Index: head/security/vuxml/vuln.xml =================================================================== --- head/security/vuxml/vuln.xml (revision 567026) +++ head/security/vuxml/vuln.xml (revision 567027) @@ -1,2069 +1,2122 @@ ]> + + salt -- multiple vulnerabilities + + + py36-salt-2019 + py37-salt-2019 + py38-salt-2019 + py36-salt + py37-salt + py38-salt + py39-salt + 2019.2.8 + 30003002.5 + + + + +

SaltStack reports multiple security vulnerabilities in Salt

+
+
    +
  • CVE-2021-3197: The Salt-API.s SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.
  • +
  • CVE-2021-25281: The Salt-API does not have eAuth credentials for the wheel_async client.
  • +
  • CVE-2021-25282: The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.
  • +
  • CVE-2021-25283: The jinja renderer does not protect against server-side template injection attacks.
  • +
  • CVE-2021-25284: webutils write passwords in cleartext to /var/log/salt/minion
  • +
  • CVE-2021-3148: command injection in salt.utils.thin.gen_thin()
  • +
  • CVE-2020-35662: Several places where Salt was not verifying the SSL cert by default.
  • +
  • CVE-2021-3144: eauth Token can be used once after expiration.
  • +
  • CVE-2020-28972: Code base not validating SSL/TLS certificate of the server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack
  • +
  • CVE-2020-28243: Local Privilege Escalation in the Minion.
  • +
+
+ +
+ + "https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/" + CVE-2021-3197 + CVE-2021-25281 + CVE-2021-25282 + CVE-2021-25283 + CVE-2021-25284 + CVE-2021-3148 + CVE-2020-35662 + CVE-2021-3144 + CVE-2020-28972 + CVE-2020-28243 + + + 2021-02-25 + 2021-03-03 + +
+ vault -- unauthenticated license read vault 1.6.3

vault developers report:

Limited Unauthenticated License Read: We addressed a security vulnerability that allowed for the unauthenticated reading of Vault licenses from DR Secondaries.

CVE-2021-27668 https://github.com/hashicorp/vault/releases/tag/v1.6.3 2021-02-26 2021-02-27
FreeBSD -- jail_remove(2) fails to kill all jailed processes FreeBSD-kernel 12.212.2_4 11.411.4_8

Problem Description:

Due to a race condition in the jail_remove(2) implementation, it may fail to kill some of the processes.

Impact:

A process running inside a jail can avoid being killed during jail termination. If a jail is subsequently started with the same root path, a lingering jailed process may be able to exploit the window during which a devfs filesystem is mounted but the jail's devfs ruleset has not been applied, to access device nodes which are ordinarily inaccessible. If the process is privileged, it may be able to escape the jail and gain full access to the system.

CVE-2020-25581 SA-21:04.jail_remove 2021-02-24 2021-02-25
FreeBSD -- Xen grant mapping error handling issues FreeBSD-kernel 12.212.2_4 11.411.4_8

Problem Description:

Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation.

Unfortunately, when running in HVM/PVH mode, the FreeBSD backend drivers mishandle this: Some errors are ignored, effectively implying their success from the success of related batch elements. In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones to not be possible to properly unmap upon error recovery.

Impact:

A malicious or buggy frontend driver may be able to cause resource leaks in the domain running the corresponding backend driver.

CVE-2021-26932 SA-21:06.xen 2021-02-24 2021-02-25
FreeBSD -- jail_attach(2) relies on the caller to change the cwd FreeBSD-kernel 12.212.2_4 11.411.4_8

Problem Description:

When a process, such as jexec(8) or killall(1), calls jail_attach(2) to enter a jail, the jailed root can attach to it using ptrace(2) before the current working directory is changed.

Impact:

A process with superuser privileges running inside a jail could change the root directory outside of the jail, thereby gaining full read and writing access to all files and directories in the system.

CVE-2020-25582 SA-21:05.jail_chdir 2021-02-24 2021-02-25
FreeBSD -- login.access fails to apply rules FreeBSD 12.212.2_4 11.411.4_8

Problem Description:

A regression in the login.access(5) rule processor has the effect of causing rules to fail to match even when they should not. This means that rules denying access may be ignored.

Impact:

The configuration in login.access(5) may not be applied, permitting login access to users even when the system is configured to deny it.

CVE-2020-25580 SA-21:03.pam_login_access 2021-02-24 2021-02-25
redis -- Integer overflow on 32-bit systems redis-devel 6.2.0 redis 6.0.11 redis5 5.0.11

Redis Development team reports:

Redis 4.0 or newer uses a configurable limit for the maximum supported bulk input size. By default, it is 512MB which is a safe value for all platforms. If the limit is significantly increased, receiving a large request from a client may trigger several integer overflow scenarios, which would result with buffer overflow and heap corruption.

