# aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues (updated 2019-12-31T10:06:17Z)

## Oniguruma: Multiple vulnerabilities (CVE-2019-19012, CVE-2019-19203, CVE-2019-19204, CVE-2019-19246)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/11013
Updated: 2019-12-31T10:06:17Z
Author: Alicha CH
### CVE-2019-19246: heap-based buffer overflow in str_lower_case_match in regexec.c
Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer
over-read in str_lower_case_match in regexec.c.
#### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-19246
#### Patch:
https://github.com/kkos/oniguruma/commit/d3e402928b6eb3327f8f7d59a9edfa622fec557b
### CVE-2019-19012: Integer overflow related to reg->dmax in search_in_range (regexec.c)
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or information disclosure, or possibly have unspecified other impact, via a crafted regular expression.
#### References:
* https://github.com/kkos/oniguruma/issues/164
* https://nvd.nist.gov/vuln/detail/CVE-2019-19012
### CVE-2019-19203: heap-buffer-overflow in gb18030_mbc_enc_len
An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer
is dereferenced without checking if it passed the end of the matched string. This leads to a heap-based buffer over-read.
#### References:
* https://github.com/kkos/oniguruma/issues/163
* https://nvd.nist.gov/vuln/detail/CVE-2019-19203
### CVE-2019-19204: heap-buffer-overflow in fetch_interval_quantifier due to double PFETCH
An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read.
#### References:
* https://github.com/kkos/oniguruma/issues/162
* https://nvd.nist.gov/vuln/detail/CVE-2019-19204
### Affected branches:
* [x] master (e51c59c5ce3fa8445cad2a03f5727add40b44a8e)
* [x] 3.10-stable
* [x] 3.9-stable
* [x] 3.8-stable
Assignee: Francesco Colista

## gnupg: Web of Trust forgeries using collisions in SHA-1 (CVE-2019-14855)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/11008
Updated: 2019-12-18T10:03:46Z
Author: Alicha CH
Web of Trust forgeries using collisions in SHA-1 signatures (CVE-2019-14855)
Note that this change removes all SHA-1 based key signatures newer than
2019-01-19 from the web-of-trust. This includes all key signatures created
with dsa1024 keys. The new option --allow-weak-key-signatures can be used
to override the new and safer behaviour.
#### Fixed In Version:
gnupg 2.2.18
#### References:
* https://dev.gnupg.org/T4755
* https://security-tracker.debian.org/tracker/CVE-2019-14855
### Affected branches:
* [x] master (94ffa605a4208f620a3f267dd8c13bf7958d1e30)
* [x] 3.10-stable
* [x] 3.9-stable
* [x] 3.8-stable
Assignee: Leonardo Arena

## haproxy: HTTP/2 implementation vulnerable to intermediary encapsulation attacks (CVE-2019-19330)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/11003
Updated: 2020-01-23T13:40:56Z
Author: Alicha CH
The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka Intermediary Encapsulation Attacks.
#### References:
* https://nvd.nist.gov/vuln/detail/CVE-2019-19330
* https://seclists.org/bugtraq/2019/Nov/45
#### Patches:
* https://git.haproxy.org/?p=haproxy.git;a=commit;h=54f53ef7ce4102be596130b44c768d1818570344
* https://git.haproxy.org/?p=haproxy.git;a=commit;h=146f53ae7e97dbfe496d0445c2802dd0a30b0878
* https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95daae20954b3053ce87e
### Affected branches:
* [x] master (1ec0ef986c567eae00414b20612e216242bbfece)
* [x] 3.10-stable (93080dac2fc349d9fdd148de126f3eaf749cb373)
* [x] 3.9-stable (d69c3c394b7bb54a302fe90b9f5227c6d204446c)
* [x] 3.8-stable (45e394536a3bf2a562ad861feeca530477d4dfd0)
Assignee: Natanael Copa

