly constructed path variable when renaming files. To help
- prevent this from happening again all avatar uploads have been moved from
- /public/uploads/(user|group|project) to
- /public/uploads/system/(user|group|project) and system has been made a
- reserved namespace. A migration included with this release will rename any
- existing top-level system namespace to be system0 (or system1, system2,
- etc.)</p>
- <h1>Unauthenticated disclosure of usernames in autocomplete controller</h1>
- <p>HackerOne reporter Evelyn Lee reported that usernames could be enumerated
- using the autocomplete/users.json endpoint without authenticating. This
- could allow an unauthenticated attacker to gather a list of all valid
- usernames from a GitLab instance.</p>
- <h1>Information leakage with references to private project snippets</h1>
- <p>GitLab.com user Patrick Fiedler reported that titles of private project
- snippets could leak when they were referenced in other issues, merge
- requests, or comments.</p>
- <h1>Elasticsearch does not implement external user checks correctly</h1>
- <p>An internal code review discovered that on instances with Elasticsearch
- enabled GitLab allowed external users to view internal project data. This
- could unintentionally expose sensitive information to external users. This
- vulnerability only affects EE installations with Elasticsearch enabled.</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -3824,68 +3550,7 @@ maliciously crafted GET request to the Horde server.</
<body xmlns="http://www.w3.org/1999/xhtml">
<p>BestPractical reports:</p>
<blockquote cite="http://lists.bestpractical.com/pipermail/rt-announce/2017-June/000297.html">
- <p>RT 4.0.0 and above are vulnerable to an information
- leak of cross-site request forgery (CSRF) verification
- tokens if a user visits a specific URL crafted by an
- attacker. This vulnerability is assigned CVE-2017-5943. It
- was discovered by a third-party security researcher.</p>
-
- <p>RT 4.0.0 and above are vulnerable to a cross-site
- scripting (XSS) attack if an attacker uploads a malicious
- file with a certain content type. Installations which use
- the AlwaysDownloadAttachments config setting are
- unaffected. This fix addresses all existant and future
- uploaded attachments. This vulnerability is assigned
- CVE-2016-6127. This was responsibly disclosed to us first
- by Scott Russo and the GE Application Security Assessment
- Team.</p>
-
- <p>One of RT's dependencies, a Perl module named
- Email::Address, has a denial of service vulnerability
- which could induce a denial of service of RT itself. We
- recommend administrators install Email::Address version
- 1.908 or above, though we additionally provide a new
- workaround within RT. Tss vulnerability was assigned
- CVE-2015-7686. This vulnerability's application to RT was
- brought to our attention by Pali Rohár.</p>
-
- <p>RT 4.0.0 and above are vulnerable to timing
- side-channel attacks for user passwords. By carefully
- measuring millions or billions of login attempts, an
- attacker could crack a user's password even over the
- internet. RT now uses a constant-time comparison algorithm
- for secrets to thwart such attacks. This vulnerability is
- assigned CVE-2017-5361. This was responsibly disclosed to
- us by Aaron Kondziela.</p>
-
- <p>RT's ExternalAuth feature is vulnerable to a similar
- timing side-channel attack. Both RT 4.0/4.2 with the
- widely-deployed RT::Authen::ExternalAuth extension, as
- well as the core ExternalAuth feature in RT 4.4 are
- vulnerable. Installations which don't use ExternalAuth, or
- which use ExternalAuth for LDAP/ActiveDirectory
- authentication, or which use ExternalAuth for cookie-based
- authentication, are unaffected. Only ExternalAuth in DBI
- (database) mode is vulnerable.</p>
-
- <p>RT 4.0.0 and above are potentially vulnerable to a
- remote code execution attack in the dashboard subscription
- interface. A privileged attacker can cause unexpected code
- to be executed through carefully-crafted saved search
- names. Though we have not been able to demonstrate an
- actual attack owing to other defenses in place, it could
- be possible. This fix addresses all existant and future