CVE-2021-21309 2021-02-22 2021-02-23
zeek -- Remote crash vulnerability zeek 3.0.13

Jon Siwek of Corelight reports:

Fix ASCII Input reader's treatment of input files containing null-bytes. An input file containing null-bytes could lead to a buffer-over-read, crash Zeek, and be exploited to cause Denial of Service.

https://github.com/zeek/zeek/releases/tag/v3.0.13 2021-02-10 2021-02-22
raptor2 -- malformed input file can lead to a segfault raptor2 2.0.15_17

Redland Issue Tracker reports:

due to an out of bounds array access in raptor_xml_writer_start_element_common.

https://bugs.librdf.org/mantis/view.php?id=650 2020-11-24 2021-02-20
jenkins -- Privilege escalation vulnerability in bundled Spring Security library jenkins 2.280

Jenkins Security Advisory:

Description

(high) SECURITY-2195 / CVE-2021-22112

Privilege escalation vulnerability in bundled Spring Security library

https://www.jenkins.io/security/advisory/2021-02-19/ 2021-02-19 2021-02-20
asterisk -- Remote Crash Vulnerability in PJSIP channel driver asterisk13 13.38.2 asterisk16 16.16.1 asterisk18 18.2.1

The Asterisk project reports:

Given a scenario where an outgoing call is placed from Asterisk to a remote SIP server it is possible for a crash to occur.

CVE-2021-26906 https://downloads.asterisk.org/pub/security/AST-2021-005.html 2021-02-08 2021-02-18
asterisk -- An unsuspecting user could crash Asterisk with multiple hold/unhold requests asterisk16 16.16.016.16.1 asterisk18 18.2.018.2.1

The Asterisk project reports:

Due to a signedness comparison mismatch, an authenticated WebRTC client could cause a stack overflow and Asterisk crash by sending multiple hold/unhold requests in quick succession.

CVE-2021-26714 https://downloads.asterisk.org/pub/security/AST-2021-004.html 2021-02-11 2021-02-18
asterisk -- Remote attacker could prematurely tear down SRTP calls asterisk13 13.38.113.38.2 asterisk16 16.16.016.16.1 asterisk18 18.2.018.2.1

The Asterisk project reports:

An unauthenticated remote attacker could replay SRTP packets which could cause an Asterisk instance configured without strict RTP validation to tear down calls prematurely.

CVE-2021-26712 https://downloads.asterisk.org/pub/security/AST-2021-003.html 2021-02-18 2021-02-18
asterisk -- Remote crash possible when negotiating T.38 asterisk16 16.15.016.16.1 asterisk18 18.1.018.2.1

The Asterisk project reports:

When re-negotiating for T.38 if the initial remote response was delayed just enough Asterisk would send both audio and T.38 in the SDP. If this happened, and the remote responded with a declined T.38 stream then Asterisk would crash.

CVE-2021-26717 https://downloads.asterisk.org/pub/security/AST-2021-002.html 2021-02-05 2021-02-18
asterisk -- Remote crash in res_pjsip_diversion asterisk13 13.38.113.38.2 asterisk16 16.15.116.16.1 asterisk18 18.1.118.2.1

The Asterisk project reports:

If a registered user is tricked into dialing a malicious number that sends lots of 181 responses to Asterisk, each one will cause a 181 to be sent back to the original caller with an increasing number of entries in the "Supported" header. Eventually the number of entries in the header exceeds the size of the entry array and causes a crash.

CVE-2020-35776 https://downloads.asterisk.org/pub/security/AST-2021-001.html 2021-01-04 2021-02-18
Rails -- multiple vulnerabilities rubygem-activerecord52 5.2.4.5 rubygem-actionpack60 rubygem-activerecord60 6.0.3.5 rubygem-actionpack61 rubygem-activerecord61 6.1.2.1

Ruby on Rails blog:

Rails version 5.2.4.5, 6.0.3.5 and 6.1.2.1 have been released! Those version are security releases and addresses two issues:

CVE-2021-22880: Possible DoS Vulnerability in Active Record PostgreSQL adapter.

