# aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
Updated: 2019-07-16T11:19:32Z

## [3.7] squid: XSS via user_name or auth parameter in cachemgr.cgi (CVE-2019-13345)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10669
Updated: 2019-07-16T11:19:32Z
Author: Alicha CH

The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.
### References:
https://bugs.squid-cache.org/show_bug.cgi?id=4957
https://github.com/squid-cache/squid/pull/429
*(from redmine: issue id 10669, created on 2019-07-09)*
* Relations:
  * parent #10664
* Changesets:
  * Revision 0a4f1520352ff66f50aebb2110bea65b3ee17f90 by Natanael Copa on 2019-07-11T17:08:10Z:
```
main/squid: fix CVE-2019-13345
fixes #10669
```
Milestone: 3.7.4
Assignee: Natanael Copa

## [3.7] irssi: Use after free when sending SASL login to the server (CVE-2019-13045)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10658
Updated: 2019-07-23T11:06:06Z
Author: Alicha CH

Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, when SASL is enabled, has a use after free when sending SASL login to the server.
### Fixed In Version:
Irssi 1.0.8, 1.1.3, 1.2.1
### References:
https://irssi.org/security/irssi_sa_2019_06.txt
https://www.openwall.com/lists/oss-security/2019/06/29/1
*(from redmine: issue id 10658, created on 2019-07-04, closed on 2019-07-04)*
* Relations:
  * parent #10653
* Changesets:
  * Revision 23cf1dbb3d0a33b1e2ee725878d76f60a53d8e32 by Natanael Copa on 2019-07-04T10:40:41Z:
```
main/irssi: security upgrade to 1.0.8 (CVE-2019-13045)
fixes #10658
```
Milestone: 3.7.4
Assignee: Natanael Copa

## [3.7] bzip2: out-of-bounds write in function BZ2_decompress (CVE-2019-12900)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10647
Updated: 2019-07-23T11:06:16Z
Author: Alicha CH

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-12900
https://security-tracker.debian.org/tracker/CVE-2019-12900
### Patch:
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
*(from redmine: issue id 10647, created on 2019-07-02, closed on 2019-07-09)*
* Relations:
  * parent #10642
* Changesets:
  * Revision 263042b4f11c9dbc797bdf7eef8c0ebdda9efe4a on 2019-07-04T19:27:53Z:
```
main/bzip2: add patch for CVE-2019-12900
Adding the upstream bzip2 security patch to fix the out of bounds security
vulnerability in bzip2.
fixes #10647
```
Milestone: 3.7.4
Assignee: Natanael Copa

## [3.7] postgresql: Stack-based buffer overflow via setting a password (CVE-2019-10164)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10641
Updated: 2019-07-23T11:06:22Z
Author: Alicha CH

PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account.
### References:
https://www.postgresql.org/support/security/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10164
### Patches:
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=90adc16ea13750a6b6f704c6cf65dc0f1bdb845c
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=d72a7e4da1001b29a661a4b1a52cb5c4d708bab0
*(from redmine: issue id 10641, created on 2019-07-02, closed on 2019-07-04)*
* Relations:
  * relates #10640
* Changesets:
  * Revision 16dcb2a286d4881fa56bf8669a72f6bb6af651db by Milan P. Stanić on 2019-07-04T07:26:29Z:
```
main/postgresql: security upgrade to 10.9
CVE-2019-10164
other upstream bugfixes
fixes #10641
```
Milestone: 3.7.4
Assignee: Jakub Jirutka

## [3.7] expat: large number of colons in input makes parser consume high amount of resources, leading to DoS (CVE-2018-20843)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10633
Updated: 2019-07-23T11:06:27Z
Author: Alicha CH

In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).
### Fixed In Version:
expat 2.2.7
### References:
https://github.com/libexpat/libexpat/issues/186
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931031
*(from redmine: issue id 10633, created on 2019-06-28, closed on 2019-07-02)*
* Relations:
  * parent #10629
* Changesets:
  * Revision 300e04f0a6e629e4ff15327ae3ecbfe34be7b7ca by Natanael Copa on 2019-06-30T12:24:25Z:
```
main/expat: security upgrade to 2.2.7 (CVE-2018-20843)
fixes #10633
```
Milestone: 3.7.4
Assignee: Carlo Landmeter

## [3.7] libvirt: Multiple vulnerabilities (CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10620
Updated: 2019-07-23T11:06:35Z
Author: Alicha CH

CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API
-----------------------------------------------------------------------------
It was discovered that libvirtd would permit readonly clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs.