- saved searches. This vulnerability is assigned
- CVE-2017-5944. It was discovered by an internal security
- audit.</p>
-
- <p>RT 4.0.0 and above have misleading documentation which
- could reduce system security. The RestrictLoginReferrer
- config setting (which has security implications) was
- inconsistent with its implementation, which checked for a
- slightly different variable name. RT will now check for
- the incorrect name and produce an error message. This was
- responsibly disclosed to us by Alex Vandiver.</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -3975,29 +3640,7 @@ maliciously crafted GET request to the Horde server.</
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/">
- <p>CVE-2017-5472: Use-after-free using destroyed node when regenerating trees</p>
- <p>CVE-2017-7749: Use-after-free during docshell reloading</p>
- <p>CVE-2017-7750: Use-after-free with track elements</p>
- <p>CVE-2017-7751: Use-after-free with content viewer listeners</p>
- <p>CVE-2017-7752: Use-after-free with IME input</p>
- <p>CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object</p>
- <p>CVE-2017-7755: Privilege escalation through Firefox Installer with same directory DLL files</p>
- <p>CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors</p>
- <p>CVE-2017-7757: Use-after-free in IndexedDB</p>
- <p>CVE-2017-7778: Vulnerabilities in the Graphite 2 library</p>
- <p>CVE-2017-7758: Out-of-bounds read in Opus encoder</p>
- <p>CVE-2017-7759: Android intent URLs can cause navigation to local file system</p>
- <p>CVE-2017-7760: File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service</p>
- <p>CVE-2017-7761: File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application</p>
- <p>CVE-2017-7762: Addressbar spoofing in Reader mode</p>
- <p>CVE-2017-7763: Mac fonts render some unicode characters as spaces</p>
- <p>CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks</p>
- <p>CVE-2017-7765: Mark of the Web bypass when saving executable files</p>
- <p>CVE-2017-7766: File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service</p>
- <p>CVE-2017-7767: Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service</p>
- <p>CVE-2017-7768: 32 byte arbitrary file read through Mozilla Maintenance Service</p>
- <p>CVE-2017-5471: Memory safety bugs fixed in Firefox 54</p>
- <p>CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -4135,42 +3778,8 @@ maliciously crafted GET request to the Horde server.</
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop.html">
- <p>30 security fixes in this release, including:</p>
- <ul>
- <li>[722756] High CVE-2017-5070: Type confusion in V8. Reported by
- Zhao Qixun of Qihoo 360 Vulcan Team on 2017-05-16</li>
- <li>[715582] High CVE-2017-5071: Out of bounds read in V8. Reported by
- Choongwood Han on 2017-04-26</li>
- <li>[709417] High CVE-2017-5072: Address spoofing in Omnibox. Reported by
- Rayyan Bijoora on 2017-04-07</li>
- <li>[716474] High CVE-2017-5073: Use after free in print preview. Reported by
- Khalil Zhani on 2017-04-28</li>
- <li>[700040] High CVE-2017-5074: Use after free in Apps Bluetooth. Reported by
- anonymous on 2017-03-09</li>
- <li>[678776] Medium CVE-2017-5075: Information leak in CSP reporting. Reported by
- Emmanuel Gil Peyrot on 2017-01-05</li>
- <li>[722639] Medium CVE-2017-5086: Address spoofing in Omnibox. Reported by
- Rayyan Bijoora on 2017-05-16</li>
- <li>[719199] Medium CVE-2017-5076: Address spoofing in Omnibox. Reported by
- Samuel Erb on 2017-05-06</li>
- <li>[716311] Medium CVE-2017-5077: Heap buffer overflow in Skia. Reported by
- Sweetchip on 2017-04-28</li>
- <li>[711020] Medium CVE-2017-5078: Possible command injection in mailto handling.
- Reported by Jose Carlos Exposito Bueno on 2017-04-12</li>
- <li>[713686] Medium CVE-2017-5079: UI spoofing in Blink. Reported by
- Khalil Zhani on 2017-04-20</li>
- <li>[708819] Medium CVE-2017-5080: Use after free in credit card autofill.
- Reported by Khalil Zhani on 2017-04-05</li>
- <li>[672008] Medium CVE-2017-5081: Extension verification bypass. Reported by
- Andrey Kovalev of Yandex Security Team on 2016-12-07</li>
- <li>[721579] Low CVE-2017-5082: Insufficient hardening in credit card editor.