CVE-2021-22881: Possible Open Redirect in Host Authorization Middleware.

https://weblog.rubyonrails.org/2021/2/10/Rails-5-2-4-5-6-0-3-5-and-6-1-2-1-have-been-released/ https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129 https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130 CVE-2021-22880 CVE-2021-22881 2021-02-10 2021-02-17
chromium -- multiple vulnerabilities chromium 88.0.4324.182

Chrome Releases reports:

This release contains 10 security fixes, including:

  • [1138143] High CVE-2021-21149: Stack overflow in Data Transfer. Reported by Ryoya Tsukasaki on 2020-10-14
  • [1172192] High CVE-2021-21150: Use after free in Downloads. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2021-01-29
  • [1165624] High CVE-2021-21151: Use after free in Payments. Reported by Khalil Zhani on 2021-01-12
  • [1166504] High CVE-2021-21152: Heap buffer overflow in Media. Reported by Anonymous on 2021-01-14
  • [1155974] High CVE-2021-21153: Stack overflow in GPU Process. Reported by Jan Ruge of ERNW GmbH on 2020-12-06
  • [1173269] High CVE-2021-21154: Heap buffer overflow in Tab Strip. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-01
  • [1175500] High CVE-2021-21155: Heap buffer overflow in Tab Strip. Reported by Khalil Zhani on 2021-02-07
  • [1177341] High CVE-2021-21156: Heap buffer overflow in V8. Reported by Sergei Glazunov of Google Project Zero on 2021-02-11
  • [1170657] Medium CVE-2021-21157: Use after free in Web Sockets. Reported by Anonymous on 2021-01-26
CVE-2021-21149 CVE-2021-21150 CVE-2021-21151 CVE-2021-21152 CVE-2021-21153 CVE-2021-21154 CVE-2021-21155 CVE-2021-21156 CVE-2021-21157 https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_16.html 2021-02-16 2021-02-17
OpenSSL -- Multiple vulnerabilities openssl 1.1.1j,1 openssl-devel 3.0.0a12

The OpenSSL project reports:

Null pointer deref in X509_issuer_and_serial_hash() CVE-2021-23841
(Moderate) The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack.

Integer overflow in CipherUpdate CVE-2021-23840
(Low) Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.

https://www.openssl.org/news/secadv/20210216.txt CVE-2021-23841 CVE-2021-23840 CVE-2021-23839 2021-02-16 2021-02-16 2021-02-18
openexr, ilmbase -- security fixes related to reading corrupted input files ilmbase 2.5.5 openexr 2.5.5

Cary Phillips reports:

Patch release with various bug/sanitizer/security fixes, primarily related to reading corrupted input files[...].

https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.5.5 2021-02-12 2021-02-12
Gitlab -- Multiple Vulnerabilities gitlab-ce 13.8.013.8.4 13.7.013.7.7 10.513.6.7

Gitlab reports:

Improper Certificate Validation for Fortinet OTP

Denial of Service Attack on gitlab-shell

Resource exhaustion due to pending jobs

Confidential issue titles were exposed

Improper access control allowed demoted project members to access authored merge requests

Improper access control allowed unauthorized users to access analytic pages

Unauthenticated CI lint API may lead to information disclosure and SSRF

Prometheus integration in Gitlab may lead to SSRF

https://about.gitlab.com/releases/2021/02/11/security-release-gitlab-13-8-4-released/ 2021-02-11 2021-02-12
oauth2-proxy -- domain whitelist could be used as redirect oauth2-proxy 7.0.0

SO-AND-SO reports:

In OAuth2 Proxy before version 7.0.0, for users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect.

https://nvd.nist.gov/vuln/detail/CVE-2021-21291 2021-02-02 2021-02-12
mod_dav_svn -- server crash mod_dav_svn 1.9.01.10.6 1.11.01.14.0

Subversion project reports:

Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL.

https://subversion.apache.org/security/CVE-2020-17525-advisory.txt 2021-01-29 2021-02-10
gitea -- multiple vulnerabilities gitea 1.13.2

The Gitea Team reports for release 1.13.2:

  • Prevent panic on fuzzer provided string
  • Add secure/httpOnly attributes to the lang cookie
https://github.com/go-gitea/gitea/releases/tag/v1.13.2 ports/253295 2021-01-07 2021-02-06
chromium -- heap buffer overflow in V8 chromium 88.0.4324.150

Chrome Releases reports:

[1170176] High CVE-2021-21148: Heap buffer overflow in V8. Reported by Mattias Buelens on 2021-01-24. Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild.

