# aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
Updated: 2019-07-23T14:23:20Z
## [v2.4] libX11 <= 1.5.99.901 (1.6 RC1) CVE-2013-1981 CVE-2013-1997 CVE-2013-2004
https://gitlab.alpinelinux.org/alpine/aports/-/issues/1934
Author: Peter Kotcauer, updated 2019-07-23T14:23:20Z
*(from redmine: issue id 1934, created on 2013-05-23, closed on 2013-05-29)*
* Relations:
* parent #1931
* Changesets:
* Revision 2649f751c0e9819efb815acf526ce7540d894538 by Natanael Copa on 2013-05-24T16:08:10Z:
```
main/libx11: security fix (CVE-2013-1981,CVE-2013-1997,CVE-2013-2004)
ref #1931
fixes #1934
(cherry picked from commit db1e74cf060eb177b9bd1f5ef787b90b19609c5b)
```
Milestone: Alpine 2.4.12
## [v2.4] libXext <= 1.3.1 CVE-2013-1982
https://gitlab.alpinelinux.org/alpine/aports/-/issues/1937
Author: Peter Kotcauer, updated 2019-07-23T14:23:17Z
*(from redmine: issue id 1937, created on 2013-05-23, closed on 2013-05-29)*
* Relations:
* parent #1931
* Changesets:
* Revision 24d0ce7a8c4c75342428d763b97a7f4e69b0a118 by Natanael Copa on 2013-05-24T16:21:13Z:
```
main/libxext: fix CVE-2013-1982
ref #1931
fixes #1937
(cherry picked from commit adf915bf8b5c4ff1c07648f42cee8ab4d804dede)
```
Milestone: Alpine 2.4.12
## [v2.4] libXfixes <= 5.0 CVE-2013-1983
https://gitlab.alpinelinux.org/alpine/aports/-/issues/1941
Author: Peter Kotcauer, updated 2019-07-23T14:23:13Z
*(from redmine: issue id 1941, created on 2013-05-23, closed on 2013-05-29)*
* Relations:
* parent #1931
* Changesets:
* Revision adad53cfd12db1c1f98f8beafae12554e5a9a8f1 by Natanael Copa on 2013-05-24T16:18:21Z:
```
main/libxfixes: fix for CVE-2013-1983
ref #1931
fixes #1941
(cherry picked from commit b26655eaa38290e14b41bf0dd3645030445f42d7)
```
Milestone: Alpine 2.4.12
## [v2.4] libXi <= 1.7.1 CVE-2013-1984 CVE-2013-1995 CVE-2013-1998
https://gitlab.alpinelinux.org/alpine/aports/-/issues/1946
Author: Peter Kotcauer, updated 2019-07-23T14:23:09Z
*(from redmine: issue id 1946, created on 2013-05-23, closed on 2013-05-29)*
* Relations:
* parent #1931
* Changesets:
* Revision 12ae6c6dff5d79147ae77b188fcdc11f28fc3cee by Natanael Copa on 2013-05-24T16:24:02Z:
```
main/libxi: security upgrade to 1.6.2.901 (CVE-2013-1984,CVE-2013-1995,CVE-2013-1998)
ref #1931
fixes #1946
```
Milestone: Alpine 2.4.12
## [v2.4] libXinerama <= 1.1.2 CVE-2013-1985
https://gitlab.alpinelinux.org/alpine/aports/-/issues/1950
Author: Peter Kotcauer, updated 2019-07-23T14:23:05Z
*(from redmine: issue id 1950, created on 2013-05-23, closed on 2013-05-29)*
* Relations:
* parent #1931
* Changesets:
* Revision 33a1152b1f5f134b0fe6439b0eaec2a46574b561 by Natanael Copa on 2013-05-24T16:25:02Z:
```
main/libxinerama: fix CVE-2013-1985
ref #1931
fixes #1950
(cherry picked from commit 3e5921fae9eef23dbc7c56b7905ccbf9de168cea)
```
Milestone: Alpine 2.4.12
## [v2.4] libXp <= 1.0.1 CVE-2013-2062
https://gitlab.alpinelinux.org/alpine/aports/-/issues/1954
Author: Peter Kotcauer, updated 2019-07-23T14:23:01Z
*(from redmine: issue id 1954, created on 2013-05-23, closed on 2013-05-29)*
* Relations:
* parent #1931
* Changesets:
* Revision 04fca7445c2068e588b79b32e01639ef1a0de1b6 by Natanael Copa on 2013-05-24T16:26:19Z:
```
main/libxp: fix CVE-2013-2062
ref #1931
fixes #1954
(cherry picked from commit 596f76568714ab83fed8fef00c69f6493e6996e3)
```
Milestone: Alpine 2.4.12
## [v2.4] libXrandr <= 1.4.0 CVE-2013-1986
https://gitlab.alpinelinux.org/alpine/aports/-/issues/1958
Author: Peter Kotcauer, updated 2019-07-23T14:22:57Z
*(from redmine: issue id 1958, created on 2013-05-23, closed on 2013-05-29)*
* Relations:
* parent #1931
* Changesets:
* Revision 0df792b849962f1e9302b2405f6d846e414e27bc by Natanael Copa on 2013-05-24T16:39:02Z:
```
main/libxrandr: fix CVE-2013-1986
ref #1931
fixes #1958
```
Milestone: Alpine 2.4.12
## [v2.4] libXrender <= 0.9.7 CVE-2013-1987
https://gitlab.alpinelinux.org/alpine/aports/-/issues/1962
Author: Peter Kotcauer, updated 2019-07-23T14:22:53Z
*(from redmine: issue id 1962, created on 2013-05-23, closed on 2013-05-29)*
* Relations:
* parent #1931
* Changesets:
* Revision 2ae1730c58fb4314514c31b87eaff8759f81d236 by Natanael Copa on 2013-05-24T16:19:03Z:
```
main/libxrender: fix CVE-2013-1987
ref #1931
fixes #1962
(cherry picked from commit de43558cd1904b59c2358a05514aea1d20fab1c2)
```
Milestone: Alpine 2.4.12
## [v2.4] libXRes <= 1.0.6 CVE-2013-1988
https://gitlab.alpinelinux.org/alpine/aports/-/issues/1966
Author: Peter Kotcauer, updated 2019-07-23T14:22:50Z
*(from redmine: issue id 1966, created on 2013-05-23, closed on 2013-05-29)*
* Relations:
* parent #1931
* Changesets:
* Revision 1953e4184b10893c215af56b6968543717976d46 by Natanael Copa on 2013-05-24T16:40:11Z:
```
main/libxres: fix CVE-2013-1988
ref #1931
fixes #1966
(cherry picked from commit b262cf6c02f0e15dc88618b6a9e1298ace184057)
```
Milestone: Alpine 2.4.12
## [v2.4] libXtst <= 1.2.1 CVE-2013-2063
https://gitlab.alpinelinux.org/alpine/aports/-/issues/1970
Author: Peter Kotcauer, updated 2019-07-23T14:22:46Z
*(from redmine: issue id 1970, created on 2013-05-23, closed on 2013-05-29)*
* Relations:
* parent #1931
* Changesets:
* Revision 406661591c02dd83efcb2a8885ed58349e2864cd by Natanael Copa on 2013-05-27T16:41:01Z:
```
main/libxtst: fix CVE-2013-2063
ref #1931
fixes #1970
(cherry picked from commit ca33affea49de655ea0a1aa27accea11f84df7c1)
```
Milestone: Alpine 2.4.12
## [v2.4] libXv <= 1.0.7 CVE-2013-1989 CVE-2013-2066
https://gitlab.alpinelinux.org/alpine/aports/-/issues/1974
Author: Peter Kotcauer, updated 2019-07-23T14:22:43Z
*(from redmine: issue id 1974, created on 2013-05-23, closed on 2013-05-29)*
* Relations:
* parent #1931
* Changesets:
* Revision 116a8d9ca2f4a57fd5c27dc32f9d393d7ed3b48e by Natanael Copa on 2013-05-24T16:40:51Z:
```
main/libxv: fix CVE-2013-1989,CVE-2013-2066
ref #1931
fixes #1974
(cherry picked from commit a04d1c8ff925273f3caf3a46393cf73ac2b96ab5)
```
Milestone: Alpine 2.4.12
## [v2.4] libXvMC <= 1.0.7 CVE-2013-1990 CVE-2013-1999
https://gitlab.alpinelinux.org/alpine/aports/-/issues/1978
Author: Peter Kotcauer, updated 2019-07-23T14:22:39Z
*(from redmine: issue id 1978, created on 2013-05-23, closed on 2013-05-29)*
* Relations:
* parent #1931
* Changesets:
* Revision 0ec2f93c9d72ee4b5af6481a370acbfcb426dc4e by Natanael Copa on 2013-05-24T16:41:25Z:
```
main/libxvmc: fix CVE-2013-1990,CVE-2013-1999
ref #1931
fixes #1978
(cherry picked from commit dfac4cbecc1c27d53504a0d9a80019146c9c9bfb)
```
Milestone: Alpine 2.4.12
## [v2.4] libXxf86dga <= 1.1.3 CVE-2013-1991 CVE-2013-2000
https://gitlab.alpinelinux.org/alpine/aports/-/issues/1982
Author: Peter Kotcauer, updated 2019-07-23T14:22:36Z
*(from redmine: issue id 1982, created on 2013-05-23, closed on 2013-05-29)*
* Relations:
* parent #1931
* Changesets:
* Revision 6e94674a196771ea7599e54e128c8a4cedbdbe49 by Natanael Copa on 2013-05-24T16:42:40Z:
```
main/libxxf86dga: fix CVE-2013-1991,CVE-2013-2000
ref #1931
fixes #1982
(cherry picked from commit decef4fe3c4a8fac3afe45c8beebfa95550484f7)
```
* Revision aac3ab664faee25685e9a6fa912f8ec49d1aadab by Natanael Copa on 2013-05-27T15:57:44Z:
```
main/libxxf86dga: actually apply the patches
fixes #1982
```
Milestone: Alpine 2.4.12
## [v2.4] libxcb <= 1.9 CVE-2013-2064
https://gitlab.alpinelinux.org/alpine/aports/-/issues/1986
Author: Peter Kotcauer, updated 2019-07-23T14:22:32Z
*(from redmine: issue id 1986, created on 2013-05-23, closed on 2013-05-29)*
* Relations:
* parent #1931
* Changesets:
* Revision 9688473ac6aba4112f17501b088e2eb353ec56c2 by Natanael Copa on 2013-05-24T16:03:44Z:
```
main/libxcb: security fix (CVE-2013-2064)
ref #1931
fixes #1986
(cherry picked from commit 682ed1fa3f5d7338fff3b497e1b95d45b2481e79)
Conflicts:
main/libxcb/APKBUILD
```
Milestone: Alpine 2.4.12
## [v2.4] libXxf86vm <= 1.1.2 CVE-2013-2001
https://gitlab.alpinelinux.org/alpine/aports/-/issues/1990
Author: Peter Kotcauer, updated 2019-07-23T14:22:29Z
*(from redmine: issue id 1990, created on 2013-05-23, closed on 2013-05-29)*
* Relations:
* parent #1931
* Changesets:
* Revision d5889b384b3c55e50fddd85dad707f163012eaf4 by Natanael Copa on 2013-05-24T16:42:00Z:
```
main/libxxf86vm: fix CVE-2013-2001
ref #1931
fixes #1990
(cherry picked from commit a632a13327ab882c590bbae004b3be338edc14cf)
```
Milestone: Alpine 2.4.12
## [v2.4] libXt <= 1.1.3 CVE-2013-2002 CVE-2013-2005
https://gitlab.alpinelinux.org/alpine/aports/-/issues/1994
Author: Peter Kotcauer, updated 2019-07-23T14:22:25Z
*(from redmine: issue id 1994, created on 2013-05-23, closed on 2013-05-29)*
* Relations:
* parent #1931
* Changesets:
* Revision f7aaccfd77acfce44d757b68afb7d33532f9447e by Natanael Copa on 2013-05-24T16:43:16Z:
```
main/libxt: fix CVE-2013-2002,CVE-2013-2005
ref #1931
fixes #1994
(cherry picked from commit e6d9eccdf7eeb94ed8fdd2cd4e7ebd51ed7fb04a)
```
Milestone: Alpine 2.4.12
## [v2.4] libXcursor <= 1.1.13 CVE-2013-2003
https://gitlab.alpinelinux.org/alpine/aports/-/issues/1998
Author: Peter Kotcauer, updated 2019-07-23T14:22:21Z
*(from redmine: issue id 1998, created on 2013-05-23, closed on 2013-05-29)*
* Relations:
* parent #1931
* Changesets:
* Revision 99d3e572056d735f20db0b6a80e86398462ee97b by Natanael Copa on 2013-05-24T16:19:38Z:
```
main/libxcursor: fix CVE-2013-2003
ref #1931
fixes #1998
(cherry picked from commit 12fb9608ca0d7e1478f57863518a56e57fc759bc)
```
Milestone: Alpine 2.4.12
## [v2.4] cgit directory traversal (CVE-2013-2117)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2020
Author: Natanael Copa, updated 2019-07-23T14:22:07Z
*(from redmine: issue id 2020, created on 2013-05-28, closed on 2013-05-29)*
* Relations:
* parent #2017
* Changesets:
* Revision 8fa342f4e4662c5ac3038410c69eb77da75c66b3 by Natanael Copa on 2013-05-28T16:48:05Z:
```
main/cgit: security upgrade to 0.9.2 (CVE-2013-2117)
fixes #2020
(cherry picked from commit 44e740eef26389110713c40214989466c8c83ba5)
```
Milestone: Alpine 2.4.12
## [v2.4] haproxy 1.4 - 1.4.22 CVE-2013-1912
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2027
Author: Peter Kotcauer, updated 2019-07-23T14:22:00Z
Yves Lafon from the W3C reported some random crashes of haproxy with an advanced configuration, that we finally considered was a security issue as it could remotely be triggered.
---- summary ----
Configurations at risk are those which combine use of HTTP keywords in TCP content inspection rules, client-side keep-alive, header rewriting rules and which receive pipelined requests. These configurations may be remotely crashed when run with haproxy 1.4 up to and including 1.4.22 or development versions up to and including 1.5-dev17. Versions 1.4.23 and 1.5-dev18 are safe.
---- quick workaround ----
Disable TCP content inspection, or disable HTTP keep-alive by inserting "option forceclose" in the affected frontends.
---- details ----
During normal HTTP request processing, request buffers are realigned if there are less than global.maxrewrite bytes available after them, in order to leave enough room for rewriting headers after the request. This is done in `http_wait_for_request()`.
However, if some HTTP inspection happens during a "tcp-request content" rule, this realignment is not performed. In theory this is not a problem because empty buffers are always aligned and TCP inspection happens at the beginning of a connection. But with HTTP keep-alive, it also happens at the beginning of each subsequent request. So if a second request was pipelined by the client before the first one had a chance to be forwarded, the second request will not be realigned. Then, `http_wait_for_request()` will not perform such a realignment either, because the request was already parsed and marked as such. The consequence of this is that the rewrite of a sufficient number of such pipelined, unaligned requests may leave less room past the request being processed than the configured reserve, which can lead to a buffer overflow if request processing appends some data past the end of the buffer.
A number of conditions are required for the bug to be triggered:
- HTTP keep-alive must be enabled;
- HTTP inspection in TCP rules must be used;
- some request appending rules are needed (reqadd, x-forwarded-for);
- since empty buffers are always realigned, the client must pipeline enough requests so that the buffer always contains something till the point where there is no more room for rewriting.
While such a configuration is quite unlikely to be met (which is confirmed by the bug's lifetime), a few people do use these features together for very specific usages. And more importantly, writing such a configuration and the request to attack it is trivial.
A quick workaround consists in forcing keep-alive off by adding "option httpclose" or "option forceclose" in the frontend. Alternatively, disabling HTTP-based TCP inspection rules is enough if the application supports it.
At first glance, this bug does not look like it could lead to remote code execution, as the overflowing part is controlled by the configuration and not by the user. But some deeper analysis should be performed to confirm this. And anyway, corrupting the process' memory and crashing it is quite trivial.
Special thanks go to Yves Lafon from the W3C who reported this bug and deployed significant efforts to collect the relevant data needed to understand it in less than one week, and to Ryan O'Hara from Red Hat for providing me with a CVE number.