- Reported by Nightwatch Cybersecurity Research on 2017-05-11</li>
- <li>[714849] Low CVE-2017-5083: UI spoofing in Blink. Reported by
- Khalil Zhani on 2017-04-24</li>
- <li>[692378] Low CVE-2017-5085: Inappropriate javascript execution on WebUI pages.
- Reported by Zhiyang Zeng of Tencent security platform department on 2017-02-15</li>
- <li>[729639] Various fixes from internal audits, fuzzing and other initiatives</li>
- </ul>
+ <p>30 security fixes in this release</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -4831,57 +4440,7 @@ maliciously crafted GET request to the Horde server.</
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GitLab reports:</p>
<blockquote cite="https://about.gitlab.com/2017/05/08/gitlab-9-dot-1-dot-3-security-release/">
- <h1>Cross-Site Scripting (XSS) vulnerability in project import file names
- for gitlab_project import types</h1>
- <p>Timo Schmid from ERNW reported a persistent Cross-Site Scripting
- vulnerability in the new project import view for gitlab_project import
- types. This XSS vulnerability was caused by the use of Hamlit filters inside
- HAML views without manually escaping HTML. Unlike content outside of a
- filter, content inside Hamlit filters (:css, :javascript, :preserve, :plain)
- is not automatically escaped.</p>
- <h1>Cross-Site Scripting (XSS) vulnerability in git submodule support</h1>
- <p>Jobert Abma from HackerOne reported a persistent XSS vulnerability in the
- GitLab repository files view that could be exploited by injecting malicious
- script into a git submodule.</p>
- <h1>Cross-Site Scripting (XSS) vulnerability in repository "new branch"
- view</h1>
- <p>A GitLab user reported a persistent XSS vulnerability in the repository
- new branch view that allowed malicious branch names or git references to
- execute arbitrary Javascript.</p>
- <h1>Cross-Site Scripting (XSS) vulnerability in mirror errors display</h1>
- <p>While investigating Timo Schmid's previously reported XSS vulnerability
- in import filenames another persistent XSS vulnerability was discovered in
- the GitLab Enterprise Edition's (EE) mirror view. This vulnerability was
- also caused by the misuse of Hamlit filters.</p>
- <h1>Potential XSS vulnerability in DropLab</h1>
- <p>An internal code audit disclosed a vulnerability in DropLab's templating
- that, while not currently exploitable, could become exploitable depending on
- how the templates were used in the future.</p>
- <h1>Tab Nabbing vulnerabilities in mardown link filter, Asciidoc files, and
- other markup files</h1>
- <p>edio via HackerOne reported two tab nabbing vulnerabilities. The first
- tab nabbing vulnerability was caused by improper hostname filtering when
- identifying user-supplied external links. GitLab did not properly filter
- usernames from the URL. An attacker could construct a specially crafted link
- including a username to bypass GitLab's external link filter. This allowed
- an attacker to post links in Markdown that did not include the appropriate
- "noreferrer noopener" options, allowing tab nabbing attacks.</p>
- <p>The second vulnerability was in the AsciiDoctor markup
- library. AsciiDoctor was not properly including the "noreferrer noopener"
- options with external links. An internal investigation discovered other
- markup libraries that were also vulnerable.</p>
- <h1>Unauthorized disclosure of wiki pages in search</h1>
- <p>M. Hasbini reported a flaw in the project search feature that allowed
- authenticated users to disclose the contents of private wiki pages inside
- public projects.</p>
- <h1>External users can view internal snippets</h1>
- <p>Christian Kühn discovered a vulnerability in GitLab snippets that allowed
- an external user to view the contents of internal snippets.</p>
- <h1>Subgroup visibility for private subgroups under a public parent
- group</h1>
- <p>Matt Harrison discovered a vulnerability with subgroups that allowed
- private subgroup names to be disclosed when they belong to a parent group
- that is public.</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -5538,81 +5097,8 @@ maliciously crafted GET request to the Horde server.</