CVE-2021-21148 https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html 2021-02-04 2021-02-05
www/chromium -- multiple vulnerabilities chromium 88.0.4324.146

Chrome Releases reports:

This update include 6 security fixes:

  • 1169317] Critical CVE-2021-21142: Use after free in Payments. Reported by Khalil Zhani on 2021-01-21
  • [1163504] High CVE-2021-21143: Heap buffer overflow in Extensions. Reported by Allen Parker and Alex Morgan of MU on 2021-01-06
  • [1163845] High CVE-2021-21144: Heap buffer overflow in Tab Groups. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-01-07
  • [1154965] High CVE-2021-21145: Use after free in Fonts. Reported by Anonymous on 2020-12-03
  • [1161705] High CVE-2021-21146: Use after free in Navigation. Reported by Alison Huffman and Choongwoo Han of Microsoft Browser Vulnerability Research on 2020-12-24
  • [1162942] Medium CVE-2021-21147: Inappropriate implementation in Skia. Reported by Roman Starkov on 2021-01-04
CVE-2021-21142 CVE-2021-21143 CVE-2021-21144 CVE-2021-21145 CVE-2021-21146 CVE-2021-21147 https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop.html 2021-02-02 2021-02-03
Gitlab -- Multiple vulnerabilities gitlab-ce 13.8.013.8.2 13.7.013.7.6 11.813.6.6

Gitlab reports:

Stored XSS in merge request

Stored XSS in epic's pages

Sensitive GraphQL variables exposed in structured log

Guest user can see tag names in private projects

Information disclosure via error message

DNS rebinding protection bypass

Validate existence of private project

https://about.gitlab.com/blog/2021/02/01/security-release-gitlab-13-8-2-released/ CVE-2021-22172 CVE-2021-22169 2021-02-01 2021-02-02
minio -- Server Side Request Forgery minio 2021.01.30.00.20.58

Minio developers report:

Thanks to @phith0n from our community upon a code review, discovered an SSRF (Server Side Request Forgery) in our Browser API implementation. We have not observed this report/attack in the wild or reported elsewhere in the community at large.

All users are advised to upgrade ASAP.

The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.).

In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed.

https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q 2021-01-29 2021-01-31
FreeBSD -- Xen guests can triger backend Out Of Memory FreeBSD-kernel 12.212.2_3 12.112.1_13 11.411.4_7

Problem Description:

Some OSes (including Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued.

As the queue is unbound, a guest may be able to trigger a OOM in the backend.

CVE-2020-29568 SA-21:02.xenoom 2021-01-29 2021-01-29
FreeBSD -- Uninitialized kernel stack leaks in several file systems FreeBSD-kernel 12.212.2_3 12.112.1_13 11.411.4_7

Problem Description:

Several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems. This problem is not present in FreeBSD 11.

Additionally, msdosfs(5) was failing to zero-fill a pair of padding fields in the dirent structure, resulting in a leak of three uninitialized bytes.

Impact:

Kernel stack disclosures may leak sensitive information which could be used to compromise the security of the system.

CVE-2020-25578 CVE-2020-25579 SA-21:01.fsdisclosure 2021-01-29 2021-01-29
pngcheck -- Buffer-overrun vulnerability pngcheck 3.0.1

The libpng project reports:

pngcheck versions 3.0.0 and earlier have a pair of buffer-overrun bugs related to the sPLT and PPLT chunks (the latter is a MNG-only chunk, but it gets noticed even in PNG files if the -s option is used). Both bugs are fixed in version 3.0.1, released on 24 January 2021. Again, while all known vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk.

http://www.libpng.org/pub/png/apps/pngcheck.html 2021-01-24 2021-01-28
sudo -- Multiple vulnerabilities sudo 1.9.5p2

Todd C. Miller reports:

When invoked as sudoedit, the same set of command line options are now accepted as for sudo -e. The -H and -P options are now rejected for sudoedit and sudo -e which matches the sudo 1.7 behavior. This is part of the fix for CVE-2021-3156.

Fixed a potential buffer overflow when unescaping backslashes in the command's arguments. Normally, sudo escapes special characters when running a command via a shell (sudo -s or sudo -i). However, it was also possible to run sudoedit with the -s or -i flags in which case no escaping had actually been done, making a buffer overflow possible. This fixes CVE-2021-3156.

https://www.sudo.ws/stable.html#1.9.5p2 CVE-2021-3156 2021-01-26 2021-01-26
pysaml2 -- multiple vulnerabilities py36-pysaml2 py37-pysaml2 py38-pysaml2 py39-pysaml2 6.5.0

pysaml2 Releases:

Fix processing of invalid SAML XML documents - CVE-2021-21238

Fix unspecified xmlsec1 key-type preference - CVE-2021-21239

https://github.com/IdentityPython/pysaml2/releases https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-f4g9-h89h-jgv9 https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-5p3x-r448-pc62 CVE-2021-21238 CVE-2021-21239 2021-01-20 2021-01-26
jenkins -- Arbitrary file read vulnerability in workspace browsers jenkins 2.276 jenkins-lts 2.263.3