## tiff: memory leak in TIFFFdOpen function in tif_unix.c when using pal2rgb (CVE-2019-6128)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10996
Updated: 2020-05-09T20:19:55Z
Author: Alicha CH
The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10 has a memory leak, as demonstrated by pal2rgb.
#### References:
* http://bugzilla.maptools.org/show_bug.cgi?id=2836
* https://nvd.nist.gov/vuln/detail/CVE-2019-6128
#### Patch:
https://gitlab.com/libtiff/libtiff/commit/ae0bed1fe530a82faf2e9ea1775109dbf301a971
### Affected branches:
* [x] master (b6b472198d2967129bb8e42d7ddf72aa6c803567)
* [x] 3.10-stable (967440f6a7)
* [x] 3.9-stable (c99c0aa831ae95cde868a15fc9714c4e57ddca5a)
* [x] 3.8-stable (035d2d008545b9061386ab12de0263222558a272)
## ghostscript: -dSAFER escape in .charkeys (CVE-2019-14869)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10982
Updated: 2020-12-11T03:32:34Z
Author: Alicha CH
This is another instance of a highly privileged operator being
accessible by specially crafted PostScript code, that can be used to
break out of the -dSAFER limitations.
It was found that the `.forceput` operator was present and unprotected in
the `.charkeys` method and could be retrieved via manipulation of the
error handler.
The `.charkeys` method was vulnerable since ghostscript-9.15, in one way
or another: the privileged operator was `superexec` instead of
`.forceput` until a more recent version.
#### References:
https://www.openwall.com/lists/oss-security/2019/11/15/1
https://bugs.ghostscript.com/show_bug.cgi?id=701841
#### Patch:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f
### Affected branches:
* [x] master (e48e96ca52799eb62afc59fff61860a3b5b62fea)
* [x] 3.10-stable (d7d7d0f8fd4b586ec7469c101d322f011949610a)
* [x] 3.9-stable
* [ ] 3.8-stable
Assignee: Leonardo Arena

## mariadb: Multiple vulnerabilities (CVE-2019-2938, CVE-2019-2974)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10973
Updated: 2019-12-02T14:39:16Z
Author: Alicha CH
* CVE-2019-2938: MariaDB 10.3.19, MariaDB 10.2.28
* CVE-2019-2974: MariaDB 10.3.19, MariaDB 10.2.28
#### References:
* https://mariadb.com/kb/en/library/mariadb-10319-release-notes/
* https://mariadb.com/kb/en/library/mariadb-10228-release-notes/
### Affected branches:
* [x] master (04ffd24b186af4b064d5c00e85e0536832c29154)
* [x] 3.10-stable
* [x] 3.9-stable
* [x] 3.8-stable
Assignee: Leonardo Arena

## clamav: denial of service via crafted message (CVE-2019-12625)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10972
Updated: 2021-04-02T02:50:11Z
Author: Alicha CH
A vulnerability was found in ClamAV: versions prior to 0.101.3 are susceptible to a zip bomb vulnerability where an unauthenticated
attacker can cause a denial of service condition by sending crafted messages to an affected system.
#### References:
* https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html
* https://nvd.nist.gov/vuln/detail/CVE-2019-12625
### Affected branches:
* [x] master (5bb204ff60776c4dfcfd6cab8310d72325d5641f)
* [x] 3.10-stable (cf6b14480665acd8c533d8a514cb32bf74f565d7)
* [x] 3.9-stable
* [x] 3.8-stable
Assignee: Carlo Landmeter