This vulnerability was first present in libvirt v0.9.4.
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://security-tracker.debian.org/tracker/CVE-2019-10161
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10161
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=aed6a032cead4386472afb24b16196579e239580

CVE-2019-10166: virDomainManagedSaveDefineXML API exposed to readonly clients
-----------------------------------------------------------------------------
It was discovered that libvirtd would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed.

This vulnerability was first present in libvirt v3.6.1.
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10166
https://security-tracker.debian.org/tracker/CVE-2019-10166
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=db0b78457f183e4c7ac45bc94de86044a1e2056a

CVE-2019-10167: arbitrary command execution via virConnectGetDomainCapabilities API
-----------------------------------------------------------------------------------
The virConnectGetDomainCapabilities() libvirt API accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://security-tracker.debian.org/tracker/CVE-2019-10167
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=8afa68bac0cf99d1f8aaa6566685c43c22622f26

CVE-2019-10168: arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs
-----------------------------------------------------------------------------------------------------------------------
The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs accept an "emulator" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10168
https://security-tracker.debian.org/tracker/CVE-2019-10168
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=bf6c2830b6c338b1f5699b095df36f374777b291
*(from redmine: issue id 10620, created on 2019-06-25, closed on 2019-07-04)*
* Relations:
  * parent #10615
* Changesets:
  * Revision 8cad441d0bb3d51026cb0231485848ce9a821e6a by Francesco Colista on 2019-07-03T14:49:20Z:
```
main/libvirt: security upgrade to 5.5.0
(CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168)
Fixes #10620
```
Milestone: 3.7.4
Assignee: Francesco Colista

## [3.7] glib: file permission vulnerability (CVE-2019-12450)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10578
Updated: 2019-07-23T11:06:53Z
Author: Alicha CH

file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-12450
### Patch:
https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174
*(from redmine: issue id 10578, created on 2019-06-14, closed on 2019-06-20)*
* Relations:
  * parent #10574
* Changesets:
  * Revision 6d61c0096ba308d340d865f9fc295ac6e88e1277 by Natanael Copa on 2019-06-17T09:42:04Z:
```
main/glib: security fix for CVE-2019-12450
fixes #10578
```
Milestone: 3.7.4
Assignee: Natanael Copa

## [3.7] dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (CVE-2019-12749)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10571
Updated: 2022-08-14T22:33:43Z
Author: Alicha CH

dbus is the reference implementation of D-Bus, an asynchronous inter-process communication system commonly used for system services or within a desktop session on Linux and other operating systems.

Joe Vennix of Apple Information Security discovered an implementation flaw in the DBUS_COOKIE_SHA1 authentication mechanism. A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.

This vulnerability does not normally affect the standard system dbus-daemon, which only allows the EXTERNAL authentication mechanism. In supported branches of dbus it also does not normally affect the standard session dbus-daemon, for the same reason.

However, this vulnerability can affect third-party users of DBusServer (such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon instances, standard dbus-daemon instances with non-standard configuration, and the session bus in older/unsupported dbus branches (such as dbus 1.6.x in Ubuntu 14.04 LTS).

Vulnerable versions: all < 1.10.28, 1.12.x < 1.12.16, 1.13.x < 1.13.12

Fixed versions: all >= 1.13.12, 1.12.x >= 1.12.16, 1.10.x >= 1.10.28
### References:
https://gitlab.freedesktop.org/dbus/dbus/issues/269
http://www.openwall.com/lists/oss-security/2019/06/11/2
### Patch:
https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016
*(from redmine: issue id 10571, created on 2019-06-13, closed on 2019-06-20)*
* Relations:
  * parent #10567
* Changesets:
  * Revision f85fc6d35df663ffa71b00201dcbde8cb5727322 by Natanael Copa on 2019-06-17T09:58:25Z:
```
main/dbus: upgrade to 1.10.28 (CVE-2019-12749)
fixes #10571
```
Milestone: 3.7.4
Assignee: Natanael Copa