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-5225">
- <p>LibTIFF version 4.0.7 is vulnerable to a heap buffer
- overflow in the tools/tiffcp resulting in DoS or code
- execution via a crafted BitsPerSample value.</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7592">
- <p>The putagreytile function in tif_getimage.c in LibTIFF
- 4.0.7 has a left-shift undefined behavior issue, which
- might allow remote attackers to cause a denial of service
- (application crash) or possibly have unspecified other
- impact via a crafted image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7593">
- <p>tif_read.c in LibTIFF 4.0.7 does not ensure that
- tif_rawdata is properly initialized, which might allow
- remote attackers to obtain sensitive information from
- process memory via a crafted image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7594">
- <p>The OJPEGReadHeaderInfoSecTablesDcTable function in
- tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to
- cause a denial of service (memory leak) via a crafted
- image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7595">
- <p>The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF
- 4.0.7 allows remote attackers to cause a denial of service
- (divide-by-zero error and application crash) via a crafted
- image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7596">
- <p>LibTIFF 4.0.7 has an "outside the range of
- representable values of type float" undefined behavior
- issue, which might allow remote attackers to cause a
- denial of service (application crash) or possibly have
- unspecified other impact via a crafted image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7597">
- <p>tif_dirread.c in LibTIFF 4.0.7 has an "outside the
- range of representable values of type float" undefined
- behavior issue, which might allow remote attackers to
- cause a denial of service (application crash) or possibly
- have unspecified other impact via a crafted image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7598">
- <p>tif_dirread.c in LibTIFF 4.0.7 might allow remote
- attackers to cause a denial of service (divide-by-zero
- error and application crash) via a crafted image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7599">
- <p>LibTIFF 4.0.7 has an "outside the range of
- representable values of type short" undefined behavior
- issue, which might allow remote attackers to cause a
- denial of service (application crash) or possibly have
- unspecified other impact via a crafted image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7600">
- <p>LibTIFF 4.0.7 has an "outside the range of
- representable values of type unsigned char" undefined
- behavior issue, which might allow remote attackers to
- cause a denial of service (application crash) or possibly
- have unspecified other impact via a crafted image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7601">
- <p>LibTIFF 4.0.7 has a "shift exponent too large for
- 64-bit type long" undefined behavior issue, which might
- allow remote attackers to cause a denial of service
- (application crash) or possibly have unspecified other
- impact via a crafted image.</p>
- </blockquote>
- <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2017-7602">
- <p>LibTIFF 4.0.7 has a signed integer overflow, which
- might allow remote attackers to cause a denial of service
- (application crash) or possibly have unspecified other
- impact via a crafted image.</p>
- </blockquote>
</body>
</description>
<references>
@@ -5934,45 +5420,7 @@ maliciously crafted GET request to the Horde server.</
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/">
- <p>CVE-2017-5433: Use-after-free in SMIL animation functions</p>
- <p>CVE-2017-5435: Use-after-free during transaction processing in the editor</p>
- <p>CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2</p>
- <p>CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS</p>
- <p>CVE-2017-5459: Buffer overflow in WebGL</p>
- <p>CVE-2017-5466: Origin confusion when reloading isolated data:text/html URL</p>
- <p>CVE-2017-5434: Use-after-free during focus handling</p>
- <p>CVE-2017-5432: Use-after-free in text input selection</p>
- <p>CVE-2017-5460: Use-after-free in frame selection</p>