Jenkins Security Advisory:

Description

(Medium) SECURITY-2197 / CVE-2021-21615

Arbitrary file read vulnerability in workspace browsers

https://www.jenkins.io/security/advisory/2021-01-26/ 2021-01-26 2021-01-26
mutt -- denial of service mutt 2.0.5

Tavis Ormandy reports:

rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups). A small email message from the attacker can cause large memory consumption, and the victim may then be unable to see email messages from other persons.

https://gitlab.com/muttmua/mutt/-/issues/323 CVE-2021-3181 2021-01-17 2021-01-23
MySQL -- Multiple vulnerabilities mysql56-client 5.6.51 mysql57-client 5.7.33 mysql80-client 8.0.23 mysql56-server 5.6.51 mysql57-server 5.7.33 mysql80-server 8.0.23

Oracle reports:

This Critical Patch Update contains 34 new security patches for Oracle MySQL Server and 4 for MySQL Client.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 6.8.

https://www.oracle.com/security-alerts/cpujan2021.html#AppendixMSQL CVE-2021-2046 CVE-2021-2020 CVE-2021-2024 CVE-2021-2011 CVE-2021-2006 CVE-2021-2048 CVE-2021-2028 CVE-2021-2122 CVE-2021-2058 CVE-2021-2001 CVE-2021-2016 CVE-2021-2021 CVE-2021-2030 CVE-2021-2031 CVE-2021-2036 CVE-2021-2055 CVE-2021-2060 CVE-2021-2070 CVE-2021-2076 CVE-2021-2065 CVE-2021-2014 CVE-2021-2002 CVE-2021-2012 CVE-2021-2009 CVE-2021-2072 CVE-2021-2081 CVE-2021-2022 CVE-2021-2038 CVE-2021-2061 CVE-2021-2056 CVE-2021-2087 CVE-2021-2088 CVE-2021-2032 CVE-2021-2010 CVE-2021-1998 CVE-2021-2007 CVE-2021-2019 CVE-2021-2042 2021-01-23 2021-01-23
chromium -- multiple vulnerabilities chromium 88.0.4324.96

Chrome Releases reports:

This release contains 36 security fixes, including:

  • [1137179] Critical CVE-2021-21117: Insufficient policy enforcement in Cryptohome. Reported by Rory McNamara on 2020-10-10
  • [1161357] High CVE-2021-21118: Insufficient data validation in V8. Reported by Tyler Nighswander (@tylerni7) of Theori on 2020-12-23
  • [1160534] High CVE-2021-21119: Use after free in Media. Reported by Anonymous on 2020-12-20
  • [1160602] High CVE-2021-21120: Use after free in WebSQL. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2020-12-21
  • [1161143] High CVE-2021-21121: Use after free in Omnibox. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-22
  • [1162131] High CVE-2021-21122: Use after free in Blink. Reported by Renata Hodovan on 2020-12-28
  • [1137247] High CVE-2021-21123: Insufficient data validation in File System API. Reported by Maciej Pulikowski on 2020-10-11
  • [1131346] High CVE-2021-21124: Potential user after free in Speech Recognizer. Reported by Chaoyang Ding(@V4kst1z) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-09-23
  • [1152327] High CVE-2021-21125: Insufficient policy enforcement in File System API. Reported by Ron Masas (Imperva) on 2020-11-24
  • [1163228] High CVE-2020-16044: Use after free in WebRTC. Reported by Ned Williamson of Project Zero on 2021-01-05
  • [1108126] Medium CVE-2021-21126: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-07-22
  • [1115590] Medium CVE-2021-21127: Insufficient policy enforcement in extensions. Reported by Jasminder Pal Singh, Web Services Point WSP, Kotkapura on 2020-08-12
  • [1138877] Medium CVE-2021-21128: Heap buffer overflow in Blink. Reported by Liang Dong on 2020-10-15
  • [1140403] Medium CVE-2021-21129: Insufficient policy enforcement in File System API. Reported by Maciej Pulikowski on 2020-10-20
  • [1140410] Medium CVE-2021-21130: Insufficient policy enforcement in File System API. Reported by Maciej Pulikowski on 2020-10-20
  • [1140417] Medium CVE-2021-21131: Insufficient policy enforcement in File System API. Reported by Maciej Pulikowski on 2020-10-20
  • [1128206] Medium CVE-2021-21132: Inappropriate implementation in DevTools. Reported by David Erceg on 2020-09-15
  • [1157743] Medium CVE-2021-21133: Insufficient policy enforcement in Downloads. Reported by wester0x01 (https://twitter.com/wester0x01) on 2020-12-11
  • [1157800] Medium CVE-2021-21134: Incorrect security UI in Page Info. Reported by wester0x01 (https://twitter.com/wester0x01) on 2020-12-11
  • [1157818] Medium CVE-2021-21135: Inappropriate implementation in Performance API. Reported by ndevtk on 2020-12-11
  • [1038002] Low CVE-2021-21136: Insufficient policy enforcement in WebView. Reported by Shiv Sahni, Movnavinothan V and Imdad Mohammed on 2019-12-27
  • [1093791] Low CVE-2021-21137: Inappropriate implementation in DevTools. Reported by bobblybear on 2020-06-11
  • [1122487] Low CVE-2021-21138: Use after free in DevTools. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-08-27
  • [1136327] Low CVE-2021-21140: Uninitialized Use in USB. Reported by David Manouchehri on 2020-10-08
  • [1140435] Low CVE-2021-21141: Insufficient policy enforcement in File System API. Reported by Maciej Pulikowski on 2020-10-20
CVE-2020-16044 CVE-2021-21117 CVE-2021-21118 CVE-2021-21119 CVE-2021-21120 CVE-2021-21121 CVE-2021-21122 CVE-2021-21123 CVE-2021-21124 CVE-2021-21125 CVE-2021-21126 CVE-2021-21127 CVE-2021-21128 CVE-2021-21129 CVE-2021-21130 CVE-2021-21131 CVE-2021-21132 CVE-2021-21133 CVE-2021-21134 CVE-2021-21135 CVE-2021-21136 CVE-2021-21137 CVE-2021-21138 CVE-2021-21139 CVE-2021-21140 CVE-2021-21141 https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html 2021-01-19 2021-01-22
chocolate-doom -- Arbitrary code execution chocolate-doom 3.0.1 crispy-doom 5.9.0