## [3.7] libcroco: Multiple vulnerabilities (CVE-2017-7960, CVE-2017-7961, CVE-2017-8834, CVE-2017-8871)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10566
Updated: 2019-07-23T10:34:19Z
Author: Alicha CH

CVE-2017-7960: The cr_input_new_from_uri function in cr-input.c in libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted CSS file.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2017-7960
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394

CVE-2017-7961: The cr_tknzr_parse_rgb function in cr-tknzr.c in libcroco 0.6.11 and 0.6.12 has an "outside the range of representable values of type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted CSS file.
### References:
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7

CVE-2017-8834: The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 allows remote attackers to cause a denial of service (memory allocation error) via a crafted CSS file.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=782647
https://nvd.nist.gov/vuln/detail/CVE-2017-8834

CVE-2017-8871: The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted CSS file.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=782649
https://nvd.nist.gov/vuln/detail/CVE-2017-8871
*(from redmine: issue id 10566, created on 2019-06-13)*
* Relations:
  * parent #10563
Milestone: 3.7.4
Assignee: Leo

## [3.7] vim: arbitrary command execution in getchar.c (CVE-2019-12735)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10562
Updated: 2019-07-23T11:07:05Z
Author: Alicha CH

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.
### References:
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
### Patch:
https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040
*(from redmine: issue id 10562, created on 2019-06-13, closed on 2019-06-22)*
* Changesets:
  * Revision aaf594bc234db11d5ef457511b7b3cebb3bcba46 by Natanael Copa on 2019-06-22T07:30:19Z:
```
main/vim: backport fix for CVE-2019-12735
fixes #10562
```
Milestone: 3.7.4
Assignee: Natanael Copa

## [3.7] py-django: AdminURLFieldWidget XSS (CVE-2019-12308)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10561
Updated: 2019-07-23T11:07:06Z
Author: Alicha CH

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.
### Fixed In Version:
Django 2.2.2, Django 2.1.9, Django 1.11.21
### References:
https://docs.djangoproject.com/en/dev/releases/1.11.21/
https://www.openwall.com/lists/oss-security/2019/06/03/2
### Patch:
https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b
*(from redmine: issue id 10561, created on 2019-06-13, closed on 2019-06-26)*
* Relations:
  * parent #10557
* Changesets:
  * Revision 901a6212b9da2d67aced00bf967da681827a5f37 by Natanael Copa on 2019-06-25T21:09:56Z:
```
main/py-django: security upgrade to 1.11.21 (CVE-2019-12308)
fixes #10561
```
Milestone: 3.7.4
Assignee: Natanael Copa

## [3.7] heimdal: man-in-the-middle attack in function krb5_init_creds_step in lib/krb5/init_creds_pw.c (CVE-2019-12098)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10555
Updated: 2019-07-16T11:23:39Z
Author: Alicha CH

In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.
### References:
http://www.h5l.org/pipermail/heimdal-announce/2019-May/000009.html
https://nvd.nist.gov/vuln/detail/CVE-2019-12098
### Patch:
Fixed by:
https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf (7.6.0)
Introduced by:
https://github.com/heimdal/heimdal/commit/a1ef548600c5bb51cf52a9a9ea12676506ede19f (1.4.0)
*(from redmine: issue id 10555, created on 2019-06-12)*
* Relations:
  * parent #10551
* Changesets:
  * Revision c29e49eb3beddab5fba37d37713486319c12df8c by Natanael Copa on 2019-07-11T16:17:41Z:
```
main/heimdal: security fix for CVE-2019-12098
fixes #10555
```
Milestone: 3.7.4
Assignee: Natanael Copa

## [3.7] sqlite: Multiple vulnerabilities (CVE-2019-5018, CVE-2019-8457)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10540
Updated: 2019-07-24T10:29:43Z
Author: Alicha CH

CVE-2019-5018: use-after-free in window function leading to remote code execution
---------------------------------------------------------------------------------
An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.
### References:
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777
https://nvd.nist.gov/vuln/detail/CVE-2019-5018

CVE-2019-8457: heap out-of-bound read in function rtreenode()
-------------------------------------------------------------
SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.
### References:
https://www.sqlite.org/releaselog/3_28_0.html
https://nvd.nist.gov/vuln/detail/CVE-2019-8457
### Patch:
https://www.sqlite.org/src/info/90acdbfce9c08858
*(from redmine: issue id 10540, created on 2019-06-05)*
* Relations:
  * parent #10537
Milestone: 3.7.4
Assignee: Leo