- <p>CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing</p>
- <p>CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing</p>
- <p>CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT processing</p>
- <p>CVE-2017-5441: Use-after-free with selection during scroll events</p>
- <p>CVE-2017-5442: Use-after-free during style changes</p>
- <p>CVE-2017-5464: Memory corruption with accessibility and DOM manipulation</p>
- <p>CVE-2017-5443: Out-of-bounds write during BinHex decoding</p>
- <p>CVE-2017-5444: Buffer overflow while parsing application/http-index-format content</p>
- <p>CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data</p>
- <p>CVE-2017-5447: Out-of-bounds read during glyph processing</p>
- <p>CVE-2017-5465: Out-of-bounds read in ConvolvePixel</p>
- <p>CVE-2017-5448: Out-of-bounds write in ClearKeyDecryptor</p>
- <p>CVE-2017-5437: Vulnerabilities in Libevent library</p>
- <p>CVE-2017-5454: Sandbox escape allowing file system read access through file picker</p>
- <p>CVE-2017-5455: Sandbox escape through internal feed reader APIs</p>
- <p>CVE-2017-5456: Sandbox escape allowing local file system access</p>
- <p>CVE-2017-5469: Potential Buffer overflow in flex-generated code</p>
- <p>CVE-2017-5445: Uninitialized values used while parsing application/http-index-format content</p>
- <p>CVE-2017-5449: Crash during bidirectional unicode manipulation with animation</p>
- <p>CVE-2017-5450: Addressbar spoofing using javascript: URI on Firefox for Android</p>
- <p>CVE-2017-5451: Addressbar spoofing with onblur event</p>
- <p>CVE-2017-5462: DRBG flaw in NSS</p>
- <p>CVE-2017-5463: Addressbar spoofing through reader view on Firefox for Android</p>
- <p>CVE-2017-5467: Memory corruption when drawing Skia content</p>
- <p>CVE-2017-5452: Addressbar spoofing during scrolling with editable content on Firefox for Android</p>
- <p>CVE-2017-5453: HTML injection into RSS Reader feed preview page through TITLE element</p>
- <p>CVE-2017-5458: Drag and drop of javascript: URLs can allow for self-XSS</p>
- <p>CVE-2017-5468: Incorrect ownership model for Private Browsing information</p>
- <p>CVE-2017-5430: Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1</p>
- <p>CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -6984,46 +6432,8 @@ maliciously crafted GET request to the Horde server.</
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html">
- <p>36 security fixes in this release, including:</p>
- <ul>
- <li>[682194] High CVE-2017-5030: Memory corruption in V8. Credit to
- Brendon Tiszka</li>
- <li>[682020] High CVE-2017-5031: Use after free in ANGLE. Credit to
- Looben Yang</li>
- <li>[668724] High CVE-2017-5032: Out of bounds write in PDFium. Credit to
- Ashfaq Ansari - Project Srishti</li>
- <li>[676623] High CVE-2017-5029: Integer overflow in libxslt. Credit to
- Holger Fuhrmannek</li>
- <li>[678461] High CVE-2017-5034: Use after free in PDFium. Credit to
- Ke Liu of Tencent's Xuanwu Lab</li>
- <li>[688425] High CVE-2017-5035: Incorrect security UI in Omnibox. Credit to
- Enzo Aguado</li>
- <li>[691371] High CVE-2017-5036: Use after free in PDFium. Credit to
- Anonymous</li>
- <li>[679640] High CVE-2017-5037: Multiple out of bounds writes in ChunkDemuxer.
- Credit to Yongke Wang of Tecent's Xuanwu Lab</li>
- <li>[679649] High CVE-2017-5039: Use after free in PDFium. Credit to
- jinmo123</li>
- <li>[691323] Medium CVE-2017-5040: Information disclosure in V8. Credit to
- Choongwoo Han</li>
- <li>[642490] Medium CVE-2017-5041: Address spoofing in Omnibox. Credit to
- Jordi Chancel</li>
- <li>[669086] Medium CVE-2017-5033: Bypass of Content Security Policy in Blink.
- Credit to Nicolai Grodum</li>
- <li>[671932] Medium CVE-2017-5042: Incorrect handling of cookies in Cast.
- Credit to Mike Ruddy</li>
- <li>[695476] Medium CVE-2017-5038: Use after free in GuestView. Credit to
- Anonymous</li>
- <li>[683523] Medium CVE-2017-5043: Use after free in GuestView. Credit to
- Anonymous</li>
- <li>[688987] Medium CVE-2017-5044: Heap overflow in Skia. Credit to
- Kushal Arvind Shah of Fortinet's FortiGuard Labs</li>
- <li>[667079] Medium CVE-2017-5045: Information disclosure in XSS Auditor.