Michal Dardas from LogicalTrust reports:

The server in Chocolate Doom 3.0.0 and Crispy Doom 5.8.0 doesn't validate the user-controlled num_players value, leading to a buffer overflow. A malicious user can overwrite the server's stack.

https://github.com/chocolate-doom/chocolate-doom/issues/1293 CVE-2020-14983 2020-06-22 2021-01-22
nokogiri -- Security vulnerability rubygem-nokogiri rubygem-nokogiri18 1.11.0.rc3

Nokogiri reports:

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema were trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.

https://nokogiri.org/CHANGELOG.html CVE-2020-26247 2021-01-22 2021-01-22
dnsmasq -- DNS cache poisoning, and DNSSEC buffer overflow, vulnerabilities dnsmasq 2.83 dnsmasq-devel 2.83

Simon Kelley reports:

There are broadly two sets of problems. The first is subtle errors in dnsmasq's protections against the chronic weakness of the DNS protocol to cache-poisoning attacks; the Birthday attack, Kaminsky, etc.[...]

the second set of errors is a good old fashioned buffer overflow in dnsmasq's DNSSEC code. If DNSSEC validation is enabled, an installation is at risk.

https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014599.html https://www.jsof-tech.com/disclosures/dnspooq/ CVE-2020-25684 CVE-2020-25685 CVE-2020-25686 CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25687 2020-09-16 2021-01-20
go -- cmd/go: packages using cgo can cause arbitrary code execution at build time; crypto/elliptic: incorrect operations on the P-224 curve go 1.15.7,1

The Go project reports:

The go command may execute arbitrary code at build time when cgo is in use on Windows. This may occur when running "go get", or any other command that builds code. Only users who build untrusted code (and don't execute it) are affected. In addition to Windows users, this can also affect Unix users who have "." listed explicitly in their PATH and are running "go get" or build commands outside of a module or with module mode disabled.

The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult. The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.

CVE-2021-3115 http://golang.org/issue/43783 CVE-2021-3114 http://golang.org/issue/43786 2021-01-13 2021-01-19
cloud-init -- Wrong access permissions of authorized keys cloud-init 20.420.4.1

cloud-init reports:

cloud-init release 20.4.1 is now available. This is a hotfix release, that contains a single patch to address a security issue in cloud-init 20.4.

Briefly, for users who provide more than one unique SSH key to cloud-init and have a shared AuthorizedKeysFile configured in sshd_config, cloud-init 20.4 started writing all of these keys to such a file, granting all such keys SSH access as root.

