# aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues (feed updated 2021-07-18T07:23:51Z)

## [3.7] openssh: Multiple vulnerabilities (CVE-2018-20685, CVE-2019-6109, CVE-2019-6111)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9999 (author: Alicha CH, updated 2021-07-18T07:23:51Z)

**CVE-2018-20685**: In OpenSSH 7.9, scp.c in the scp client allows
remote SSH servers to bypass intended access restrictions via a
filename of `.` or an empty filename. The impact is modifying the
permissions of the target directory on the client side.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-20685
https://marc.info/?l=oss-security&m=154745764812881&w=2
### Patch:
https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2
**CVE-2019-6109**: An issue was discovered in OpenSSH 7.9. Due to
missing character encoding in the progress display, a malicious server
(or Man-in-The-Middle attacker) can employ crafted object names to
manipulate the client output, e.g., by using ANSI control codes to hide
additional files being transferred. This affects
refresh_progress_meter() in progressmeter.c.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-6109
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
### Patch:
https://github.com/openssh/openssh-portable/commit/8976f1c4b2721c26e878151f52bdf346dfe2d54c
possibly additionally needed:
https://github.com/openssh/openssh-portable/commit/bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb
**CVE-2019-6111**: An issue was discovered in OpenSSH 7.9. Due to the
scp implementation being derived from 1983 rcp, the server chooses which
files/directories are sent to the client. However, the scp client only
performs cursory validation of the object name returned (only directory
traversal attacks are prevented). A malicious scp server (or
Man-in-The-Middle attacker) can overwrite arbitrary files in the scp
client target directory. If recursive operation (-r) is performed, the
server can manipulate subdirectories as well (for example, to overwrite
the .ssh/authorized_keys file).
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-6111
### Patch:
https://github.com/openssh/openssh-portable/commit/391ffc4b9d31fa1f4ad566499fef9176ff8a07dc
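Taken together, the three fixes above add three client-side checks to a remote-to-local copy: refuse names that should never come back from a server (CVE-2018-20685), compare every name the server sends against the glob the user actually requested (CVE-2019-6111), and escape names before they reach the terminal (CVE-2019-6109). The C below is an added illustration of those checks, not code from OpenSSH or from the Alpine patch. The function names are this example's own, the FNM_PERIOD flag and the replacement of unsafe bytes with '?' are its choices (OpenSSH uses its own escaping routines), and the server responses in main() are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Names that must never be accepted from the server side of a remote-to-local
 * copy: empty, "." and ".." (the CVE-2018-20685 cases let the server change
 * the target directory's mode), and anything containing '/' (traversal). */
bool scp_name_is_wellformed(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    if (strchr(name, '/') != NULL)
        return false;
    return true;
}

/* CVE-2019-6111 class: the server picks the file names, so the client must
 * check each one against what the user actually asked for. `pattern` is the
 * remote path component the user typed ("*.log", "report.pdf", ...).
 * FNM_PERIOD is this example's choice: a leading '.' must be matched
 * explicitly, so "*" never pulls in ".bashrc" or ".ssh". */
bool scp_name_matches_request(const char *pattern, const char *name)
{
    if (!scp_name_is_wellformed(name))
        return false;
    return fnmatch(pattern, name, FNM_PERIOD) == 0;
}

/* CVE-2019-6109 class: a file name is attacker-controlled bytes that end up
 * on the user's terminal. Keep printable ASCII only; ESC (0x1b), other
 * control bytes and bytes >= 0x7f become '?', so an ANSI sequence such as
 * "\x1b[2K" (erase line) cannot hide a transferred file.
 * Writes at most outlen-1 bytes plus a terminating NUL; returns the number
 * of bytes written (NUL not counted). */
size_t scp_sanitize_for_display(const char *name, char *out, size_t outlen)
{
    size_t w = 0;
    if (outlen == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p != '\0'; p++) {
        if (w + 1 >= outlen)
            break;
        out[w++] = (*p >= 0x20 && *p < 0x7f) ? (char)*p : '?';
    }
    out[w] = '\0';
    return w;
}

/* Convenience wrapper with a static buffer (not thread-safe), so the
 * sanitized string can be checked or printed in one call. */
const char *scp_display_name(const char *name)
{
    static char buf[256];
    scp_sanitize_for_display(name, buf, sizeof buf);
    return buf;
}

int main(void)
{
    /* Constructed server responses: one honest, three hostile. */
    const char *pattern = "*.log";
    const char *responses[] = { "syslog.log", ".", "authorized_keys", "a\x1b[2Kb.log" };
    for (size_t i = 0; i < sizeof responses / sizeof responses[0]; i++) {
        const char *r = responses[i];
        printf("%-16s %s\n", scp_display_name(r),
               scp_name_matches_request(pattern, r) ? "accept" : "REJECT");
    }
    return 0;
}
```

The last response is a legitimate name that happens to contain an escape sequence; it is accepted by the glob check, which is why the display step is a separate check and not folded into the first two.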
*(from redmine: issue id 9999, created on 2019-02-20, closed on 2019-03-05)*
* Relations:
* parent #9995
* Changesets:
* Revision cfa04666c50b8dfbe34b6ac8e6b177add54ce649 on 2019-03-04T15:08:29Z:
```
main/openssh: security fixes
CVE-2018-20685, CVE-2019-6109, CVE-2019-6111
Rebased HPN patch, included upstream patch due to a regression bug caused by the CVE-2019-6109 fix
Fixes #9999
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] py-django: Content spoofing via URL path in default 404 page (CVE-2019-3498)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9835 (author: Alicha CH, updated 2020-01-18T00:12:52Z)

Django before versions 1.11.18, 2.0.10 and 2.1.5 is vulnerable to
content spoofing via crafted URL in the default 404 page.
An attacker could craft a malicious URL that could make spoofed content
appear on the default page generated
by the django.views.defaults.page_not_found() view.
### Fixed In Version:
python-django 1.11.18, python-django 2.0.10, python-django 2.1.5
### References:
https://www.djangoproject.com/weblog/2019/jan/04/security-releases/
### Patch:
https://github.com/django/django/commit/1cd00fcf52d089ef0fe03beabd05d59df8ea052a
*(from redmine: issue id 9835, created on 2019-01-09, closed on 2019-02-19)*
* Relations:
* parent #9832
* Changesets:
* Revision efea0b2841657c90aec0a76835d84fbc2ed2cfb9 on 2019-02-04T11:27:46Z:
```
main/py-django: security upgrade to 1.11.18 (CVE-2019-3498)
Fixes #9835
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] libao: Invalid memory allocation in _tokenize_matrix function in audio_out.c (CVE-2017-11548)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9210 (author: Alicha CH, updated 2019-07-23T11:24:09Z)

The _tokenize_matrix function in audio_out.c in Xiph.Org libao 1.2.0
allows remote attackers to cause
a denial of service (memory corruption) via a crafted MP3 file.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2017-11548
http://seclists.org/fulldisclosure/2017/Jul/84
*(from redmine: issue id 9210, created on 2018-08-08, closed on 2018-12-06)*
* Relations:
* copied_to #9207
* parent #9207
* Changesets:
* Revision e31e4436408d168bc3b7ca4c27163e80101a874f by Natanael Copa on 2018-12-04T12:20:14Z:
```
main/libao: security fix for CVE-2017-11548
fixes #9210
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] spice: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service (CVE-2018-10873)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9308 (author: Alicha CH, updated 2019-07-23T11:22:53Z)

A vulnerability was discovered in SPICE before version 0.14.1 where the
generated code used for demarshalling messages
lacked sufficient bounds checks. A malicious client or server, after
authentication, could send specially crafted messages
to its peer which would result in a crash or, potentially, other
impacts.
### References:
http://openwall.com/lists/oss-security/2018/08/17/1
https://nvd.nist.gov/vuln/detail/CVE-2018-10873
### Patch:
https://gitlab.freedesktop.org/spice/spice-common/commit/bb15d4815ab586b4c4a20f4a565970a44824c42c
*(from redmine: issue id 9308, created on 2018-08-21, closed on 2018-11-08)*
* Relations:
* copied_to #9305
* parent #9305
* Changesets:
* Revision 9a0074177b1efee56bc3f82db0651fa656877d9e on 2018-11-07T13:58:06Z:
```
main/spice: security upgrade to 0.14.1 (CVE-2018-10873)
Fixes #9308
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] openssh: User enumeration via malformed packets in authentication requests (CVE-2018-15473)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9319 (author: Alicha CH, updated 2019-07-23T11:22:46Z)

OpenSSH through 7.7 is prone to a user enumeration vulnerability due to
not delaying bailout for
an invalid authenticating user until after the packet containing the
request has been fully parsed,
related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
### References:
http://www.openwall.com/lists/oss-security/2018/08/15/5
https://nvd.nist.gov/vuln/detail/CVE-2018-15473
### Patch:
https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
*(from redmine: issue id 9319, created on 2018-08-22, closed on 2018-09-20)*
* Relations:
* parent #9316
* Changesets:
* Revision db649bc3a2755f56372cc2abae87e42e5285e44f by Natanael Copa on 2018-09-20T10:23:51Z:
```
main/openssh: backport security fix (CVE-2018-15473)
fixes #9319
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] dropbear: User enumeration vulnerability (CVE-2018-15599)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9349 (author: Alicha CH, updated 2019-07-23T11:22:26Z)

The recv_msg_userauth_request function in svr-auth.c in Dropbear through
2018.76 is prone to a user enumeration vulnerability because username
validity affects how fields in SSH_MSG_USERAUTH messages are handled, a
similar issue to CVE-2018-15473 in an unrelated codebase.
### References:
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html
https://nvd.nist.gov/vuln/detail/CVE-2018-15599
### Patch:
https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00
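This Dropbear issue and the OpenSSH CVE-2018-15473 issue above are the same class: the server decides whether the user exists before it has finished parsing the authentication request, so a deliberately malformed SSH_MSG_USERAUTH_REQUEST is answered differently for valid and invalid names. The C below is an added model of that oracle and of the fix (parse everything, then decide), written for this page and not taken from OpenSSH or Dropbear. The two packet bodies are constructed and carry only the publickey-specific fields of RFC 4252 section 7 (boolean, algorithm string, key blob string), and the two response codes are a simplification of what the real servers send.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcomes an unauthenticated client can tell apart. */
typedef enum { RESP_AUTH_FAILURE, RESP_DISCONNECT } resp_t;

/* Read one SSH "string" (uint32 big-endian length + bytes) at *off.
 * Returns false if the packet is truncated. */
static bool get_string(const uint8_t *pkt, size_t len, size_t *off,
                       const uint8_t **s, size_t *slen)
{
    if (*off + 4 > len)
        return false;
    uint32_t n = ((uint32_t)pkt[*off] << 24) | ((uint32_t)pkt[*off + 1] << 16) |
                 ((uint32_t)pkt[*off + 2] << 8) | pkt[*off + 3];
    *off += 4;
    if (n > len - *off)
        return false;
    *s = pkt + *off;
    *slen = n;
    *off += n;
    return true;
}

/* Parse the publickey method fields: boolean, string algorithm, string key. */
static bool parse_pubkey_fields(const uint8_t *pkt, size_t len)
{
    const uint8_t *s;
    size_t slen, off = 0;
    if (len < 1)
        return false;
    off = 1;                                          /* boolean */
    return get_string(pkt, len, &off, &s, &slen) &&   /* algorithm name */
           get_string(pkt, len, &off, &s, &slen);     /* key blob */
}

/* Vulnerable shape: bail out as soon as the user is unknown, before the
 * rest of the packet has been parsed. A malformed packet then yields
 * AUTH_FAILURE for unknown users but DISCONNECT (parse error is fatal)
 * for known ones: the oracle behind CVE-2018-15473 / CVE-2018-15599. */
resp_t userauth_pubkey_vulnerable(bool user_known, const uint8_t *pkt, size_t len)
{
    if (!user_known)
        return RESP_AUTH_FAILURE;
    if (!parse_pubkey_fields(pkt, len))
        return RESP_DISCONNECT;
    return RESP_AUTH_FAILURE;   /* no key is authorized in this model */
}

/* Fixed shape: parse everything first, then consult user validity, so a
 * malformed packet is rejected identically whatever the user name. */
resp_t userauth_pubkey_fixed(bool user_known, const uint8_t *pkt, size_t len)
{
    if (!parse_pubkey_fields(pkt, len))
        return RESP_DISCONNECT;
    if (!user_known)
        return RESP_AUTH_FAILURE;
    return RESP_AUTH_FAILURE;   /* key lookup would go here; none authorized */
}

/* Constructed packet bodies. MALFORMED claims a 4096-byte key blob that is
 * not there; WELLFORMED is consistent. */
static const uint8_t MALFORMED[]  = { 0x01, 0,0,0,7, 's','s','h','-','r','s','a', 0,0,0x10,0 };
static const uint8_t WELLFORMED[] = { 0x00, 0,0,0,7, 's','s','h','-','r','s','a', 0,0,0,3, 'k','e','y' };

/* True if the handler answers differently for a known and an unknown user,
 * i.e. if the packet works as an enumeration probe against that handler. */
bool oracle_exists(resp_t (*h)(bool, const uint8_t *, size_t), const uint8_t *pkt, size_t len)
{
    return h(true, pkt, len) != h(false, pkt, len);
}

int main(void)
{
    printf("malformed probe, vulnerable handler: oracle=%d\n",
           oracle_exists(userauth_pubkey_vulnerable, MALFORMED, sizeof MALFORMED));
    printf("malformed probe, fixed handler:      oracle=%d\n",
           oracle_exists(userauth_pubkey_fixed, MALFORMED, sizeof MALFORMED));
    return 0;
}
```

The timing side of the same bug (the early return is also faster) is not modelled here; a real fix has to close both the response and the timing difference.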
*(from redmine: issue id 9349, created on 2018-08-28, closed on 2018-11-08)*
* Relations:
* parent #9346
* Changesets:
* Revision 170fca277e13753265ff981c27e1c59d2488a99d by Natanael Copa on 2018-09-20T08:34:53Z:
```
main/dropbear: backport security fix (CVE-2018-15599)
fixes #9349
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] dnsmasq: Improper validation of wildcard synthesized NSEC records (CVE-2017-15107)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9378 (author: Alicha CH, updated 2019-07-23T11:22:00Z)

A vulnerability was found in the implementation of DNSSEC in Dnsmasq up
to and including 2.78. Wildcard synthesized
NSEC records could be improperly interpreted to prove the non-existence
of hostnames that actually exist.
### References:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q1/011896.html
https://nvd.nist.gov/vuln/detail/CVE-2017-15107
### Patch:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=4fe6744a220eddd3f1749b40cac3dfc510787de6
*(from redmine: issue id 9378, created on 2018-09-04, closed on 2018-09-20)*
* Relations:
* parent #9377
* Changesets:
* Revision cc3d92312d674250637dad701c603e3fdfedfb4e by Natanael Copa on 2018-09-20T07:52:58Z:
```
main/dnsmasq: backport security fix (CVE-2017-15107)
fixes #9378
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] ghostscript: Multiple vulnerabilities (CVE-2018-10194, CVE-2018-15908, CVE-2018-15909, CVE-2018-15910, CVE-2018-15911)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9384 (author: Alicha CH, updated 2019-07-23T11:21:53Z)

**CVE-2018-10194**: The set_text_distance function in
devices/vector/gdevpdts.c in the pdfwrite component in Artifex
Ghostscript
through 9.22 does not prevent overflows in text-positioning calculation,
which allows remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a
crafted PDF document.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-10194
http://www.openwall.com/lists/oss-security/2018/04/19/5
### Patch:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879
**CVE-2018-15908**: In Artifex Ghostscript 9.23 before 2018-08-23,
attackers are able to supply malicious
PostScript files to bypass .tempfile restrictions and write files.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-15908
### Patch:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0d3901189f245232f0161addf215d7268c4d05a3
**CVE-2018-15909**: In Artifex Ghostscript 9.23 before 2018-08-24, a
type confusion using the .shfill operator could be used by
attackers able to supply crafted PostScript files to crash the
interpreter or potentially execute code.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-15909
### Patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0b6cd1918e1ec4ffd087400a754a845180a4522b
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e01e77a36cbb2e0277bc3a63852244bec41be0f6
**CVE-2018-15910**: In Artifex Ghostscript 9.23 before 2018-08-23,
attackers able to supply crafted PostScript files
could use a type confusion in the LockDistillerParams parameter to crash
the interpreter or execute code.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-15910
### Patch:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=c3476dde7743761a4e1d39a631716199b696b880
**CVE-2018-15911**: In Artifex Ghostscript 9.23 before 2018-08-24,
attackers able to supply crafted PostScript could use uninitialized
memory access in the aesdecode operator to crash the interpreter or
potentially execute code.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-15911
### Patch:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8e9ce5016db968b40e4ec255a3005f2786cce45f
*(from redmine: issue id 9384, created on 2018-09-04, closed on 2018-09-20)*
* Relations:
* parent #9381
* Changesets:
* Revision 0c81d393f55e12aad1694ac3ee4ed2b865527f6f by Andy Postnikov on 2018-09-20T08:02:07Z:
```
main/ghostscript: security upgrade to 9.24
CVE-2018-15908, CVE-2018-15909, CVE-2018-15910, CVE-2018-15911
CVE-2018-10194
fixes #9384
(cherry picked from commit c13758613f3110e14c2e9eda818406f235d996c1)
```
Milestone: 3.7.2.

## [3.7] curl: NTLM password overflow via integer overflow (CVE-2018-14618)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9395 (author: Alicha CH, updated 2019-07-23T11:21:45Z)

The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of
the password by two (SUM) to figure out how large a temporary storage area
to allocate from the heap. The length value is then used to iterate over
the password and generate output into the allocated storage buffer. On
systems with a 32-bit size_t, the math to calculate SUM triggers an integer
overflow when the password length exceeds 2GB (2^31 bytes). This integer
overflow usually causes a very small buffer to be allocated instead of the
intended very large one, so the use of that buffer ends up in a heap buffer
overflow.
### Affected versions:
libcurl 7.15.4 to and including 7.61.0
### Not affected versions:
libcurl < 7.15.4 and >= 7.61.1
### References:
https://curl.haxx.se/docs/CVE-2018-14618.html
### Patch:
https://github.com/curl/curl/commit/57d299a499155d4b327e341c6024e293b0418243.patch
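The arithmetic behind the advisory, as an added example rather than curl's code: a 32-bit `size_t` is emulated with `uint32_t` so the wrap is visible on a 64-bit build, and the check the fixed code needs (reject before multiplying) is shown next to the unchecked form. Function names are this example's own; the ASCII-to-UTF-16LE widening loop mirrors what the NT hash step does with the SUM-sized buffer, which is where the short allocation gets overrun.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A 32-bit "size_t" so the wrap is visible on a 64-bit host as well. */
typedef uint32_t size32_t;

/* The vulnerable shape (illustrative, not curl's code): SUM = len * 2 is
 * computed in size32_t, so for len >= 2^31 it wraps and the caller
 * allocates a tiny buffer for a huge password. */
size32_t vuln_nt_hash_bufsize(size32_t len)
{
    return len * 2;
}

/* Hardened shape: check before multiplying. len * 2 is representable
 * exactly when len <= UINT32_MAX / 2. */
bool nt_hash_size_ok(size32_t len)
{
    return len <= UINT32_MAX / 2;
}

/* Widen an ASCII password to UTF-16LE (each byte followed by 0x00), the
 * step whose output buffer is sized by SUM. Returns a malloc'd buffer of
 * exactly len * 2 bytes, or NULL when the size is not representable; the
 * check runs before pw is read, so an oversized len never touches memory. */
uint8_t *nt_hash_widen(const char *pw, size32_t len)
{
    if (!nt_hash_size_ok(len))
        return NULL;
    size32_t sum = len * 2;          /* cannot wrap after the check */
    uint8_t *out = malloc(sum ? sum : 1);
    if (out == NULL)
        return NULL;
    for (size32_t i = 0; i < len; i++) {
        out[2 * i] = (uint8_t)pw[i];
        out[2 * i + 1] = 0x00;
    }
    return out;
}

int main(void)
{
    size32_t huge = 0x80000001u;     /* 2 GiB + 1 byte */
    printf("vulnerable: len=%u -> allocates %u bytes\n",
           (unsigned)huge, (unsigned)vuln_nt_hash_bufsize(huge));
    printf("hardened:   len=%u -> %s\n",
           (unsigned)huge, nt_hash_size_ok(huge) ? "ok" : "rejected");
    uint8_t *w = nt_hash_widen("abc", 3);
    if (w != NULL) {
        printf("widened \"abc\" to %u bytes: %02x %02x %02x %02x %02x %02x\n",
               (unsigned)vuln_nt_hash_bufsize(3), w[0], w[1], w[2], w[3], w[4], w[5]);
        free(w);
    }
    return 0;
}
```

On a real 64-bit build of curl the multiplication does not wrap, which is why the advisory scopes the bug to 32-bit size_t targets; the check is still the right shape everywhere, since the same pattern recurs with `len * sizeof(...)` on any width.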
*(from redmine: issue id 9395, created on 2018-09-06, closed on 2018-09-20)*
* Relations:
* parent #9392
* Changesets:
* Revision df67baba4917987405ef39567974697f7ff6c0ed by Natanael Copa on 2018-09-19T11:28:57Z:
```
main/curl: security upgrade to 7.61.1 (CVE-2018-14618)
fixes #9395
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] libjpeg-turbo: Multiple vulnerabilities (CVE-2017-15232, CVE-2018-1152, CVE-2018-11813)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9429 (author: Alicha CH, updated 2019-07-23T11:21:26Z)

**CVE-2017-15232**: libjpeg-turbo 1.5.2 has a NULL Pointer Dereference
in jdpostct.c and jquant1.c
via a crafted JPEG file.
### References:
https://github.com/libjpeg-turbo/libjpeg-turbo/pull/182
https://nvd.nist.gov/vuln/detail/CVE-2017-15232
**CVE-2018-1152**: libjpeg-turbo 1.5.90 is vulnerable to a denial of
service caused by a divide by zero when processing a crafted BMP image.
### Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-1152
### Patch:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61ddddbc6
**CVE-2018-11813**: the cjpeg utility enters a large loop because read_pixel
in rdtarga.c mishandles EOF.
### Reference:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/242
### Patch:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/19074854d9d8bc32dff3ed252eed17ed6cc2ecfc
*(from redmine: issue id 9429, created on 2018-09-20, closed on 2018-09-27)*
* Relations:
* parent #9426
* Changesets:
* Revision 01568379c03fee752d2d2db8bf4f352c547192a8 by Natanael Copa on 2018-09-25T12:48:08Z:
```
main/libjpeg-turbo: backport security fix (CVE-2018-11813)
fixes #9429
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] ghostscript: Incorrect "restoration of privilege" checking when running out of stack during exception handling (CVE-2018-16802)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9435 (author: Alicha CH, updated 2019-07-23T11:21:19Z)

An issue was discovered in Artifex Ghostscript before 9.25. Incorrect
"restoration of privilege" checking when running out of stack during
exception handling could be used by attackers able to supply crafted
PostScript to execute code using the "pipe" instruction. This is due to an
incomplete fix for CVE-2018-16509.
### References:
https://seclists.org/oss-sec/2018/q3/228
https://seclists.org/oss-sec/2018/q3/229
https://seclists.org/oss-sec/2018/q3/233
### Patches:
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=643b24db
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3e5d316b
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5812b1b7
*(from redmine: issue id 9435, created on 2018-09-20, closed on 2018-11-08)*
* Relations:
* parent #9432
* Changesets:
* Revision eaab452ca7ff4f35cd8997f0d3f85c517908963f on 2018-11-07T07:50:51Z:
```
main/ghostscript: security upgrade to 9.25 (CVE-2018-16802)
Fixes #9435
```
Milestone: 3.7.2.

## [3.7] pango: application crash triggered by unicode chars in pango-emoji.c (CVE-2018-15120)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9450 (author: Alicha CH, updated 2019-07-23T11:21:09Z)

A flaw was found in Pango versions 1.40.8 and later. Typing certain invalid
Emoji sequences into a GTK+ application can trigger a reachable assertion,
resulting in an application crash.
### Fixed In Version:
pango 1.42.4
### References:
https://mail.gnome.org/archives/distributor-list/2018-August/msg00001.html
https://nvd.nist.gov/vuln/detail/CVE-2018-15120
### Patch:
https://gitlab.gnome.org/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5f
*(from redmine: issue id 9450, created on 2018-09-21, closed on 2018-11-08)*
* Relations:
* parent #9448
* Changesets:
* Revision 648d75ad65dee2318f7993e58e83cd26b64e291f on 2018-11-06T15:49:41Z:
```
main/pango: security fix (CVE-2018-15120)
Fixes #9450
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] hylafax: JPEG support code execution (CVE-2018-17141)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9458 (author: Alicha CH, updated 2019-07-23T11:21:01Z)

HylaFAX 6.0.6 and HylaFAX+ 5.6.0 allow remote attackers to execute
arbitrary code via a dial-in session that provides a FAX page
with the JPEG bit enabled, which is mishandled in
FaxModem::writeECMData() in the faxd/CopyQuality.c++ file.
### References:
https://www.openwall.com/lists/oss-security/2018/09/20/1
https://nvd.nist.gov/vuln/detail/CVE-2018-17141
### Patch:
http://git.hylafax.org/HylaFAX?a=commit;h=82fa7bdbffc253de4d3e80a87d47fdbf68eabe36
*(from redmine: issue id 9458, created on 2018-09-24, closed on 2018-10-09)*
* Relations:
* parent #9455
* Changesets:
* Revision 85e4531b6a91a13519196be452785cd3147cd5df on 2018-10-09T06:38:43Z:
```
main/hylafax: security fix (CVE-2018-17141)
Fixes #9458
```
Milestone: 3.7.2.

## [3.7] bind: Update policies krb5-subdomain and ms-subdomain (CVE-2018-5741)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9464 (author: Alicha CH, updated 2019-07-23T11:20:56Z)

In order to provide fine-grained controls over the ability to use
Dynamic DNS (DDNS) to update records in a zone, BIND provides a feature
called update-policy. Various rules can be configured to limit the types
of updates that can be performed by a client, depending on the key used
when sending the update request. Unfortunately some rule types were not
initially documented, and when documentation for them was added to the
Administrator Reference Manual (ARM) in change, the language that was
added to the ARM at that time incorrectly described the behavior of two
rule types, krb5-subdomain and ms-subdomain. This incorrect
documentation could mislead operators into believing that policies they
had configured were more restrictive than they actually were.
### Versions affected:
The behavior described is present in all versions of BIND 9 which
contain the krb5-subdomain and ms-subdomain update
policies prior to our upcoming maintenance releases, BIND 9.11.5 and
9.12.3. However, the misleading documentation
is not present in all versions.
### References:
https://kb.isc.org/docs/cve-2018-5741
https://www.openwall.com/lists/oss-security/2018/09/19/11
*(from redmine: issue id 9464, created on 2018-09-25, closed on 2018-12-04)*
* Relations:
* parent #9461
* Changesets:
* Revision 6f40ae0c65be42bfa15f7d4c08b7ebd55a3ea4b2 by Natanael Copa on 2018-11-29T15:57:02Z:
```
main/bind: security upgrade to 9.12.3 (CVE-2018-5741)
fixes #9464
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs (CVE-2018-10855)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9468 (author: Alicha CH, updated 2019-07-23T11:20:52Z)

Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the
no_log task flag for failed tasks. When the no_log flag has been
used to protect sensitive data passed to a task from being logged, and
that task does not run successfully, Ansible will expose
sensitive data in log files and on the terminal of the user running
Ansible.
Unsure if it affects alpine 3.6 and 3.5.
### References:
https://github.com/ansible/ansible/blob/stable-2.4/CHANGELOG.md
https://nvd.nist.gov/vuln/detail/CVE-2018-10855
*(from redmine: issue id 9468, created on 2018-09-25, closed on 2018-09-27)*
* Relations:
* parent #9467
* Changesets:
* Revision c8cfbf0fff5d6a234f77f55ac03d9b0c31f4f5a1 by Natanael Copa on 2018-09-27T07:44:52Z:
```
main/ansible: security upgrade to 2.4.6.0 (CVE-2018-10855)
fixes #9468
```
Milestone: 3.7.2.

## [3.7] strongswan: Multiple vulnerabilities (CVE-2018-16151, CVE-2018-16152)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9485 (author: Alicha CH, updated 2019-07-23T11:20:38Z)

**CVE-2018-16151**: In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c
in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA
implementation based on GMP does not reject excess data after the encoded
algorithm OID during PKCS#1 v1.5 signature verification. Similar to the flaw
in the same version of strongSwan regarding digestAlgorithm.parameters, a
remote attacker can forge signatures when small public exponents are being
used, which could lead to impersonation when only an RSA signature is used
for IKEv2 authentication.
### References:
https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html
https://nvd.nist.gov/vuln/detail/CVE-2018-16151
### Patches:
https://download.strongswan.org/patches/27_gmp_pkcs1_verify_patch/strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
https://download.strongswan.org/patches/27_gmp_pkcs1_verify_patch/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch
**CVE-2018-16152**: In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c
in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA
implementation based on GMP does not reject excess data in the
digestAlgorithm.parameters field during PKCS#1 v1.5 signature verification.
Consequently, a remote attacker can forge signatures when small public
exponents are being used, which could lead to impersonation when only an RSA
signature is used for IKEv2 authentication.
### References:
https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-16152
### Patches:
https://download.strongswan.org/patches/27_gmp_pkcs1_verify_patch/strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
https://download.strongswan.org/patches/27_gmp_pkcs1_verify_patch/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch
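The two strongSwan bugs are instances of one class: a PKCS#1 v1.5 verifier that parses the decoded signature leniently and tolerates bytes it did not expect. With a small public exponent (e = 3) an attacker can then search for a value that is a perfect cube and still parses, the forgery Bleichenbacher described in 2006, which is why the advisory scopes the impact to small exponents. The C below is an added example, not strongSwan's code: a lenient verifier of that class next to a strict one that rebuilds the single valid encoding for the modulus length and compares it whole, the comparison RFC 8017 section 8.2.2 prescribes. The lenient form here tolerates bytes after the digest rather than inside digestAlgorithm.parameters or after the OID, so it models the class and not the exact strongSwan parsing path. The digest value and the 2048-bit modulus length are constructed for the demonstration; the SHA-256 DigestInfo prefix is the standard one from RFC 8017.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1):
 * SEQUENCE { SEQUENCE { OID 2.16.840.1.101.3.4.2.1, NULL }, OCTET STRING(32) } */
static const uint8_t SHA256_DIGESTINFO_PREFIX[] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
    0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
};
#define SHA256_LEN 32
#define DI_LEN (sizeof(SHA256_DIGESTINFO_PREFIX) + SHA256_LEN)

/* Lenient (flawed) verifier: walks the padding, matches DigestInfo and the
 * digest after the 0x00 separator, but never requires the digest to be the
 * LAST thing in EM. Everything after it is attacker-controlled slack. */
bool pkcs1_v15_verify_lenient(const uint8_t *em, size_t emlen, const uint8_t *digest)
{
    if (emlen < 11 + DI_LEN || em[0] != 0x00 || em[1] != 0x01)
        return false;
    size_t i = 2;
    while (i < emlen && em[i] == 0xff)
        i++;
    if (i < 10 || i >= emlen || em[i] != 0x00)   /* PS must be >= 8 bytes */
        return false;
    i++;
    if (emlen - i < DI_LEN)
        return false;
    if (memcmp(em + i, SHA256_DIGESTINFO_PREFIX, sizeof SHA256_DIGESTINFO_PREFIX) != 0)
        return false;
    return memcmp(em + i + sizeof SHA256_DIGESTINFO_PREFIX, digest, SHA256_LEN) == 0;
    /* Missing: i + DI_LEN == emlen. */
}

/* Strict verifier: there is exactly one valid EM for this emlen and digest;
 * build it and compare the whole thing, so no byte can be slack. */
bool pkcs1_v15_verify_strict(const uint8_t *em, size_t emlen, const uint8_t *digest)
{
    uint8_t expected[512];
    if (emlen > sizeof expected || emlen < 11 + DI_LEN)
        return false;
    size_t pslen = emlen - 3 - DI_LEN;
    expected[0] = 0x00;
    expected[1] = 0x01;
    memset(expected + 2, 0xff, pslen);
    expected[2 + pslen] = 0x00;
    memcpy(expected + 3 + pslen, SHA256_DIGESTINFO_PREFIX, sizeof SHA256_DIGESTINFO_PREFIX);
    memcpy(expected + 3 + pslen + sizeof SHA256_DIGESTINFO_PREFIX, digest, SHA256_LEN);
    return memcmp(em, expected, emlen) == 0;
}

/* Constructed stand-in for SHA-256(message); not a real hash. */
static const uint8_t DEMO_DIGEST[SHA256_LEN] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc,
    0xdd, 0xee, 0xff, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10
};

/* Build a 256-byte EM (2048-bit modulus) for DEMO_DIGEST whose padding is
 * `garbage` bytes shorter than it should be, with that many attacker bytes
 * appended after the digest, then run the chosen verifier on it. */
bool demo_verify(size_t garbage, bool strict)
{
    uint8_t em[256];
    size_t emlen = sizeof em;
    size_t pslen = emlen - 3 - DI_LEN - garbage;
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xff, pslen);
    em[2 + pslen] = 0x00;
    memcpy(em + 3 + pslen, SHA256_DIGESTINFO_PREFIX, sizeof SHA256_DIGESTINFO_PREFIX);
    memcpy(em + 3 + pslen + sizeof SHA256_DIGESTINFO_PREFIX, DEMO_DIGEST, SHA256_LEN);
    memset(em + emlen - garbage, 0xa5, garbage);   /* attacker-chosen slack */
    return strict ? pkcs1_v15_verify_strict(em, emlen, DEMO_DIGEST)
                  : pkcs1_v15_verify_lenient(em, emlen, DEMO_DIGEST);
}

int main(void)
{
    printf("valid EM:          lenient=%d strict=%d\n", demo_verify(0, false), demo_verify(0, true));
    printf("16 trailing bytes: lenient=%d strict=%d\n", demo_verify(16, false), demo_verify(16, true));
    return 0;
}
```

The slack is what makes a small-exponent forgery feasible: the attacker needs a region of EM whose value they may choose freely so that the whole number can be made a perfect e-th power. A verifier that compares the complete expected encoding leaves no such region, regardless of where in the DER structure a parser might otherwise have been lenient.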
*(from redmine: issue id 9485, created on 2018-09-27, closed on 2018-10-04)*
* Relations:
* parent #9482
* Changesets:
* Revision 2f0878ed064f5b397f15426c9141880a36754a99 by Natanael Copa on 2018-10-02T12:22:52Z:
```
main/strongswan: backport security fix (CVE-2018-16151, CVE-2018-16152)
fixes #9485
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] gd: Double free in src/gd_bmp.c:gdImageBmpPtr() via crafted JPEG (CVE-2018-1000222)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9500 (author: Alicha CH, updated 2019-07-23T11:20:29Z)

Libgd version 2.2.5 contains a double free vulnerability in the gdImageBmpPtr
function that can result in remote code execution. The issue appears to be
exploitable via a specially crafted JPEG image that triggers the double free.
This vulnerability appears to have been fixed in commit
ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5.
### References:
https://github.com/libgd/libgd/issues/447
https://nvd.nist.gov/vuln/detail/CVE-2018-1000222
### Patch:
https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5
*(from redmine: issue id 9500, created on 2018-10-02, closed on 2018-10-04)*
* Relations:
* parent #9497
* Changesets:
* Revision c128b589236dc1ca58758abeda2124e078c34767 by Natanael Copa on 2018-10-02T14:05:50Z:
```
main/gd: backport security fix for CVE-2018-1000222
fixes #9500
```
Milestone: 3.7.2. Assignee: Carlo Landmeter.

## [3.7] strongswan: heap buffer overflow using crafted certificates (CVE-2018-17540)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9517 (author: Alicha CH, updated 2019-07-23T11:20:16Z)

The gmp plugin in strongSwan before 5.7.1 has a buffer overflow via a
crafted certificate; the vulnerability was introduced with the patch that
fixes CVE-2018-16151/2.
### References:
https://www.strongswan.org/blog/2018/10/01/strongswan-vulnerability-(cve-2018-17540).html
https://nvd.nist.gov/vuln/detail/CVE-2018-17540
*(from redmine: issue id 9517, created on 2018-10-08, closed on 2018-10-09)*
* Relations:
* parent #9515
* Changesets:
* Revision e043f4360d1a4acefce7229bd7836a3db968e86c on 2018-10-08T13:26:31Z:
```
main/strongswan: security fix (CVE-2018-17540)
Fixes #9517
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] libexif: Out-of-bounds heap read in exif_data_save_data_entry function (CVE-2017-7544)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9523 (author: Alicha CH, updated 2019-07-23T11:20:10Z)

A heap-based out-of-bounds read vulnerability exists in libexif-0.6.21. When
saving the data of an entry tagged EXIF_TAG_MAKER_NOTE to a buffer and
copying the data of the exif entry, there is a mismatch between the computed
read size of the entry data and the size of the allocated entry data.
The vulnerability can cause denial of service and even information
disclosure (leaking heap chunk metadata, and possibly other applications'
private data).
### References:
https://sourceforge.net/p/libexif/bugs/130/
https://nvd.nist.gov/vuln/detail/CVE-2017-7544
*(from redmine: issue id 9523, created on 2018-10-08, closed on 2018-10-09)*
* Relations:
* parent #9520
* Changesets:
* Revision cbc4ecf8e7c6c9368d52cb2080d2fed92b853ea3 on 2018-10-08T13:49:38Z:
```
main/libexif: security fix (CVE-2017-7544)
Fixes #9523
```
Milestone: 3.7.2. Assignee: Natanael Copa.

## [3.7] libx11: Multiple vulnerabilities (CVE-2018-14598, CVE-2018-14599, CVE-2018-14600)
Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9535 (author: Alicha CH, updated 2019-07-23T11:20:02Z)

CVE-2018-14598: Crash on invalid reply in XListExtensions in ListExt.c
----------------------------------------------------------------------
An issue was discovered in ListExt.c:XListExtensions and
GetFPath.c:XGetFontPath in libX11 through version 1.6.5. A malicious
server can send
a reply in which the first string overflows, causing a variable to be
set to NULL that will be freed later on, leading to DoS (segmentation
fault).
### Fixed In Version:
libX11 1.6.6
### References:
http://www.openwall.com/lists/oss-security/2018/08/21/6
https://lists.x.org/archives/xorg-announce/2018-August/002916.html
### Patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=e83722768fd5c467ef61fa159e8c6278770b45c2
CVE-2018-14599: off-by-one error in XListExtensions in ListExt.c
----------------------------------------------------------------
An issue was discovered in libX11 through 1.6.5. Functions
GetFPath.c:XGetFontPath, ListExt.c:XListExtensions and
FontNames.c:XListFonts are
vulnerable to an off-by-one error when parsing list of strings returned
by malicious server responses, leading to DoS.
### Fixed In Version:
libX11 1.6.6
### References:
http://www.openwall.com/lists/oss-security/2018/08/21/6
https://lists.x.org/archives/xorg-announce/2018-August/002916.html
### Patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=b469da1430cdcee06e31c6251b83aede072a1ff0
CVE-2018-14600: Out of Bounds write in XListExtensions in ListExt.c
-------------------------------------------------------------------
An issue was discovered in libX11 through 1.6.5. Functions
ListExt.c:XListExtensions and GetFPath.c:XGetFontPath interpret a
variable as signed instead
of unsigned, resulting in an out-of-bounds write (of up to 128 bytes),
leading to DoS or remote code execution.
### Fixed In Version:
libX11 1.6.6
### References:
http://www.openwall.com/lists/oss-security/2018/08/21/6
https://lists.x.org/archives/xorg-announce/2018-August/002916.html
### Patch:
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=dbf72805fd9d7b1846fe9a11b46f3994bfc27fea
*(from redmine: issue id 9535, created on 2018-10-08, closed on 2018-10-09)*
* Relations:
* parent #9532
* Changesets:
* Revision 6b5e91624ae5ccf42f83f5799de854c9aa486ca7 by Natanael Copa on 2018-10-08T11:56:44Z:
```
main/libx11: security upgrade to 1.6.6
CVE-2018-14598
CVE-2018-14599
CVE-2018-14600
fixes #9535
```
Milestone: 3.7.2. Assignee: Natanael Copa.