- Credit to Dhaval Kapil</li>
- <li>[680409] Medium CVE-2017-5046: Information disclosure in Blink. Credit to
- Masato Kinugawa</li>
- <li>[699618] Various fixes from internal audits, fuzzing and other initiatives</li>
- </ul>
+ <p>36 security fixes in this release</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -7257,34 +6667,7 @@ maliciously crafted GET request to the Horde server.</
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/">
- <p>CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP</p>
- <p>CVE-2017-5401: Memory Corruption when handling ErrorResult</p>
- <p>CVE-2017-5402: Use-after-free working with events in FontFace objects</p>
- <p>CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object</p>
- <p>CVE-2017-5404: Use-after-free working with ranges in selections</p>
- <p>CVE-2017-5406: Segmentation fault in Skia with canvas operations</p>
- <p>CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters</p>
- <p>CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping</p>
- <p>CVE-2017-5411: Use-after-free in Buffer Storage in libGLES</p>
- <p>CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service</p>
- <p>CVE-2017-5408: Cross-origin reading of video captions in violation of CORS</p>
- <p>CVE-2017-5412: Buffer overflow read in SVG filters</p>
- <p>CVE-2017-5413: Segmentation fault during bidirectional operations</p>
- <p>CVE-2017-5414: File picker can choose incorrect default directory</p>
- <p>CVE-2017-5415: Addressbar spoofing through blob URL</p>
- <p>CVE-2017-5416: Null dereference crash in HttpChannel</p>
- <p>CVE-2017-5417: Addressbar spoofing by draging and dropping URLs</p>
- <p>CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access</p>
- <p>CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running</p>
- <p>CVE-2017-5427: Non-existent chrome.manifest file loaded during startup</p>
- <p>CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses</p>
- <p>CVE-2017-5419: Repeated authentication prompts lead to DOS attack</p>
- <p>CVE-2017-5420: Javascript: URLs can obfuscate addressbar location</p>
- <p>CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports</p>
- <p>CVE-2017-5421: Print preview spoofing</p>
- <p>CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink</p>
- <p>CVE-2017-5399: Memory safety bugs fixed in Firefox 52</p>
- <p>CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -8059,43 +7442,7 @@ maliciously crafted GET request to the Horde server.</
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01">
- <h1>Description</h1>
- <h5>SECURITY-304 / CVE-2017-2598</h5>
- <p>Use of AES ECB block cipher mode without IV for encrypting secrets</p>
- <h5>SECURITY-321 / CVE-2017-2599</h5>
- <p>Items could be created with same name as existing item</p>
- <h5>SECURITY-343 / CVE-2017-2600</h5>
- <p>Node monitor data could be viewed by low privilege users</p>
- <h5>SECURITY-349 / CVE-2011-4969</h5>
- <p>Possible cross-site scripting vulnerability in jQuery bundled with timeline widget</p>
- <h5>SECURITY-353 / CVE-2017-2601</h5>
- <p>Persisted cross-site scripting vulnerability in parameter names and descriptions</p>
- <h5>SECURITY-354 / CVE-2015-0886</h5>
- <p>Outdated jbcrypt version bundled with Jenkins</p>