## bind: TCP-pipelined queries can bypass tcp-clients limit (CVE-2019-6477)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10970
Updated: 2021-04-02T02:51:12Z
Author: Alicha CH
By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The update to this functionality introduced by CVE-2018-5743 changed how BIND calculates the number of concurrent TCP clients from counting the outstanding TCP queries to counting the TCP client connections. On a server with TCP-pipelining capability, it is possible for one TCP client to send a large number of DNS requests over a single connection. Each outstanding query will be handled internally as an independent client request, thus bypassing the new TCP clients limit.
#### Affected Versions:
bind 9.11.6-P1 -> 9.11.12, 9.12.4-P1 -> 9.12.4-P2, 9.14.1 -> 9.14.7
#### Fixed In Version:
bind 9.11.13, 9.14.8, 9.15.6.
#### References:
* https://kb.isc.org/docs/cve-2019-6477
* https://www.openwall.com/lists/oss-security/2019/11/20/8
### Affected branches:
* [x] master (85f2bc39b0cdf3fbb1804e1bde6a0f1570c8931d)
* [x] 3.10-stable (9e6955f54ef0ef060d47afd63899a6d9379a6edf)
* [x] 3.9-stable
* [x] 3.8-stable

## xen: Multiple vulnerabilities (CVE-2018-12207, CVE-2019-18421, CVE-2019-18422, CVE-2019-18423, CVE-2019-18424, CVE-2019-18425, CVE-2019-11135)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10968
Updated: 2020-05-09T20:19:55Z
Author: Alicha CH
### CVE-2019-18425, XSA-298: missing descriptor table limit checking in x86 PV emulation
Xen versions from at least 3.2 onwards are affected.
#### Reference:
http://xenbits.xen.org/xsa/advisory-298.html
### CVE-2019-18421, XSA-299: Issues with restartable PV type change operations
#### Reference:
http://xenbits.xen.org/xsa/advisory-299.html
### CVE-2019-18423, XSA-301: add-to-physmap can be abused to DoS Arm hosts
#### Reference:
http://xenbits.xen.org/xsa/advisory-301.html
### CVE-2019-18424, XSA-302: passed through PCI devices may corrupt host memory after deassignment
#### Reference:
http://xenbits.xen.org/xsa/advisory-302.html
### CVE-2019-18422, XSA-303: ARM: Interrupts are unconditionally unmasked in exception handlers
#### Reference:
http://xenbits.xen.org/xsa/advisory-303.html
### CVE-2018-12207, XSA-304: x86: Machine Check Error on Page Size Change DoS
#### Reference:
http://xenbits.xen.org/xsa/advisory-304.html
### CVE-2019-11135, XSA-305: TSX Asynchronous Abort speculative side channel
#### Reference:
http://xenbits.xen.org/xsa/advisory-305.html
### Affected branches:
* [x] master
* [x] 3.10-stable
* [x] 3.9-stable
* [x] 3.8-stable
Assignee: Leonardo Arena

## unbound: Vulnerability in IPSEC module (CVE-2019-18934)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10965
Updated: 2019-11-20T10:35:17Z
Author: Alicha CH
Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration.
#### References:
https://www.nlnetlabs.nl/downloads/unbound/CVE-2019-18934.txt
https://www.openwall.com/lists/oss-security/2019/11/19/1
https://nvd.nist.gov/vuln/detail/CVE-2019-18934
### Affected branches:
* [x] master (0525728247e68c3ea0700787e56ad61836eb3069)
* [x] 3.10-stable (407d97afdcc1f3eabf878b21614f0cc72b0f336f)
* [x] 3.9-stable (85b36404206898cf9dc3221509b3e0ddac87c7ae)
* [x] 3.8-stable (ae112bcbe065a2f232ad8c641ab8da6b84f7e74c)
Assignee: Natanael Copa