It's worth restating this implication: if you are using the default AuthorizedKeysFile setting in /etc/ssh/sshd_config, as most will be, then you are _not_ affected by this issue.

https://bugs.launchpad.net/cloud-init/+bug/1911680 2021-01-14 2021-01-19
moinmoin -- multiple vulnerabilities moinmoin 1.9.11

MoinMoin reports:

  • Security fix for CVE-2020-25074: fix remote code execution via cache action

  • Security fix for CVE-2020-15275: fix malicious SVG attachment causing stored XSS vulnerability

https://github.com/moinwiki/moin-1.9/blob/1.9.11/docs/CHANGES#L13 CVE-2020-25074 CVE-2020-15275 2020-11-08 2021-01-18
Ghostscript -- SAFER Sandbox Breakout ghostscript9-agpl-base 9.509.52_8

SO-AND-SO reports:

A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The 'rsearch' calculation for the 'post' size resulted in a size that was too large, and could underflow to max uint32_t. This was fixed in commit 5d499272b95a6b890a1397e11d20937de000d31b.

https://nvd.nist.gov/vuln/detail/CVE-2020-15900 2020-07-28 2021-01-17
Node.js -- January 2021 Security Releases node10 10.23.1 node12 12.20.1 node14 14.15.4 node 15.5.1

Node.js reports:

use-after-free in TLSWrap (High) (CVE-2020-8265)

Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.

HTTP Request Smuggling in nodejs (Low) (CVE-2020-8287)

Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

OpenSSL - EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)

iThis is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt.

References: https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/, https://www.openssl.org/news/secadv/20201208.txt, CVE-2020-8265, CVE-2020-8287, CVE-2020-1971
Dates: discovery 2021-01-04, entry 2021-01-14
Gitlab -- vulnerability
Affected packages: gitlab-ce >= 13.7.0, < 13.7.4; >= 13.6.0, < 13.6.5; >= 12.2, < 13.5.7

Gitlab reports:

Ability to steal a user's API access token through GitLab Pages

References: https://about.gitlab.com/releases/2021/01/14/critical-security-release-gitlab-13-7-4-released/
Dates: discovery 2021-01-14, entry 2021-01-14
wavpack -- integer overflow in pack_utils.c
Affected packages: wavpack < 5.4.0

The wavpack project reports:

  • src/pack_utils.c - issue #91: fix integer overflows resulting in buffer overruns (CVE-2020-35738)

  • sanitize configuration parameters better (improves clarity and aids debugging)

References: https://github.com/dbry/WavPack/blob/733616993d53cc1f9a7ffb88a858447ba51eb0ee/ChangeLog, CVE-2020-35738
Dates: discovery 2020-12-29, entry 2021-01-14
jenkins -- multiple vulnerabilities
Affected packages: jenkins < 2.275, jenkins-lts < 2.263.2

Jenkins Security Advisory:

Description

  • (Medium) SECURITY-1452 / CVE-2021-21602: Arbitrary file read vulnerability in workspace browsers

  • (High) SECURITY-1889 / CVE-2021-21603: XSS vulnerability in notification bar

  • (High) SECURITY-1923 / CVE-2021-21604: Improper handling of REST API XML deserialization errors

  • (High) SECURITY-2021 / CVE-2021-21605: Path traversal vulnerability in agent names

  • (Medium) SECURITY-2023 / CVE-2021-21606: Arbitrary file existence check in file fingerprints

  • (Medium) SECURITY-2025 / CVE-2021-21607: Excessive memory allocation in graph URLs leads to denial of service

  • (High) SECURITY-2035 / CVE-2021-21608: Stored XSS vulnerability in button labels

  • (Low) SECURITY-2047 / CVE-2021-21609: Missing permission check for paths with specific prefix

  • (High) SECURITY-2153 / CVE-2021-21610: Reflected XSS vulnerability in markup formatter preview

  • (High) SECURITY-2171 / CVE-2021-21611: Stored XSS vulnerability on new item page

References: https://www.jenkins.io/security/advisory/2021-01-13/
Dates: discovery 2021-01-13, entry 2021-01-13
phpmyfaq -- XSS vulnerability
Affected packages: phpmyfaq < 3.0.6

phpmyfaq developers report:

phpMyFAQ does not implement sufficient checks to avoid XSS injection for displaying tags.

References: https://www.phpmyfaq.de/security/advisory-2020-12-23
Dates: discovery 2020-12-23, entry 2021-01-12
sudo -- Potential information leak in sudoedit
Affected packages: sudo < 1.9.5

Todd C. Miller reports:

A potential information leak in sudoedit that could be used to test for the existence of directories not normally accessible to the user in certain circumstances. When creating a new file, sudoedit checks to make sure the parent directory of the new file exists before running the editor. However, a race condition exists if the invoking user can replace (or create) the parent directory. If a symbolic link is created in place of the parent directory, sudoedit will run the editor as long as the target of the link exists. If the target of the link does not exist, an error message will be displayed. The race condition can be used to test for the existence of an arbitrary directory. However, it _cannot_ be used to write to an arbitrary location.