## [3.7] libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion (CVE-2018-1000654)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10521
Updated: 2019-07-24T10:30:47Z
Author: Alicha CH

The ASN.1 library used in GNUTLS (libtasn1) through versions 4.13 allows for an infinite loop due to an issue in the _asn1_expand_object_id(p_tree) function. An attacker could exploit this via a crafted ASN.1 structure to cause high CPU usage until a resultant out-of-memory error.
### References:
https://gitlab.com/gnutls/libtasn1/issues/4
https://nvd.nist.gov/vuln/detail/CVE-2018-1000654
*(from redmine: issue id 10521, created on 2019-05-31)*
* Relations:
  * parent #10517
Milestone: 3.7.4
Assignee: Leo

## [3.7] heimdal: S4U2Self with unkeyed checksum (CVE-2018-16860)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10514
Updated: 2019-07-23T11:07:21Z
Author: Alicha CH

S4U2Self is an extension to Kerberos used in Active Directory to allow a service to request a kerberos ticket to itself from the Kerberos Key Distribution Center (KDC) for a non-Kerberos authenticated user (principal in Kerberos parlance). This is useful to allow internal code paths to be standardized around Kerberos.

S4U2Proxy (constrained-delegation) is an extension of this mechanism allowing this impersonation to a second service over the network. It allows a privileged server that obtained a S4U2Self ticket to itself to then assert the identity of that principal to a second service and present itself as that principal to get services from the second service.

There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal KDC checks the checksum that is placed on the S4U2Self packet by the server to protect the requested principal against modification, it does not confirm that the checksum algorithm that protects the user name (principal) in the request is keyed. This allows a man-in-the-middle attacker who can intercept the request to the KDC to modify the packet by replacing the user name (principal) in the request with any desired user name (principal) that exists in the KDC and replace the checksum protecting that name with a CRC32 checksum (which requires no prior knowledge to compute).

This would allow a S4U2Self ticket requested on behalf of user name (principal) user@EXAMPLE.COM to any service to be changed to a S4U2Self ticket with a user name (principal) of Administrator@EXAMPLE.COM. This ticket would then contain the PAC of the modified user name (principal).
### Affected Versions:
All releases of Heimdal from 0.8 including 7.5.0
### Reference:
https://github.com/heimdal/heimdal/commit/c6257cc2c842c0faaeb4ef34e33890ee88c4cbba
https://www.samba.org/samba/security/CVE-2018-16860.html
### Patch:
https://github.com/heimdal/heimdal/commit/c6257cc2c842c0faaeb4ef34e33890ee88c4cbba
*(from redmine: issue id 10514, created on 2019-05-30, closed on 2019-06-05)*
* Relations:
  * parent #10510
* Changesets:
  * Revision d3d301001ca95af4473c3a52c9bccd9950b7b04c on 2019-06-04T14:44:57Z:
```
main/heimdal: security fix (CVE-2018-16860)
Fixes #10514
Clarify license
```
Milestone: 3.7.4
Assignee: Natanael Copa

## [3.7] monit: Multiple vulnerabilities (CVE-2019-11454, CVE-2019-11455)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10494
Updated: 2019-07-23T11:07:38Z
Author: Alicha CH

CVE-2019-11454: cross-site scripting (XSS) in http/cervlet.c
------------------------------------------------------------
Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation.
### References:
https://github.com/dzflack/exploits/blob/master/unix/monit_xss.py
https://nvd.nist.gov/vuln/detail/CVE-2019-11454
### Patches:
https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c

CVE-2019-11455: buffer over-read in function Util_urlDecode in util.c
----------------------------------------------------------------------
A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit before 5.25.3 allows a remote authenticated attacker to retrieve the contents of adjacent memory via manipulation of GET or POST parameters. The attacker can also cause a denial of service (application outage).
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11455
### Patch:
https://bitbucket.org/tildeslash/monit/commits/f12d0cdb42d4e74dffe1525d4062c815c48ac57a
*(from redmine: issue id 10494, created on 2019-05-28, closed on 2019-06-05)*
* Relations:
  * parent #10491
* Changesets:
  * Revision 165df433b6fd3e30ce578c4f54946a2079aa963c on 2019-06-05T14:16:54Z:
```
main/monit: upgrade to 5.25.2, security fixes
CVE-2019-11454, CVE-2019-11455
Fixes #10494
```
Milestone: 3.7.4
Assignee: Natanael Copa