## squid: Multiple vulnerabilities (CVE-2019-12523, CVE-2019-12525, CVE-2019-12526, CVE-2019-12529, CVE-2019-18676, CVE-2019-18677, CVE-2019-18678)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10959
Updated: 2021-01-09T12:57:16Z
Author: Alicha CH
### CVE-2019-12523, CVE-2019-18676: Improper input validation and Buffer overflow in URI processor
#### Affected Versions:
All Squid-3.x up to and including 3.5.28, All Squid-4.x up to and including 4.8.
#### Fixed In Version:
squid 4.9
#### Reference:
http://www.squid-cache.org/Advisories/SQUID-2019_8.txt
#### Patch:
http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch
### CVE-2019-12525: parsing of header Proxy-Authentication leads to memory corruption
#### Fixed In Version:
squid 4.8
#### Reference:
http://www.squid-cache.org/Advisories/SQUID-2019_3.txt
#### Patch:
Squid 3.5:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-ec0d0f39cf28da14eead0ba5e777e95855bc2f67.patch
Only affects Alpine 3.8-stable
### CVE-2019-12526: Heap overflow issue in URN processing
#### Affected Versions:
All Squid-3.x up to and including 3.5.28, All Squid-4.x up to and including 4.8.
#### Fixed In Version:
squid 4.9
#### Reference:
http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
#### Patch:
http://www.squid-cache.org/Versions/v4/changesets/squid-4-7aa0184a720fd216191474e079f4fe87de7c4f5a.patch
### CVE-2019-12529: OOB read in Proxy-Authorization header causes DoS
#### Affected Versions:
#### Fixed In Version:
squid 4.8
#### Reference:
http://www.squid-cache.org/Advisories/SQUID-2019_2.txt
#### Patch:
http://www.squid-cache.org/Versions/v4/changesets/squid-4-dd46b5417809647f561d8a5e0e74c3aacd235258.patch
Only affects Alpine 3.8-stable
### CVE-2019-18677: Cross-Site Request Forgery issue in HTTP Request processing
#### Affected Versions:
All Squid-3.x up to and including 3.5.28, All Squid-4.x up to and including 4.8.
#### Fixed In Version:
squid 4.9
#### Reference:
http://www.squid-cache.org/Advisories/SQUID-2019_9.txt
#### Patches:
Squid 3.5:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch
Squid 4:
http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch
### CVE-2019-18678: HTTP Request Splitting issue in HTTP message processing
#### Fixed In Version:
squid 4.9
#### Reference:
http://www.squid-cache.org/Advisories/SQUID-2019_10.txt
#### Patch:
http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch
Only affects Alpine 3.8-stable
### Affected branches:
* [x] master (c960394d423ce258a68bf53364ae13b6e331d8fe)
* [x] 3.10-stable
* [x] 3.9-stable
* [x] 3.8-stable
Assignee: Natanael Copa

## libjpeg-turbo: code execution (CVE-2019-2201)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10948
Updated: 2020-01-23T12:33:20Z
Author: Alicha CH
There is an integer overflow and subsequent heap corruption in
libjpeg-turbo 2.0.3 and earlier.
#### References:
* https://github.com/libjpeg-turbo/libjpeg-turbo/issues/361
* https://www.openwall.com/lists/oss-security/2019/11/11/1
#### Patches:
* https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2a9e3bd7430cfda1bc812d139e0609c6aca0b884
* https://github.com/libjpeg-turbo/libjpeg-turbo/commit/c30b1e72dac76343ef9029833d1561de07d29bad
### Affected branches:
* [x] master (b6439b6d58b8a76bfe414723b033a34c5275502e)
* [x] 3.11-stable (88cf1dcb5c371de4fe74b08039d09a7d400a326b)
* [x] 3.10-stable (e852bf9467a5250a1d3eab5770c859c0c2878788)
* [x] 3.9-stable (be90230363da27cdade94d0f3c3e2a5569690163)
* [x] 3.8-stable (8c593acdd5ae3aa50db4851fe92f8b3eea5fd0e9)
Assignee: Leonardo Arena