- <h5>SECURITY-358 / CVE-2017-2602</h5>
- <p>Pipeline metadata files not blacklisted in agent-to-master security subsystem</p>
- <h5>SECURITY-362 / CVE-2017-2603</h5>
- <p>User data leak in disconnected agents' config.xml API</p>
- <h5>SECURITY-371 / CVE-2017-2604</h5>
- <p>Low privilege users were able to act on administrative monitors</p>
- <h5>SECURITY-376 / CVE-2017-2605</h5>
- <p>Re-key admin monitor leaves behind unencrypted credentials in upgraded installations</p>
- <h5>SECURITY-380 / CVE-2017-2606</h5>
- <p>Internal API allowed access to item names that should not be visible</p>
- <h5>SECURITY-382 / CVE-2017-2607</h5>
- <p>Persisted cross-site scripting vulnerability in console notes</p>
- <h5>SECURITY-383 / CVE-2017-2608</h5>
- <p>XStream remote code execution vulnerability</p>
- <h5>SECURITY-385 / CVE-2017-2609</h5>
- <p>Information disclosure vulnerability in search suggestions</p>
- <h5>SECURITY-388 / CVE-2017-2610</h5>
- <p>Persisted cross-site scripting vulnerability in search suggestions</p>
- <h5>SECURITY-389 / CVE-2017-2611</h5>
- <p>Insufficient permission check for periodic processes</p>
- <h5>SECURITY-392 / CVE-2017-2612</h5>
- <p>Low privilege users were able to override JDK download credentials</p>
- <h5>SECURITY-406 / CVE-2017-2613</h5>
- <p>User creation CSRF using GET by admins</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -8217,51 +7564,8 @@ maliciously crafted GET request to the Horde server.</
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html">
- <p>51 security fixes in this release, including:</p>
- <ul>
- <li>[671102] High CVE-2017-5007: Universal XSS in Blink. Credit to
- Mariusz Mlynski</li>
- <li>[673170] High CVE-2017-5006: Universal XSS in Blink. Credit to
- Mariusz Mlynski</li>
- <li>[668552] High CVE-2017-5008: Universal XSS in Blink. Credit to
- Mariusz Mlynski</li>
- <li>[663476] High CVE-2017-5010: Universal XSS in Blink. Credit to
- Mariusz Mlynski</li>
- <li>[662859] High CVE-2017-5011: Unauthorised file access in Devtools.
- Credit to Khalil Zhani</li>
- <li>[667504] High CVE-2017-5009: Out of bounds memory access in WebRTC.
- Credit to Sean Stanek and Chip Bradford</li>
- <li>[681843] High CVE-2017-5012: Heap overflow in V8. Credit to
- Gergely Nagy (Tresorit)</li>
- <li>[677716] Medium CVE-2017-5013: Address spoofing in Omnibox.
- Credit to Haosheng Wang (@gnehsoah)</li>
- <li>[675332] Medium CVE-2017-5014: Heap overflow in Skia. Credit to
- sweetchip</li>
- <li>[673971] Medium CVE-2017-5015: Address spoofing in Omnibox.
- Credit to Armin Razmdjou</li>
- <li>[666714] Medium CVE-2017-5019: Use after free in Renderer.
- Credit to Wadih Matar</li>
- <li>[673163] Medium CVE-2017-5016: UI spoofing in Blink. Credit to
- Haosheng Wang (@gnehsoah)</li>
- <li>[676975] Medium CVE-2017-5017: Uninitialised memory access in webm video.
- Credit to danberm</li>
- <li>[668665] Medium CVE-2017-5018: Universal XSS in chrome://apps.
- Credit to Rob Wu</li>
- <li>[668653] Medium CVE-2017-5020: Universal XSS in chrome://downloads.
- Credit to Rob Wu</li>
- <li>[663726] Low CVE-2017-5021: Use after free in Extensions. Credit to
- Rob Wu</li>
- <li>[663620] Low CVE-2017-5022: Bypass of Content Security Policy in Blink.