CVE-2013-1912 was assigned to this issue.
---- links ----
1.4-stable patch for version <= 1.4.22:
http://git.1wt.eu/web?p=haproxy-1.4.git;a=commitdiff;h=dc80672211
1.4.23 source code:
http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.23.tar.gz
1.5-dev patch for versions <= 1.5-dev17:
http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=aae75e3279
1.5-dev18 source code:
http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev18.tar.gz
*(from redmine: issue id 2027, created on 2013-05-29, closed on 2013-06-03)*
* Relations:
* parent #2025
* Changesets:
* Revision 9f78fab9c5ca88bf0106dae767f14bf8a08799ae by Natanael Copa on 2013-06-03T11:11:28Z:
```
main/haproxy: security upgrade to 1.4.23 (CVE-2013-1912)
fixes #2027
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa
## [v2.4] CVE-2013-2850: Linux kernel iSCSI target heap overflow
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2042
Author: Peter Kotcauer, updated 2019-07-23T14:21:46Z
upstream fix:
http://git.kernel.org/cgit/linux/kernel/git/nab/target-pending.git/commit/?id=cea4dcfdad926a27a18e188720efe0f2c9403456
http://www.openwall.com/lists/oss-security/2013/06/01/2
*(from redmine: issue id 2042, created on 2013-06-02, closed on 2013-06-06)*
* Relations:
* parent #2039
* Changesets:
* Revision 56028d0155b80c508b86c5b1215f0e444ab33c58 by Natanael Copa on 2013-06-05T14:02:08Z:
```
main/linux-grsec: upgrade to 3.4.47 and fix CVE-2013-2850
ref #2039
fixes #2042
```
Milestone: Alpine 2.4.12
## [v2.4] xen CVE-2013-2076 Information leak on XSAVE/XRSTOR capable AMD CPUs
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2047
Author: Peter Kotcauer, updated 2019-07-23T14:21:41Z
### ISSUE DESCRIPTION
On AMD processors supporting XSAVE/XRSTOR (family 15h and up), when an
exception is pending, these instructions save/restore only the FOP,
FIP, and FDP x87 registers in FXSAVE/FXRSTOR. This allows one domain
to determine portions of the state of floating point instructions of
other domains.
NOTE: This is the documented behavior of AMD64 processors, but it is
inconsistent with Intel processors in a security-relevant fashion that
was not addressed by the original implementation of XSAVE support on
Xen.
This vulnerability is similar to CVE-2006-1056, concerning
FXSAVE/FXRSTOR on AMD processors.
### IMPACT
A malicious domain may be able to leverage this to obtain sensitive
information such as cryptographic keys from another domain.
### VULNERABLE SYSTEMS
Xen 4.0 and onwards are vulnerable when run on systems with AMD
processors supporting XSAVE. Any kind of guest can exploit the
vulnerability.
In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is
disabled by default; therefore systems running these versions are not
vulnerable unless support is explicitly enabled using the “xsave”
hypervisor command line option.
Systems not using AMD processors, or using AMD processors not
supporting XSAVE (i.e. families prior to 15h), are not vulnerable.
Xen 3.x and earlier are not vulnerable.
### MITIGATION
Turning off XSAVE support via the “no-xsave” hypervisor command line
option will avoid the vulnerability.
### RESOLUTION
Applying the attached patch resolves this issue.
xsa52-4.1.patch Xen 4.1.x
xsa52-4.2-unstable.patch Xen 4.2.x, xen-unstable
```
$ sha256sum xsa52-*.patch
058741aae8881774cfe8f8d193fee9b92da62e61459b1e9617798ccee2ce8d75  xsa52-4.1.patch
5b8582185bf90386729e81db1f7780c69a891b074a87d9a619a90d6f639bea13  xsa52-4.2-unstable.patch
```
*(from redmine: issue id 2047, created on 2013-06-03, closed on 2013-06-06)*
* Relations:
* parent #2044
* Changesets:
* Revision a2883b66233b3bc958ccb3555996adeacd070c64 by Natanael Copa on 2013-06-05T15:08:29Z:
```
main/xen: security fixes (CVE-2013-2076,CVE-2013-2077,CVE-2013-2078)
ref #2044
ref #2049
ref #2054
fixes #2047
fixes #2052
fixes #2057
```
* Uploads:
* [xsa52-4.1.patch](/uploads/5ae30620ed645908170349275c2a8b6a/xsa52-4.1.patch)
* [xsa52-4.2-unstable.patch](/uploads/ee88ac70650a77574021fd0e729b1e1b/xsa52-4.2-unstable.patch)
Milestone: Alpine 2.4.12
Assignee: Ariadne Conill <ariadne@ariadne.space>
## [v2.4] xen CVE-2013-2077 Hypervisor crash due to missing exception recovery on XRSTOR
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2052
Author: Peter Kotcauer, updated 2019-07-23T14:21:35Z
reference:
http://www.openwall.com/lists/oss-security/2013/06/03/2
### ISSUE DESCRIPTION
Processors do certain validity checks on the data passed to XRSTOR.
While the hypervisor controls the placement of that memory block, it
doesn’t restrict the contents in any way. Thus the hypervisor exposes
itself to a fault occurring on XRSTOR. Other than for FXRSTOR, which
behaves similarly, there was no exception recovery code attached to
XRSTOR.
### IMPACT
Malicious or buggy unprivileged user space can cause the entire host
to crash.
### VULNERABLE SYSTEMS
Xen 4.0 and onwards are vulnerable when run on systems with processors
supporting XSAVE. Only PV guests can exploit the vulnerability; for
HVM guests only the control tools have access to the respective
hypervisor functions.
In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is
disabled by default; therefore systems running these versions are not
vulnerable unless support is explicitly enabled using the “xsave”
hypervisor command line option.
Systems using processors not supporting XSAVE are not vulnerable.
Xen 3.x and earlier are not vulnerable.
### MITIGATION
Turning off XSAVE support via the “no-xsave” hypervisor command line
option will avoid the vulnerability.
### RESOLUTION
Applying the attached patch resolves this issue.
xsa53-4.1.patch Xen 4.1.x
xsa53-4.2.patch Xen 4.2.x
xsa53-unstable.patch xen-unstable
```
$ sha256sum xsa53-*.patch
2deedb983ef6ffb24375e5ae33fd271e4fb94f938be143919310daf1163de182  xsa53-4.1.patch
785f7612bd229f7501f4e98e4760f307d90c64305ee14707d262b77f05fa683d  xsa53-4.2.patch
b9804e081afbc5e7308176841d0249e1f934f75e7fcc8f937bad6b95eb6944a5  xsa53-unstable.patch
```
*(from redmine: issue id 2052, created on 2013-06-03, closed on 2013-06-06)*
* Relations:
* parent #2049
* Changesets:
* Revision a2883b66233b3bc958ccb3555996adeacd070c64 by Natanael Copa on 2013-06-05T15:08:29Z:
```
main/xen: security fixes (CVE-2013-2076,CVE-2013-2077,CVE-2013-2078)
ref #2044
ref #2049
ref #2054
fixes #2047
fixes #2052
fixes #2057
```
* Uploads:
* [xsa53-4.1.patch](/uploads/72f9f6d9cd1bf2c5b623ac27a7f6597a/xsa53-4.1.patch)
* [xsa53-4.2.patch](/uploads/a66c5c5a42626e4acaf11e168c0eb210/xsa53-4.2.patch)
* [xsa53-unstable.patch](/uploads/b3ea97397c3bb8219df222c7d2d8c07a/xsa53-unstable.patch)
Milestone: Alpine 2.4.12
Assignee: Ariadne Conill <ariadne@ariadne.space>
## [v2.4] xen CVE-2013-2078 Hypervisor crash due to missing exception recovery on XSETBV
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2057
Author: Peter Kotcauer, updated 2019-07-23T14:21:29Z
reference:
http://www.openwall.com/lists/oss-security/2013/06/03/3
### ISSUE DESCRIPTION
Processors do certain validity checks on the register values passed to
XSETBV. For the PV emulation path for that instruction the hypervisor
code didn’t check for certain invalid bit combinations, thus exposing
itself to a fault occurring when invoking that instruction on behalf
of the guest.
### IMPACT
Malicious or buggy unprivileged user space can cause the entire host
to crash.
### VULNERABLE SYSTEMS
Xen 4.0 and onwards are vulnerable when run on systems with processors
supporting XSAVE. Only PV guests can exploit the vulnerability.
In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is
disabled by default; therefore systems running these versions are not
vulnerable unless support is explicitly enabled using the “xsave”
hypervisor command line option.
Systems using processors not supporting XSAVE are not vulnerable.
Xen 3.x and earlier are not vulnerable.
### MITIGATION
Turning off XSAVE support via the “no-xsave” hypervisor command line
option will avoid the vulnerability.
### RESOLUTION
Applying the attached patch resolves this issue.
xsa54.patch Xen 4.1.x, Xen 4.2.x, xen-unstable
```
$ sha256sum xsa54-*.patch
5d94946b3c9cba52aae2bffd4b0ebb11d09181650b5322a3c85170674a05f6b7  xsa54.patch
$
```
*(from redmine: issue id 2057, created on 2013-06-03, closed on 2013-06-06)*
* Relations:
* parent #2054
* Changesets:
* Revision a2883b66233b3bc958ccb3555996adeacd070c64 by Natanael Copa on 2013-06-05T15:08:29Z:
```
main/xen: security fixes (CVE-2013-2076,CVE-2013-2077,CVE-2013-2078)
ref #2044
ref #2049
ref #2054
fixes #2047
fixes #2052
fixes #2057
```
* Uploads:
* [xsa54.patch](/uploads/c22094e4e9977acbe2535ba424100d4e/xsa54.patch)
Milestone: Alpine 2.4.12
Assignee: Ariadne Conill <ariadne@ariadne.space>
## [v2.4] qemu CVE-2013-2007: guest agent creates files with insecure permissions in daemon mode
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2062
Author: Peter Kotcauer, updated 2019-07-23T14:21:24Z
references:
http://www.openwall.com/lists/oss-security/2013/05/06/5
https://bugzilla.redhat.com/show_bug.cgi?id=956082#c6
upstream fix:
http://git.qemu.org/?p=qemu.git;a=commit;h=c689b4f1bac352dcfd6ecb9a1d45337de0f1de67
### DESCRIPTION
The upstream qemu guest agent creates files with insecure permissions when started in daemon mode, which could potentially lead to local privilege escalation.
The Red Hat Enterprise Linux 6 qemu-ga, when started in daemon mode, creates logfiles in /var/log/ world writable, allowing anyone on the system to wipe the contents of the log file or to store data within the log file. An unprivileged guest user could use this flaw to consume all free space on the partition with the qemu-ga log file, or modify the contents of the log. When a UNIX domain socket transport was explicitly configured to be used (non-default), an unprivileged guest user could potentially use this flaw to escalate their privileges in the guest.
Acknowledgements:
This issue was discovered by Laszlo Ersek of Red Hat.
*(from redmine: issue id 2062, created on 2013-06-03, closed on 2013-06-06)*
* Relations:
* parent #2059
* Changesets:
* Revision ef7cc55e6635a229f49ae024c7b4f92945b1aa2d by Natanael Copa on 2013-06-05T13:01:01Z:
```
main/qemu: security fix CVE-2013-2007
ref #2059
fixes #2062
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa
## [v2.4] bind: A recursive resolver can be crashed by a query for a malformed zone (CVE-2013-3919)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2069
Author: Natanael Copa, updated 2019-07-23T14:21:16Z
### Versions affected:
BIND 9.6-ESV-R9, 9.8.5, and 9.9.3 are affected
Versions 9.6.0 through 9.6-ESV-R8, 9.8.0 through 9.8.4-P2, and 9.9.0
through 9.9.2-P2 ARE NOT affected.
Other major branches of BIND (e.g. 9.7, 9.5, etc) are not vulnerable but
they are no longer supported by ISC and may lack other important
security fixes.
### Severity:
High
### Exploitable:
Remotely
### Description:
A bug has been discovered in the most recent releases of BIND 9 which
has the potential for deliberate exploitation as a denial-of-service
attack. By sending a recursive resolver a query for a record in a
specially malformed zone, an attacker can cause BIND 9 to exit with a
fatal `RUNTIME_CHECK` error in resolver.c
### Impact:
Triggering this defect will cause the affected server to exit with an
error, denying service to recursive DNS clients that use that particular
server.
### CVSS Score: 7.8
### CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=%28AV:N/AC:L/Au:N/C:N/I:N/A:C%29
### Workarounds:
None.
### Active exploits:
At the time of this advisory no intentional exploitation of this bug has
been observed in the wild. However, the existence of the issue has been
disclosed on an open mailing list with enough accompanying detail to
reverse engineer an attack and ISC is therefore treating this as a Type
II (publicly disclosed) vulnerability, in accordance with our Phased
Disclosure Process.
### Solution:
New versions of BIND are being provided which contain a fix for the
defect. The recommended solution is to upgrade to the patched release
most closely related to your current version of BIND. These can all be
downloaded from http://ftp.isc.org/isc/bind9
BIND 9 version 9.9.3-P1
BIND 9 version 9.8.5-P1
BIND 9 version 9.6-ESV-R9-P1
### Acknowledgements:
### Document Revision History:
1.0 Type II Public Disclosure, 04 June, 2013
### Related Documents:
See our BIND Security Matrix for a complete listing of Security
Vulnerabilities and versions affected.
If you’d like more information on our product support please visit
www.isc.org/support.
Do you still have questions? Questions regarding this advisory should go
to security-officer@isc.org
Note: ISC patches only currently supported versions. When possible we
indicate EOL versions affected.
ISC Security Vulnerability Disclosure Policy: Details of our current
security advisory policy and practice can be found here: ISC Software
Defect and Security Vulnerability Disclosure Policy
This Knowledge Base article https://kb.isc.org/article/AA-00967 is the
complete and official security advisory document.
*(from redmine: issue id 2069, created on 2013-06-05, closed on 2013-06-10)*
* Relations:
* parent #2066
* Changesets:
* Revision 39ad8b3e5f2f1cb3656f142011b80c945d036a57 by Natanael Copa on 2013-06-05T08:48:50Z:
```
main/bind: security upgrade to 9.9.3_p1 (2013-3919)
fixes #2069
```
* Milestone: Alpine 2.4.12
* Assignee: Natanael Copa