## squid: Information Disclosure issue in HTTP Digest Authentication (CVE-2019-18679)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10946
Updated: 2020-12-10T02:29:32Z
Author: Alicha CH
Due to incorrect data management, Squid is vulnerable to
information disclosure when processing HTTP Digest Authentication.
#### Fixed in version:
Squid 4.9
#### References:
http://www.squid-cache.org/Advisories/SQUID-2019_11.txt
#### Patch:
http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch
### Affected branches:
* [x] master
* [x] 3.10-stable
* [x] 3.9-stable
* [x] 3.8-stable
Assignee: Leonardo Arena

## freetds: buffer overflow vulnerability (CVE-2019-13508)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10945
Updated: 2019-11-13T10:46:01Z
Author: Alicha CH
FreeTDS prior to 1.1.11 has a Buffer Overflow.
#### References:
* https://nvd.nist.gov/vuln/detail/CVE-2019-13508
* https://github.com/FreeTDS/freetds/commit/962306a1e42590e7b93dcd9d771fdc2348df6239
#### Patch:
https://github.com/FreeTDS/freetds/commit/0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac
### Affected branches:
* [x] master (cc3bf8e425d6a75093512a7c3bbd5beeaabde813)
* [x] 3.10-stable
* [x] 3.9-stable
* [x] 3.8-stable
Assignee: Leonardo Arena

## Oniguruma: Multiple vulnerabilities (CVE-2019-13224, CVE-2019-13225, CVE-2019-16163)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10944
Updated: 2019-11-14T08:50:01Z
Author: Alicha CH
### CVE-2019-13224: use-after-free in onig_new_deluxe() in regext.c
A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe().
#### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-13224
#### Patch:
https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
### CVE-2019-13225: null-pointer dereference in match_at() in regexec.c
A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression.
#### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-13225
#### Patch:
https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c
### CVE-2019-16163: stack exhaustion in regcomp.c because of recursion in regparse.c
Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.
#### References:
https://github.com/kkos/oniguruma/issues/147
#### Patch:
https://github.com/kkos/oniguruma/commit/4097828d7cc87589864fecf452f2cd46c5f37180
### Affected branches:
* [x] master (81bbfcc4024b83f3292bcace77baa02984d72841)
* [x] 3.10-stable
* [x] 3.9-stable
* [x] 3.8-stable
Assignee: Francesco Colista

## fribidi: Stack-based buffer overflow (CVE-2019-18397)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10943
Updated: 2020-05-09T20:19:56Z
Author: Alicha CH
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in GNU fribidi when processing a large number of Unicode isolate directional characters. A remote attacker can trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
#### Affected Versions:
From 1.0.0 to 1.0.7
#### References:
* https://seclists.org/oss-sec/2019/q4/59
* https://security-tracker.debian.org/tracker/CVE-2019-18397
#### Patches:
* Fixed by: https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568
* Introduced by: https://github.com/fribidi/fribidi/commit/f20b6480b9cd46dae8d82a6f95d9c53558fcfd20 (v1.0.0)
### Affected branches:
* [x] master (0cac76661fd3b286f052ef3d4343a5458b71b306)
* [x] 3.10-stable (056e278147ebf0f3781926c395e533081eb8c0f9)
* [x] 3.9-stable (e245657e6ddf7511c3bb512238a8b2fc8df56be3)
* [x] 3.8-stable (f49f79ef74f6410eadb866875ab2c2e95bd96ba8)
Assignee: Leo

## tiff: integer overflow leading to heap-based buffer overflow in tif_getimage.c (CVE-2019-17546)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10927
Updated: 2019-11-03T21:24:49Z
Author: Alicha CH
tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.
#### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-17546
#### Patch:
https://gitlab.com/libtiff/libtiff/commit/4bb584a35f87af42d6cf09d15e9ce8909a839145
### Affected branches:
* [x] master
* [x] 3.10-stable
* [x] 3.9-stable
* [x] 3.8-stable
* [x] 3.7-stable
Assignee: Leo