- Credit to Pujun Li of PKAV Team</li>
- <li>[651443] Low CVE-2017-5023: Type confunsion in metrics. Credit to the
- UK's National Cyber Security Centre (NCSC)</li>
- <li>[643951] Low CVE-2017-5024: Heap overflow in FFmpeg. Credit to
- Paul Mehta</li>
- <li>[643950] Low CVE-2017-5025: Heap overflow in FFmpeg. Credit to
- Paul Mehta</li>
- <li>[634108] Low CVE-2017-5026: UI spoofing. Credit to Ronni Skansing</li>
- <li>[685349] Various fixes from internal audits, fuzzing and other initiatives</li>
- </ul>
+ <p>51 security fixes in this release</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -8325,38 +7629,10 @@ maliciously crafted GET request to the Horde server.</
<p>The OpenSSL project reports:</p>
<blockquote cite="https://www.openssl.org/news/secadv/20170126.txt">
<ul>
- <li>Truncated packet could crash via OOB read (CVE-2017-3731)<br/>
- Severity: Moderate<br/>
- If an SSL/TLS server or client is running on a 32-bit host, and a specific
- cipher is being used, then a truncated packet can cause that server or client
- to perform an out-of-bounds read, usually resulting in a crash.</li>
- <li>Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)<br/>
- Severity: Moderate<br/>
- If a malicious server supplies bad parameters for a DHE or ECDHE key exchange
- then this can result in the client attempting to dereference a NULL pointer
- leading to a client crash. This could be exploited in a Denial of Service
- attack.</li>
- <li>BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)<br/>
- Severity: Moderate<br/>
- There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
- EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
- as a result of this defect would be very difficult to perform and are not
- believed likely. Attacks against DH are considered just feasible (although very
- difficult) because most of the work necessary to deduce information
- about a private key may be performed offline. The amount of resources
- required for such an attack would be very significant and likely only
- accessible to a limited number of attackers. An attacker would
- additionally need online access to an unpatched system using the target
- private key in a scenario with persistent DH parameters and a private
- key that is shared between multiple clients. For example this can occur by
- default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
- similar to CVE-2015-3193 but must be treated as a separate problem.</li>
- <li>Montgomery multiplication may produce incorrect results (CVE-2016-7055)<br/>
- Severity: Low<br/>
- There is a carry propagating bug in the Broadwell-specific Montgomery
- multiplication procedure that handles input lengths divisible by, but
- longer than 256 bits. (OpenSSL 1.0.2 only)<br/>
- This issue was previously fixed in 1.1.0c</li>
+ <li>Truncated packet could crash via OOB read (CVE-2017-3731)</li>
+ <li>Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)</li>
+ <li>BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)</li>
+ <li>Montgomery multiplication may produce incorrect results (CVE-2016-7055)</li>
</ul>
</blockquote>
</body>
@@ -8407,30 +7683,7 @@ maliciously crafted GET request to the Horde server.</
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/">
- <p>CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7</p>
- <p>CVE-2017-5374: Memory safety bugs fixed in Firefox 51</p>
- <p>CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP</p>
- <p>CVE-2017-5376: Use-after-free in XSL</p>
- <p>CVE-2017-5377: Memory corruption with transforms to create gradients in Skia</p>
- <p>CVE-2017-5378: Pointer and frame data leakage of Javascript objects</p>
- <p>CVE-2017-5379: Use-after-free in Web Animations</p>
- <p>CVE-2017-5380: Potential use-after-free during DOM manipulations</p>
- <p>CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations</p>
- <p>CVE-2017-5382: Feed preview can expose privileged content errors and exceptions</p>
- <p>CVE-2017-5383: Location bar spoofing with unicode characters</p>
- <p>CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)</p>
- <p>CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers</p>
- <p>CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions</p>
- <p>CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages</p>
- <p>CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks</p>
- <p>CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests</p>
- <p>CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer</p>
- <p>CVE-2017-5391: Content about: pages can load privileged about: pages</p>
- <p>CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage</p>
- <p>CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager</p>
- <p>CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events</p>
- <p>CVE-2017-5395: Android location bar spoofing during scrolling</p>
- <p>CVE-2017-5396: Use-after-free with Media Decoder</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
@@ -8480,69 +7733,25 @@ maliciously crafted GET request to the Horde server.</
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-1/">
- <h3>Summary</h3>
<p>Open redirect</p>
- <h3>Description</h3>
- <p>It was possible to trick phpMyAdmin to redirect to
- insecure using special request path.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be non critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-2/">
- <h3>Summary</h3>
<p>php-gettext code execution</p>
- <h3>Description</h3>
- <p>The php-gettext library can suffer to code
- execution. However there is no way to trigger this inside
- phpMyAdmin.</p>
- <h3>Severity</h3>
- <p>We consider this to be minor.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-3/">
- <h3>Summary</h3>
<p>DOS vulnerability in table editing</p>
- <h3>Description</h3>
- <p>It was possible to trigger recursive include operation by
- crafted parameters when editing table data.</p>
- <h3>Severity</h3>
- <p>We consider this to be non critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2017-4/">
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
More information about the svn-ports-head
mailing list