## Java Runtime Environment Fails with SIGSEGV
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2075
* Updated: 2019-07-23T14:21:11Z
* Author: Richard Johnson

I tried to run a precompiled class file, which resulted in the following error:
```
Error occurred during initialization of VM
Could not reserve enough space for object heap
```
More details:
- I have installed this instance of alpine from alpine-xen-2.6.0_rc3-x86_64.iso, however I did “apk upgrade” just after installing the JRE.
- I am running Java in dom0
- I have allocated more than 800MB for dom0
- Even when running trivial commands such as “java -version” I get the same error message
- My goal is to run a Swing application in the X environment
The test case is attached.
*(from redmine: issue id 2075, created on 2013-06-10, closed on 2013-07-03)*
* Changesets:
* Revision 6da42db662737f4c7d76b27bafb754717667772a by Timo Teräs on 2013-06-10T16:51:42Z:
```
main/openjdk6: fix ipv6 related startup crash
fixes #2075
(cherry picked from commit a733d5ca3c5b38a12b6d7a185325ee4bbe65a749)
Conflicts:
main/openjdk6/APKBUILD
```
* Revision b89cea880276f1791d948a779161687e13d56039 by Timo Teräs on 2013-06-11T15:02:09Z:
```
main/openjdk6: fix ipv6 related startup crash
ref #2075
(cherry picked from commit a733d5ca3c5b38a12b6d7a185325ee4bbe65a749)
```
* Uploads:
* [Test.java](/uploads/937320df32c00847a8a0d2faca162c21/Test.java)
* [logs.zip](/uploads/6b56630ce3b38e038830c00e750622d7/logs.zip)
* Milestone: Alpine 2.4.12
* Assignee: Natanael Copa