## libarchive: use-after-free (CVE-2019-18408)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10926
Updated: 2019-11-02T07:06:30Z
Author: Alicha CH
archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0
has a use-after-free in a certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol.
#### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-18408
#### Patch:
https://github.com/libarchive/libarchive/commit/b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60
### Affected branches:
* [x] master (6787a7e2434a85069463e3ce9ec04398c233d5c6)
* [x] 3.10-stable
* [x] 3.9-stable
* [x] 3.8-stable
* [x] 3.7-stable
Assignee: Leo

## libvncserver: Memory leak in VNC server code (CVE-2019-15681)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10924
Updated: 2019-11-03T22:08:09Z
Author: Alicha CH
LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains a memory leak (CWE-655) in VNC server code, which allows an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR. This attack appears to be exploitable via network connectivity.
#### Affected Versions:
libvncserver 0.9.12 and earlier.
#### References:
* https://nvd.nist.gov/vuln/detail/CVE-2019-15681
* https://security-tracker.debian.org/tracker/CVE-2019-15681
#### Patch:
https://github.com/LibVNC/libvncserver/commit/d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a
### Affected branches:
* [x] master
* [x] 3.10-stable
* [x] 3.9-stable
* [x] 3.8-stable
* [x] 3.7-stable
Assignee: Leo

## samba: Multiple vulnerabilities (CVE-2019-10218, CVE-2019-14833, CVE-2019-14847)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/10921
Updated: 2020-04-03T06:00:16Z
Author: Alicha CH
### CVE-2019-10218: Client code can return filenames containing path separators
Samba client code (libsmbclient) returns server-supplied filenames to
calling code without checking for pathname separators (such as "/" or
"../") in the server returned names.
A malicious server can craft a pathname containing separators and
return this to client code, causing the client to use this to access local
pathnames for reading or writing instead of SMB network pathnames.
This access is done using the local privileges of the client.
This attack can be achieved using any of SMB1/2/3 as it is not reliant
on any specific SMB protocol version.
#### Fixed In Versions:
Samba 4.11.2, 4.10.10 and 4.9.15
#### References:
https://www.samba.org/samba/security/CVE-2019-10218.html
### CVE-2019-14833: Samba AD DC check password script does not receive the full password.
Since Samba Version 4.5.0 a Samba AD DC can use a custom command to
verify the password complexity. The command can be specified with
the "check password script" smb.conf parameter.
This command is called when Samba handles a user password change or
a new user password is set. The script receives the new cleartext
password string in order to run custom password complexity checks
like dictionary checks to avoid weak user passwords.
When the password contains multi-byte (non-ASCII) characters, the
check password script does not receive the full password string.
#### Fixed In Versions:
Samba 4.11.2, 4.10.10 and 4.9.15
#### References:
https://www.samba.org/samba/security/CVE-2019-14833.html
### CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync
Since Samba 4.0.0 Samba has implemented, in the AD DC, the "dirsync"
LDAP control specified in MS-ADTS "3.1.1.3.4.1.3
LDAP_SERVER_DIRSYNC_OID".
However, when combined with the ranged results feature specified in
MS-ADTS "3.1.1.3.1.3.3 Range Retrieval of Attribute Values", a NULL
pointer can be dereferenced.
This is a Denial of Service only, no further escalation of privilege
is associated with this issue.
Samba 4.11 is not affected as the issue was fixed as a result of
Coverity static analysis, before the potential for denial of service
became apparent.
#### Fixed In Version:
Samba 4.9.15 and 4.10.10
#### References:
https://www.samba.org/samba/security/CVE-2019-14847.html
### Affected branches:
* [x] master
* [x] 3.10-stable (1a4e1a61106f66fdcf65ec33a37a99cea23db966)
* [x] 3.9-stable (2eff8a828fa8e0df24702602a7a3280016efebf3)
* [x] 3.8-stable (4da1ee1a718f0e9dfd6a6e91f9348fa96a58567d)
* [ ] 3.7-stable (EOL)
Assignee: Leonardo Arena