References: https://www.sudo.ws/stable.html#1.9.5, CVE-2021-23239
Dates: discovery 2021-01-11, entry 2021-01-11
CairoSVG -- Regular Expression Denial of Service vulnerability
Affected packages: py36-cairosvg, py37-cairosvg, py38-cairosvg, py39-cairosvg >= 2.0.0, < 2.5.1

CairoSVG security advisories:

When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS).

If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time.

References: https://github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf
Dates: discovery 2020-12-30, entry 2021-01-10
Gitlab -- multiple vulnerabilities
Affected packages: gitlab-ce >= 13.7.0, < 13.7.2; >= 13.6.0, < 13.6.4; >= 12.2, < 13.5.6

Gitlab reports:

  • Ability to steal a user's API access token through GitLab Pages

  • Prometheus denial of service via HTTP request with custom method

  • Unauthorized user is able to access private repository information under specific conditions

  • Regular expression denial of service in NuGet API

  • Regular expression denial of service in package uploads

  • Update curl dependency

  • CVE-2019-3881 mitigation

References: https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/, CVE-2021-22166, CVE-2020-26414, CVE-2019-3881
Dates: discovery 2021-01-07, entry 2021-01-09
chromium -- multiple vulnerabilities
Affected packages: chromium < 87.0.4280.141

Chrome Releases reports:

This release includes 16 security fixes, including:

  • [1148749] High CVE-2021-21106: Use after free in autofill. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-11-13
  • [1153595] High CVE-2021-21107: Use after free in drag and drop. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-11-30
  • [1155426] High CVE-2021-21108: Use after free in media. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-04
  • [1152334] High CVE-2021-21109: Use after free in payments. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2020-11-24
  • [1152451] High CVE-2021-21110: Use after free in safe browsing. Reported by Anonymous on 2020-11-24
  • [1149125] High CVE-2021-21111: Insufficient policy enforcement in WebUI. Reported by Alesandro Ortiz on 2020-11-15
  • [1151298] High CVE-2021-21112: Use after free in Blink. Reported by YoungJoo Lee(@ashuu_lee) of Raon Whitehat on 2020-11-20
  • [1155178] High CVE-2021-21113: Heap buffer overflow in Skia. Reported by tsubmunu on 2020-12-03
  • [1148309] High CVE-2020-16043: Insufficient data validation in networking. Reported by Samy Kamkar, Ben Seri at Armis, Gregory Vishnepolsky at Armis on 2020-11-12
  • [1150065] High CVE-2021-21114: Use after free in audio. Reported by Man Yue Mo of GitHub Security Lab on 2020-11-17
  • [1157790] High CVE-2020-15995: Out of bounds write in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2020-12-11
  • [1157814] High CVE-2021-21115: Use after free in safe browsing. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-11
  • [1151069] Medium CVE-2021-21116: Heap buffer overflow in audio. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-11-19
References: CVE-2020-15995, CVE-2020-16043, CVE-2021-21106, CVE-2021-21107, CVE-2021-21108, CVE-2021-21109, CVE-2021-21110, CVE-2021-21111, CVE-2021-21112, CVE-2021-21113, CVE-2021-21114, CVE-2021-21115, CVE-2021-21116, https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html
Dates: discovery 2021-01-06, entry 2021-01-07
mail/dovecot -- multiple vulnerabilities
Affected packages: dovecot < 2.3.13

Aki Tuomi reports:

When imap hibernation is active, an attacker can cause Dovecot to discover file system directory structure and access other users' emails using a specially crafted command. The attacker must have valid credentials to access the mail server.

Mail delivery / parsing crashed when the 10 000th MIME part was message/rfc822 (or if parent was multipart/digest). This happened due to earlier MIME parsing changes for CVE-2020-12100.

References: https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html, CVE-2020-24386, CVE-2020-25275
Dates: discovery 2020-08-17, entry 2021-01-04
&vuln-2020; &vuln-2019; &vuln-2018; &vuln-2017; &vuln-2016; &vuln-2015; &vuln-2014; &vuln-2013; &vuln-2012; &vuln-2011; &vuln-2010; &vuln-2009; &vuln-2008; &vuln-2007; &vuln-2006; &vuln-2005; &vuln-2004; &vuln-2003;