## [v2.4] CVE-2013-2164 Linux Kernel - Leak information in cdrom driver
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2082
* Updated: 2019-07-23T14:21:06Z
* Author: Peter Kotcauer

upstream fix:
http://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/drivers/cdrom/cdrom.c?id=050e4b8fb7cdd7096c987a9cd556029c622c7fe2
In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory area with kmalloc in line 2885.
```
2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
2886 if (cgc->buffer == NULL)
2887     return -ENOMEM;
```
In line 2908 we can find the copy_to_user function:
```
2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
```
The cgc->buffer is never cleaned and initialized before this function. If ret = 0 with the previous basic block, it’s possible to display some memory bytes in kernel space from userspace.
When we read a block from the disk it normally fills the ->buffer, but if the drive is malfunctioning there is a chance that it would only be partially filled. The result is an information leak to userspace.
*(from redmine: issue id 2082, created on 2013-06-10, closed on 2013-07-03)*
* Relations:
* parent #2077
* Changesets:
* Revision f84874803ecddea53abaa8b2ae68a789794c359f by Natanael Copa on 2013-06-26T11:55:04Z:
```
main/linux-grsec: security fix (CVE-2013-2164)
ref #2077
fixes #2082
```
* Milestone: Alpine 2.4.12
* Assignee: Natanael Copa

## [v2.4] CVE-2013-2852 Linux-Kernel: b43 wireless driver
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2091
* Updated: 2019-07-23T14:20:58Z
* Author: Peter Kotcauer

The b43 driver reports error strings that can be interpreted as format
strings. Under normal conditions, this is not a problem, but it is
possible for the “fwpostfix” module parameter to change the filenames
used to fetch firmware. When such a file is not found, the filename
will be processed as a format string. This flaw could potentially allow escalation from uid-0 to ring-0, so except for certain environments, it is not too serious.
If b43 hardware is available, this should show itself easily. I don’t have any available for testing, but it seems it would show itself like this:
1. rmmod b43
2. modprobe b43 fwpostfix=AA%xBB
…
3. dmesg
…
b43-0 ERROR: Firmware file “b43AAdeff80ccBB/a0g1bsinitvals5.fw” not found
Using %n instead of %x would lead to exciting crashes. :)
It has been fixed in the upstream wireless tree:
http://git.kernel.org/cgit/linux/kernel/git/linville/wireless.git/commit/?id=9538cbaab6e8b8046039b4b2eb6c9d614dc782bd
*(from redmine: issue id 2091, created on 2013-06-18, closed on 2013-07-03)*
* Relations:
* parent #2088
* Changesets:
* Revision fe9af505b4a99ba6560870a89e982299adb76b2b by Natanael Copa on 2013-06-21T16:20:03Z:
```
main/linux-grsec: upgrade to 3.4.50 kernel (CVE-2013-2851,CVE-2013-2852)
fixes #2091
fixes #2096
```
* Milestone: Alpine 2.4.12
* Assignee: Natanael Copa

## [v2.4] CVE-2013-2851 Linux-Kernel: block layer
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2096
* Updated: 2019-07-23T14:20:53Z
* Author: Peter Kotcauer