## [3.7] libjpeg-turbo: denial of service in get_8bit_row in rdbmp.c (CVE-2018-14498)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10437
Updated: 2019-07-23T10:32:28Z
Author: Alicha CH

get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.
### References:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/258
https://nvd.nist.gov/vuln/detail/CVE-2018-14498
### Patch:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9c78a04df4e44ef6487eee99c4258397f4fdca55
*(from redmine: issue id 10437, created on 2019-05-09)*
* Relations:
* Relations:
* parent #103063.7.4LeoLeohttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10435[3.7] perl-email-address: DOS vulnerability in perl module Email::Address (CV...2019-07-23T11:10:03ZAlicha CH[3.7] perl-email-address: DOS vulnerability in perl module Email::Address (CVE-2018-12558)The parse() method in the Email::Address module through 1.909 for Perl
is vulnerable
to Algorithmic complexity on specially prepared input, leading to Denial
of Service. Prepared
special input that caused this problem contained 30 fo...The parse() method in the Email::Address module through 1.909 for Perl
is vulnerable
to Algorithmic complexity on specially prepared input, leading to Denial
of Service. Prepared
special input that caused this problem contained 30 form-field
characters (“\\f”).
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-12558
https://www.openwall.com/lists/oss-security/2018/06/19/3
### Patch:
https://github.com/Perl-Email-Project/Email-Address/commit/aeaf0d7f1b0897b54cb246b8ac15d3ef177e5cae
*(from redmine: issue id 10435, created on 2019-05-09, closed on 2019-06-06)*
* Relations:
* parent #10430
* Changesets:
* Revision 18070a9ba09af91c141de190a77de4d154f310e4 on 2019-06-05T12:38:19Z:
```
main/perl-email-address: security upgrade to 1.912 (CVE-2018-12558)
Fixes #10435
```
Milestone: 3.7.4
Assignee: Natanael Copa

## [3.7] tcpflow: stack-based buffer over-read exists in setbit() at iptree.h (CVE-2018-18409)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10429
Updated: 2019-07-16T11:48:51Z
Author: Alicha CH

A stack-based buffer over-read exists in setbit() at iptree.h of TCPFLOW 1.5.0, due to received incorrect values causing incorrect computation, leading to denial of service during an address_histogram call or a get_histogram call.
### References:
https://github.com/simsong/tcpflow/issues/195
https://nvd.nist.gov/vuln/detail/CVE-2018-18409
### Patch:
https://github.com/simsong/tcpflow/commit/89c04b4fb0e46b3c4f1388686e83966e531cbea9
*(from redmine: issue id 10429, created on 2019-05-08)*
* Relations:
  * parent #10425
* Changesets:
  * Revision f9f4e0e8b1cc5aeab558b091c9a9d003303d1d6e by Natanael Copa on 2019-07-08T14:27:05Z:
```
main/tcpflow: backport fix for CVE-2018-18409
and remove unused patch
ref #10429
```
Milestone: 3.7.4
Assignee: Natanael Copa

## [3.7] wpa_supplicant: EAP-pwd message reassembly issue with unexpected fragment (CVE-2019-11555)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10417
Updated: 2019-07-23T11:10:11Z
Author: Alicha CH

The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL pointer dereference (denial of service). This affects eap_server/eap_server_pwd.c and eap_peer/eap_pwd.c.
### References:
https://www.openwall.com/lists/oss-security/2019/04/26/1
https://w1.fi/security/2019-5/
https://nvd.nist.gov/vuln/detail/CVE-2019-11555
*(from redmine: issue id 10417, created on 2019-05-07, closed on 2019-06-20)*
* Relations:
  * parent #10413
* Changesets:
  * Revision 8caec8957d86cbdfe758cbfba62dcb1b73514bc9 on 2019-06-05T07:30:50Z:
```
main/wpa_supplicant: security fix (CVE-2019-11555)
Fixes #10417
```
Milestone: 3.7.4
Assignee: Natanael Copa