The block layer uses the “disk_name” field as a format string in a number of places. While this is normally not a problem due to how disk names are created (statically or incrementally), there is currently at least one way to define nearly arbitrary names via md. Instead of filtering md, this should be fixed within the kernel’s interfaces. This flaw could potentially allow escalation from uid-0 to ring-0, so except for certain environments, it is not too serious.
The test case is trivial:
1. echo md_%x.%x.%x.%x >/sys/module/md_mod/parameters/new_array
2. ls /dev/md_*
/dev/md_c12cc370.df66d800.df66d80c.c13da45b
Using %n instead of %x leads to exciting crashes. :)
The fix has been sent upstream:
http://marc.info/?l=linux-kernel&m=137055204522556&w=2
With the above fixes, a series of additional format string related clean ups has also been sent upstream:
http://marc.info/?l=linux-kernel&m=137055207522563&w=2
*(from redmine: issue id 2096, created on 2013-06-18, closed on 2013-07-03)*
* Relations:
* parent #2093
* Changesets:
* Revision fe9af505b4a99ba6560870a89e982299adb76b2b by Natanael Copa on 2013-06-21T16:20:03Z:
```
main/linux-grsec: upgrade to 3.4.50 kernel (CVE-2013-2851,CVE-2013-2852)
fixes #2091
fixes #2096
```
* Milestone: Alpine 2.4.12
* Assignee: Natanael Copa

## [v2.4] CVE-2013-2175 : haproxy may crash when using header occurrences relative to the tail
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2101
* Updated: 2019-07-23T14:20:48Z
* Author: Peter Kotcauer

David Torgerson reported an haproxy crash with enough traces to diagnose the cause as being related to the use of a negative occurrence number in a header extraction, which is used to extract an entry starting from the last occurrence.
--- summary ---
Configurations at risk are those which make use of “hdr_ip(name,-1)” (in 1.4) or any hdr_* variant with a negative occurrence count in 1.5, or the “usesrc hdr_ip(name)” statement in both 1.4 and 1.5. These configurations may be crashed when run with haproxy 1.4.4 to 1.4.23 or development versions up to and including 1.5-dev18. Versions 1.4.24 and 1.5-dev19 are safe.
--- quick workaround ---
A workaround consists in rejecting dangerous requests early using hdr_cnt(<name>), which is available both in 1.4 and 1.5:
```
block if { hdr_cnt(<name>) ge 10 }
```
--- details ---
When a config makes use of hdr_ip(x-forwarded-for,-1) or any such thing involving a negative occurrence count, the header is still parsed in the order it appears, and an array of up to MAX_HDR_HISTORY entries is created. When more entries are used, the entries simply wrap and continue this way.
A problem happens when the incoming header field count exactly divides MAX_HDR_HISTORY, because the computation removes the number of requested occurrences from the count, but does not care about the risk of wrapping with a negative number. Thus we can dereference the array with a negative number and randomly crash the process.
The bug is located in http_get_hdr() in haproxy 1.5, and get_ip_from_hdr2() in haproxy 1.4. It affects configurations making use of one of the following functions with a negative <value> occurrence number:
- hdr_ip(<name>, <value>) (in 1.4)
- hdr_*(<name>, <value>) (in 1.5)
It also affects “source” statements involving “hdr_ip(<name>)” since that statement implicitly uses -1 for <value>:
- source 0.0.0.0 usesrc hdr_ip(<name>)
This bug has been present since the introduction of the negative offset count in 1.4.4 via commit bce70882.
CVE-2013-2175 was assigned to this bug.
Special thanks to David Torgerson who provided a significant number of traces, and to Ryan O’Hara from Red Hat for providing a CVE id.
--- links ---
1.4-stable patch for version <= 1.4.23:
http://git.1wt.eu/web?p=haproxy-1.4.git;a=commitdiff;h=f534af74ed
1.4.24 source code:
http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.24.tar.gz
1.5-dev patch for versions <= 1.5-dev18:
http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=67dad2715b
1.5-dev19 source code:
http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev19.tar.gz
*(from redmine: issue id 2101, created on 2013-06-18, closed on 2013-06-21)*
* Relations:
* parent #2098
* Changesets:
* Revision b9073a5009143c15d717fadaf3e8b37febf839f4 by Natanael Copa on 2013-06-21T14:03:36Z:
```
main/haproxy: security upgrade to 1.4.24 (CVE-2013-2175)
fixes #2101
(cherry picked from commit d2207b3c4708cac6038cfbb0b7c58722e49c5c4e)
Conflicts:
main/haproxy/APKBUILD
```
* Milestone: Alpine 2.4.12
* Assignee: Natanael Copa

## [v2.4] Xen Security Advisory 55 (CVE-2013-2194, CVE-2013-2195, CVE-2013-2196) - Multiple vulnerabilities in libelf PV kernel handling
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2111
* Updated: 2019-07-23T14:20:38Z
* Author: Peter Kotcauer

Xen Security Advisory CVE-2013-2194,CVE-2013-2195,CVE-2013-2196 / XSA-55
version 5
Multiple vulnerabilities in libelf PV kernel handling
### UPDATES IN VERSION 5
CVE numbers have been assigned.
### ISSUE DESCRIPTION
The ELF parser used by the Xen tools to read domains’ kernels and
construct domains has multiple integer overflows, pointer dereferences
based on calculations from unchecked input values, and other problems.
This corresponds to the following CVEs:
CVE-2013-2194 XEN XSA-55 integer overflows
CVE-2013-2195 XEN XSA-55 pointer dereferences
CVE-2013-2196 XEN XSA-55 other problems
### IMPACT
A malicious PV domain administrator who can specify their own kernel
can escalate their privilege to that of the domain construction tools
(i.e., normally, to control of the host).
Additionally a malicious HVM domain administrator who is able to
supply their own firmware (“hvmloader”) can do likewise; however we
think this would be very unusual and it is unlikely that such
configurations exist in production systems.
### VULNERABLE SYSTEMS
All Xen versions are affected.
Installations which only allow the use of trustworthy kernels for PV
domains are not affected.
### MITIGATION
Ensuring that PV guests use only trustworthy kernels will avoid this
problem.
### RESOLUTION
Applying the appropriate patch series will resolve this issue.
These were attached to v3 of the advisory which can be found here:
http://lists.xen.org/archives/html/xen-devel/2013-06/msg01626.html
These are available in xen.git
http://xenbits.xen.org/gitweb/?p=xen.git
git://xenbits.xen.org/xen.git
http://xenbits.xen.org/git-http/xen.git
in the git changesets listed below.
xen-unstable:
```
82cb4113b6ace16de192021de20f6cbd991e478f libxc: Better range check in xc_dom_alloc_segment
966070058d02cce9684e30073b61d6465e4b351c libxc: check blob size before proceeding in xc_dom_check_gzip
de7911eaef98b6643d80e4612fe4dcd4528d15b9 libxc: range checks in xc_dom_p2m_host and _guest
3d5a1d4733e55e33521cd5004cab1313e5c5d5ff libxc: check return values from malloc
aaebaba5ae225f591e0602e071037a935bb281b6 libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
2bcee4b3c316379f4b52cb308947eb6db3faf1a0 libxc: Add range checking to xc_dom_binloader
66fe2726fe8492676f9970b9c2c511bce6186ece libelf: abolish obsolete macros
39bf7b9d0ae534491745e54df5232127c0bddaf1 libelf: check loops for running away
a004800f8fc607b96527815c8e3beabcb455d8e0 libelf: use only unsigned integers
7a549a6aa04dba807f8dd4c1577ab6a7592c4c76 libelf: use C99 bool for booleans
c84481fbc7de7d15ff7476b3b9cd2713f81feaa3 libelf: Make all callers call elf_check_broken
943de71cf07d9d04ccb215bd46153b04930e9f25 libelf: Check pointer references in elf_is_elfbinary
65808a8ed41cc7c044f588bd6cab5af0fdc0e029 libelf: check all pointer accesses
04877847ade4ac9216e9f408fd544ade8f90cf9a libelf: check nul-terminated strings properly
50421bd56bf164f490d7d0bf5741e58936de41e8 tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
85256359995587df00001dca22e9a76ba6ea8258 libelf: introduce macros for memory access and pointer handling
95dd49bed681af93f71a401b0a35bf2f917c6e68 libelf/xc_dom_load_elf_symtab: Do not use “syms” uninitialised
f7aa72ec00aec71eed055dac5e8a151966d75c9c libelf: move include of <asm/guest_access.h> to top of file
13e2c808f7ea721c8f200062e2b9b977ee924471 libelf: abolish elf_sval and elf_access_signed
009ddca51504ce80889937e485d44ac0f9290d63 libelf: add `struct elf_binary*' parameter to elf_load_image
b5a869209998fedadfe205d37addbd50a802998b libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
53bfcf585b09eb4ac2240f89d1ade77421cd2451 libxc: introduce xc_dom_seg_to_ptr_pages
14573b974850d82de7aebad17e6471d27d847f2c libelf: abolish libelf-relocate.c
```
Xen 4.2.x:
```
d21d36e84354c04638b60a739a5f7c3d9f8adaf8 libxc: Better range check in xc_dom_alloc_segment
2a548e22915535ac13694eb38222903bca7245e3 libxc: check blob size before proceeding in xc_dom_check_gzip
052a689aa526ca51fd70528d4b0f83dfb2de99c1 libxc: range checks in xc_dom_p2m_host and _guest
8dc90d163650ce8aa36ae0b46debab83cc61edb6 libxc: check return values from malloc
77c0829fa751f052f7b8ec08287aef6e7ba97bc5 libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
b06e277b1fc08c7da3befeb3ac3950e1d941585d libxc: Add range checking to xc_dom_binloader
3baaa4ffcd3e7dd6227f9bdf817f90e5b75aeda2 libelf: abolish obsolete macros
52d8cc2dd3bb3e0f6d51e00280da934e8d91653a libelf: check loops for running away
e673ca50127b6c1263727aa31de0b8bb966ca7a2 libelf: use only unsigned integers
3fb6ccf2faccaf5e22e33a3155ccc72d732896d8 libelf: use C99 bool for booleans
a965b8f80388603d439ae2b8ee7b9b018a079f90 libelf: Make all callers call elf_check_broken
d0790bdad7496e720416b2d4a04563c4c27e7b95 libelf: Check pointer references in elf_is_elfbinary
cc8761371aac432318530c2ddfe2c8234bc0621f libelf: check all pointer accesses
db14d5bd9b6508adfcd2b910f454fae12fa4ba00 libelf: check nul-terminated strings properly
59f66d58180832af6b99a9e4489031b5c2f627ab tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
40020ab55a1e9a1674ddecdb70299fab4fe8579d libelf: introduce macros for memory access and pointer handling
de9089b449d2508b1ba05590905c7ebaee00c8c4 libelf/xc_dom_load_elf_symtab: Do not use “syms” uninitialised
682a04488e7b3bd6c3448ab60599566eb7c6177a libelf: move include of <asm/guest_access.h> to top of file
83ec905922b496e1a5756e3a88405eb6c2c6ba88 libelf: abolish elf_sval and elf_access_signed
035634047d10c678cbb8801c4263747bdaf4e5b1 libelf: add `struct elf_binary*' parameter to elf_load_image
8c738fa5c1f3cfcd935b6191b3526f7ac8b2a5bd libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
a672da4b2d58ef12be9d7407160e9fb43cac75d9 libxc: introduce xc_dom_seg_to_ptr_pages
9737484becab4a25159f1e985700eaee89690d34 libelf: abolish libelf-relocate.c
```
Xen 4.1.x:
```
ac63ddd70a5ccf5ebf790f06ea4cd4ed794c3978 libxc: check blob size before proceeding in xc_dom_check_gzip
6eca85d5c144ee8c899ee3cf8791f9087b15f2e8 libxc: range checks in xc_dom_p2m_host and _guest
a2986a7959919bc748784bb75970bfbd42697d3b libxc: check return values from malloc
117a538dbef62f8d39159dea652e633e01b50a9a libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range
40b76f1fb04af421c1415f7bcb168dfaa6960d0d libxc: Add range checking to xc_dom_binloader
4a3a60d8caee49af6951a672c55b08436a8d1f86 libelf: abolish obsolete macros
968c0399159c65e24bb8b9969259e18791e1f4d8 libelf: check loops for running away
282188ea84b9e0f9c4865f0609e7740f2f28e7b0 libxc: Introduce xc_bitops.h
86e39ce58e91fe55d4fdbc914cb1955c45acc20e libelf: use only unsigned integers
bd3dba9f435fa59f305407f7d9b34e1e164ddd98 libelf: use C99 bool for booleans
44c74b1ed31c75ed9026abf62ab7427a46d8027a libelf: Make all callers call elf_check_broken
9962d7ffcce97ec2d69a15ef861996b1ead33694 libelf: Check pointer references in elf_is_elfbinary
39923542bb43e67776c4e8292d4a5a1adef2bd3b libelf: check all pointer accesses
8ce60b35beaac91a97b79c004ca6bf5d58e7390b libelf: check nul-terminated strings properly
4e46085972d2367dff2345a73361c1c17b47ce73 tools/xcutils/readnotes: adjust print_l1_mfn_valid_note
de49d6e83c3a8c753646b007972140ddbb746ba8 libelf: introduce macros for memory access and pointer handling
4d3339de1fe3cbf7b05487fdb6cadd7267950948 libelf/xc_dom_load_elf_symtab: Do not use “syms” uninitialised
e719b136b750e5eee87c4647d1846e4e1e70eac0 libelf: abolish elf_sval and elf_access_signed
f7fb94409c562beec06094141ef262dc85f28dac libxc: Fix range checking in xc_dom_pfn_to_ptr etc.
bbf40e6b6d47809f4289a866d7d167c25104ecc0 libxc: introduce xc_dom_seg_to_ptr_pages
64a0206c451920b72a9c5721a6f2427baf99e3dd libelf: abolish libelf-relocate.c
```
*(from redmine: issue id 2111, created on 2013-06-21, closed on 2013-07-03)*
* Relations:
* parent #2108
* Changesets:
* Revision 386d947eaf640de1a5515087a2b65d5960e5624b by Natanael Copa on 2013-06-26T13:59:41Z:
```
main/xen: fix xsa55 and xsa57 (CVE-2013-2194,CVE-2013-2195,CVE-2013-2196,CVE-2013-2211)
ref #2108
ref #2117
fixes #2111
fixes #2120
```
* Milestone: Alpine 2.4.12
* Assignee: Natanael Copa

## [v2.4] Xen Security Advisory 57 - libxl allows guest write access to sensitive console related xenstore keys (CVE-2013-2211)
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2120
* Updated: 2019-07-23T14:20:29Z
* Author: Peter Kotcauer

### ISSUE DESCRIPTION
The libxenlight (libxl) toolstack library does not correctly set
permissions on xenstore keys relating to paravirtualised and emulated
serial console devices. This could allow a malicious guest
administrator to change values in xenstore which the host later relies
on being implicitly trusted.
### IMPACT
A malicious guest administrator can read and write any files in the
host filesystem which are accessible to the user id running the
xenconsole client binary. This may be the user id of a host
administrator who connects to the guest’s console or the user id of
any self service mechanism provided to guest administrators by the
host provider.
As well as reading and writing files an attacker with access to an HVM
guest can cause any PV or serial consoles to be connected to a variety
of network resources (sockets, udp connections) or other end points
(fifo, pipes) in the host file filesystem according to the privileges
granted to the qemu device model for that guest.
A malicious guest administrator can also redirect the VNC console
port of the guest to another port on the host. This may expose the VNC
port of other guests or of other firewalled services to an attack.
### VULNERABLE SYSTEMS
All systems which use libxl as part of the toolstack are vulnerable.
libxl is present in Xen versions 4.0 onwards.
The major consumer of libxl functionality is the xl toolstack which
became the default in Xen 4.2.
In addition to this libvirt can optionally make use of libxl. This can be queried with
```
# virsh version
```
which will report “xenlight” if libxl is in use. libvirt currently prefers the xend backend if xend is running.
The xend and xapi toolstacks do not currently use libxl.
### MITIGATION
Host administrators can start a domain paused and manually correct the xenstore permissions of the relevant nodes.
A domain can be started in the paused state with xl by using
```
# xl create -p <cfg>
```
A domain’s domid can then be determined with:
```
# xl domid <name>
```
If using libvirt then virsh can be used instead:
```
# virsh start --paused <name>
# virsh domid <name>
```
For a domain $DOMID the following command will recursively correct the permissions for the primary PV console:
```
# xenstore-chmod -r /local/domain/$DOMID/console n0 r$DOMID
```
If the domain uses a device model stubdomain then it will also be necessary to fix the permissions for the stubdomain. The stubdomain is named “<name>-dm”. Assuming its domain ID is $DMDOM:
```
# xenstore-chmod -r /local/domain/$DMDOM/console n0 r$DMDOM
```
In addition a stub domain has three secondary PV consoles which must be fixed, however in this case the “state” and “protocol” nodes along with the device node itself should not be restricted. For each device $D in [1,2,3]:
```
# xenstore-chmod -r /local/domain/$DMDOM/device/console/$N n0 r$DMDOM
# xenstore-chmod /local/domain/$DMDOM/device/console/$N/state n$DMDOM r0
# xenstore-chmod /local/domain/$DMDOM/device/console/$N/protocol n$DMDOM r0
# xenstore-chmod /local/domain/$DMDOM/device/console/$N n$DMDOM r0
```
The current permissions can be listed with
```
# xenstore-ls -fp <PATH>
```
Once the permissions are fixed you may unpause the domain with
```
# xl unpause <domain>
```
or with virsh:
```
# virsh resume <domain>
```
The permissions can also be corrected on a live system if they are then manually validated to be non-malicious.
See http://wiki.xen.org/wiki/XenBus#Permissions for information on the permissions syntax.
### RESOLUTION
Applying the appropriate attached patch resolves this issue.
xsa57-4.2.patch Xen 4.2.x
xsa57-4.1.patch Xen 4.1.x
xsa57-unstable.patch xen-unstable
```
$ sha256sum xsa57-*.patch
428a1d42f4314404cde339a78a59422bf4f0590c4d16ea8adc83425fe5eede3d  xsa57-4.1.patch
b6a5106848541972519cc529859d9ff3083c79367276c7031560fa4ce6f9f770  xsa57-4.2.patch
d329f56c30f7a4f91906658ea661234d2ca31b74ee68257bf009072999b3d3ef  xsa57-unstable.patch
```
*(from redmine: issue id 2120, created on 2013-06-26, closed on 2013-07-03)*
* Relations:
* parent #2117
* Changesets:
* Revision 386d947eaf640de1a5515087a2b65d5960e5624b by Natanael Copa on 2013-06-26T13:59:41Z:
```
main/xen: fix xsa55 and xsa57 (CVE-2013-2194,CVE-2013-2195,CVE-2013-2196,CVE-2013-2211)
ref #2108
ref #2117
fixes #2111
fixes #2120
```
* Milestone: Alpine 2.4.12
* Assignee: Natanael Copa

## [v2.4] Xen Security Advisory 58 (CVE-2013-1432) - Page reference counting error due to XSA-45/CVE-2013-1918 fixes
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2126
* Updated: 2019-07-23T14:20:22Z
* Author: Peter Kotcauer

references:
http://lists.xen.org/archives/html/xen-announce/2013-06/msg00012.html
### ISSUE DESCRIPTION
The XSA-45/CVE-2013-1918 patch making error handling paths preemptible broke page reference counting by not retaining a reference on pages stored for deferred cleanup. This would lead to the hypervisor prematurely attempting to free the page, generally crashing upon finding the page still in use.
### CREDITS
Thanks to Andrew Cooper and the Citrix XenServer team for discovering
and reporting this vulnerability, and helping investigate it.
### IMPACT
Malicious or buggy PV guest kernels can mount a denial of service attack affecting the whole system. It can’t be excluded that this could also be exploited to mount a privilege escalation attack.
### VULNERABLE SYSTEMS
All Xen versions having the XSA-45/CVE-2013-1918 fixes applied are vulnerable.
The vulnerability is only exposed by PV guests.
### MITIGATION
Running only HVM guests, or PV guests with trusted kernels, will avoid this vulnerability.
### RESOLUTION
Applying the appropriate attached patch resolves this issue.
xsa58-4.1.patch Xen 4.1.x
xsa58-4.2.patch Xen 4.2.x
xsa58-unstable.patch xen-unstable
```
$ sha256sum xsa58*.patch
3623ec87e5a2830f0d41de19a8e448d618954973c3264727a1f3a095f15a8641  xsa58-4.1.patch
194d6610fc38b767d643e5d58a1268f45921fb35e309b47aca6a388b861311c2  xsa58-4.2.patch
2c94b099d7144d03c0f7f44e892a521537fc040d11bc46f84a2438eece46a0f5  xsa58-unstable.patch
```
*(from redmine: issue id 2126, created on 2013-06-26, closed on 2013-07-03)*
* Relations:
* parent #2123
* Changesets:
* Revision f87a9718398452ab5e15eccd2eb427d16098c072 by Natanael Copa on 2013-07-01T17:02:29Z:
```
main/xen: main/xen: fix xsa45 and xsa58 (CVE-2013-1918,CVE-2013-1432)
ref #2123
fixes #2126
```
* Milestone: Alpine 2.4.12
* Assignee: Natanael Copa

## [v2.4] CVE-2013-4113 php: xml_parse_into_struct buffer overflow when parsing deeply nested XML
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2137
* Updated: 2019-07-23T14:20:13Z
* Author: Natanael Copa

references:
https://bugs.php.net/bug.php?id=65236
https://bugzilla.redhat.com/show_bug.cgi?id=983689
*(from redmine: issue id 2137, created on 2013-07-16, closed on 2013-07-18)*
* Relations:
* parent #2136
* Changesets:
* Revision 1be6dba9064c72276b4cebc2a9ade9b279d90d84 by Natanael Copa on 2013-07-16T12:46:41Z:
```
main/php: security upgrade to 5.3.27 (CVE-2013-4113)
ref #2136
fixes #2137
```
* Milestone: Alpine 2.4.12
* Assignee: Carlo Landmeter

## [v2.4] CVE-2013-4125 kernel: ipv6: BUG_ON in fib6_add_rt2node()
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2142
* Updated: 2019-07-12T14:40:24Z
* Author: Peter Kotcauer

references:
http://www.security-database.com/detail.php?alert=CVE-2013-4125
https://bugzilla.redhat.com/show_bug.cgi?id=984664
*(from redmine: issue id 2142, created on 2013-07-18, closed on 2013-07-24)*
* Relations:
* parent #2139
* Milestone: Alpine 2.4.12
* Assignee: Natanael Copa

## [v2.4] CVE-2013-4127 kernel: vhost-net: use-after-free in vhost_net_flush
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2147
* Updated: 2019-07-12T14:40:26Z
* Author: Peter Kotcauer

reference:
https://bugzilla.redhat.com/show_bug.cgi?id=984722
vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free its argument. vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free.
Upstream fix:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=dd7633ecd553a5e304d349aa6f8eb8a0417098c5
Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1280c27f8e29acf4af2da914e80ec27c3dbd5c01
Introduced in upstream version:
v3.8-rc1
*(from redmine: issue id 2147, created on 2013-07-18, closed on 2013-07-23)*
* Relations:
* parent #2144
* Milestone: Alpine 2.4.12
* Assignee: Natanael Copa

## [v2.4] CVE-2013-4130 spice: unsafe clients ring access abort
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2162
* Updated: 2019-07-23T14:20:03Z
* Author: Peter Kotcauer

reference:
https://bugzilla.redhat.com/show_bug.cgi?id=984769
*(from redmine: issue id 2162, created on 2013-07-18, closed on 2013-07-23)*
* Relations:
* parent #2159
* Changesets:
* Revision 0840b37ba1b61fc6068907d72ce76359dface9e4 by Natanael Copa on 2013-07-19T15:26:20Z:
```
main/spice: fix CVE-2013-4130
ref #2159
fixes #2162
```
* Milestone: Alpine 2.4.12
* Assignee: Natanael Copa

## [v2.4] CVE-2013-4073 ruby: hostname check bypassing vulnerability in SSL client
* Issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/2166
* Updated: 2019-07-23T14:20:01Z
* Author: Peter Kotcauer

references:
http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
https://bugzilla.redhat.com/show_bug.cgi?id=979251
*(from redmine: issue id 2166, created on 2013-07-18, closed on 2013-07-29)*
* Relations:
* parent #2164
* Changesets:
* Revision bb618853bacfeddcd43b60c6e71571e2d3981e9b by Natanael Copa on 2013-07-24T09:19:14Z:
```
main/ruby: security upgrade to 1.8.7_p374 (CVE-2013-4073)
ref #2164
fixes #2166
```
Alpine 2.4.12
Carlo Landmeter
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2177
[v2.4] bind: CVE-2013-4854: A specially crafted query can cause BIND to terminate abnormall
2019-07-23T14:19:50Z Natanael Copa
CVE: CVE-2013-4854
Document Version: 2.0
Posting date: 26 July 2013
Program Impacted: BIND
Versions affected: 9.7.0->9.7.7, 9.8.0->9.8.5-P1, 9.9.0->9.9.3-P1, 9.8.6b1 and 9.9.4b1;
Subscription: 9.9.3-S1 and 9.9.4-S1b1
Severity: Critical
Exploitable: Remotely
### Description
A specially crafted query that includes malformed rdata can cause named
to terminate with an assertion failure while rejecting the malformed
query.
BIND 9.6 and BIND 9.6-ESV are unaffected by this problem. Earlier
branches of BIND 9 are believed to be unaffected but have not been
tested. BIND 10 is also unaffected by this issue.
Please Note: All versions of BIND 9.7 are known to be affected, but
these branches are beyond their “end of life” (EOL) and no longer
receive testing or security fixes from ISC. For current information on
which versions are actively supported, please see
http://www.isc.org/downloads/software-support-policy/bind-software-status/.
### Impact
Authoritative and recursive servers are equally vulnerable. Intentional
exploitation of this condition can cause a denial of service in all
nameservers running affected versions of BIND 9. Access Control Lists do
not provide any protection from malicious clients.
In addition to the named server, applications built using libraries from
the affected source distributions may crash with assertion failures
triggered in the same fashion.
CVSS Score: 7.8
CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)
### Workarounds
No known workarounds at this time.
### Active exploits
Crashes have been reported by multiple ISC customers. First observed in
the wild on 26 July 2013.
*(from redmine: issue id 2177, created on 2013-07-29, closed on 2013-07-30)*
* Relations:
* parent #2173
* Changesets:
* Revision 8378c7b716e70df2bc2c6d588dc68620a2756cb7 by Natanael Copa on 2013-07-29T08:26:25Z:
```
main/bind: security upgrade to 9.9.3_p2 (CVE-2013-4854)
fixes #2177
```
Alpine 2.4.12
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2190
[v2.4] libgcrypt CVE-2013-4242 GnuPG susceptible to Yarom/Falkner flush+reload cache side-channel attack
2019-07-23T14:19:37Z Peter Kotcauer
references:
http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html
http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html
Libgcrypt version 1.5.3.
This is a **security fix** release for the stable branch.
Libgcrypt is a general purpose library of cryptographic building
blocks. It is originally based on code used by GnuPG. It does not
provide any implementation of OpenPGP or other protocols. Thorough
understanding of applied cryptography is required to use Libgcrypt.
Noteworthy changes in version 1.5.3:
* Mitigate the Yarom/Falkner flush+reload side-channel attack on
RSA secret keys. See <http://eprint.iacr.org/2013/448>.
\[ Note that Libgcrypt is used by GnuPG 2.x and thus this release fixes
the above problem. The fix for GnuPG < 2.0 can be found in the just
released GnuPG 1.4.14. \]
Source code is hosted at the GnuPG FTP server and its mirrors as
listed at http://www.gnupg.org/download/mirrors.html . On the primary
server the source file and its digital signature are:
ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.3.tar.bz2 (1.5M)
ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.3.tar.bz2.sig
This file is bzip2 compressed. A gzip compressed version is also
available:
ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.3.tar.gz (1.8M)
ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.3.tar.gz.sig
Alternatively you may upgrade from version 1.5.2 using this patch file:
ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.2-1.5.3.diff.bz2 (4k)
The SHA-1 checksums are:
2c6553cc17f2a1616d512d6870fe95edf6b0e26e libgcrypt-1.5.3.tar.bz2
184405c91d1ab4877caefb1a6458767e5f0b639e libgcrypt-1.5.3.tar.gz
b711fe3ddf534bb6f11823542036eb4a32e0c914 libgcrypt-1.5.2-1.5.3.diff.bz2
*(from redmine: issue id 2190, created on 2013-08-02, closed on 2013-08-06)*
* Relations:
* parent #2187
* Changesets:
* Revision a78dcc77315409e70607d0180e52d7c3367247ad by Natanael Copa on 2013-08-05T14:15:08Z:
```
main/libgcrypt: security upgrade to 1.5.3 (CVE-2013-4242)
ref #2187
fixes #2190
```
Alpine 2.4.12
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2200
[v2.4] quagga: CVE-2013-2236, stack overrun in apiserver
2019-07-23T14:19:29Z Natanael Copa
http://nongnu.uib.no//quagga/quagga-0.99.22.3.changelog.txt
commit 3f872fe60463a931c5c766dbf8c36870c0023e88
Author: David Lamparter <equinox@opensourcerouting.org>
Date: Mon Jul 8 23:05:28 2013 +0200
ospfd: CVE-2013-2236, stack overrun in apiserver
the OSPF API-server (exporting the LSDB and allowing announcement of
Opaque-LSAs) writes past the end of fixed on-stack buffers. This leads
to an exploitable stack overflow.
For this condition to occur, the following two conditions must be true:
- Quagga is configured with --enable-opaque-lsa
- ospfd is started with the "-a" command line option
If either of these does not hold, the relevant code is not executed and
the issue does not get triggered.
Since the issue occurs on receiving large LSAs (larger than 1488 bytes),
it is possible for this to happen during normal operation of a network.
In particular, if there is an OSPF router with a large number of
interfaces, the Router-LSA of that router may exceed 1488 bytes and
trigger this, leading to an ospfd crash.
For an attacker to exploit this, s/he must be able to inject valid LSAs
into the OSPF domain. Any best-practice protection measure (using
crypto authentication, restricting OSPF to internal interfaces, packet
filtering protocol 89, etc.) will prevent exploitation. On top of that,
remote (not on an OSPF-speaking network segment) attackers will have
difficulties bringing up the adjacency needed to inject a LSA.
This patch only performs minimal changes to remove the possibility of a
stack overrun. The OSPF API in general is quite ugly and needs a
rewrite.
Reported-by: Ricky Charlet <ricky.charlet@hp.com>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
*(from redmine: issue id 2200, created on 2013-08-06, closed on 2013-08-30)*
* Relations:
* parent #2195
Alpine 2.4.12
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2207
[v2.4] Multiple security issues in libtiff (CVE-2013-1960 , CVE-2013-1961)
2019-07-23T14:19:24Z Peter Kotcauer
references:
https://access.redhat.com/security/cve/CVE-2013-1960
https://access.redhat.com/security/cve/CVE-2013-1961
Two flaws were reported to us in tiff2pdf utility shipped with the
libtiff library. Details as follows:
1. CVE-2013-1961 libtiff (tiff2pdf): Stack-based buffer overflow with
malformed image-length and resolution
A stack-based buffer overflow was found in the way tiff2pdf, a TIFF
image to a PDF document conversion tool, of libtiff, a library of
functions for manipulating TIFF (Tagged Image File Format) image format
files, performed write of TIFF image content into particular PDF
document file, when malformed image-length and resolution values are
used in the TIFF file. A remote attacker could provide a
specially-crafted TIFF image format file, that when processed by
tiff2pdf would lead to tiff2pdf executable crash.
Reference: https://bugzilla.redhat.com/show\_bug.cgi?id=952131
2. CVE-2013-1960 libtiff (tiff2pdf): Heap-based buffer overflow in
t2\_process\_jpeg\_strip()
A heap-based buffer overflow flaw was found in the way tiff2pdf, a TIFF
image to a PDF document conversion tool, of libtiff, a library of
functions for manipulating TIFF (Tagged Image File Format) image format
files, performed write of TIFF image content into particular PDF
document file, in the tp\_process\_jpeg\_strip() function. A remote
attacker could provide a specially-crafted TIFF image format file, that
when processed by tiff2pdf would lead to tiff2pdf executable crash or,
potentially, arbitrary code execution with the privileges of the user
running the tiff2pdf binary.
Reference: https://bugzilla.redhat.com/show\_bug.cgi?id=952158
*(from redmine: issue id 2207, created on 2013-08-06, closed on 2013-08-29)*
* Relations:
* parent #2203
* Changesets:
* Revision 0b6330a18a153ba21a8f38fa27469cbf0c0d14c4 by Natanael Copa on 2013-08-07T14:35:19Z:
```
main/tiff: sec fixes from upstream (CVE-2013-1960,CVE-2013-1961)
ref #2203
fixes #2207
```
Alpine 2.4.12
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2212
[v2.4] CVE-2013-4131 subversion: DoS (assertion failure, crash) in mod_dav_svn when handling certain MOVE, COPY, or DELETE HTTP requests
2019-07-23T14:19:19Z Peter Kotcauer
reference:
http://subversion.apache.org/security/CVE-2013-4131-advisory.txt
A vulnerability has been found and corrected in subversion:
The mod\_dav\_svn Apache HTTPD server module in Subversion 1.7.0 through
1.7.10 and 1.8.x before 1.8.1 allows remote authenticated users to
cause a denial of service (assertion failure or out-of-bounds read)
via a certain (1) COPY, (2) DELETE, or (3) MOVE request against a
revision root (CVE-2013-4131).
*(from redmine: issue id 2212, created on 2013-08-06, closed on 2013-08-30)*
* Relations:
* parent #2209
* Changesets:
* Revision a14b3265c02eed3547dfc5e62b8152433683c66a by Natanael Copa on 2013-08-08T10:45:59Z:
```
main/subversion: security upgrade to 1.7.11 (CVE-4131)
fixes #2212
```
Alpine 2.4.12
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2216
[v2.4] CVE-2013-1896 apache2: mod_dav DoS (httpd child process crash) via a URI MERGE request with source URI not handled by mod_dav
2019-07-23T14:19:15Z Peter Kotcauer
references:
http://s.apache.org/H1a
https://access.redhat.com/security/cve/CVE-2013-1896
mod\_dav.c in the Apache HTTP Server before 2.2.25 does not properly
determine whether DAV is enabled for a URI, which allows remote
attackers to cause a denial of service (segmentation fault) via a MERGE
request in which the URI is configured for handling by the mod\_dav\_svn
module, but a certain href attribute in XML data refers to a non-DAV URI.
*(from redmine: issue id 2216, created on 2013-08-06, closed on 2013-08-30)*
* Relations:
* parent #2214
* Changesets:
* Revision bae0972f3c8bee8cb8fdf9d73463d1fe043ba17c by Natanael Copa on 2013-08-08T10:52:31Z:
```
main/apache2: security upgrade to 2.2.25 (CVE-2013-1896)
fixes #2216
```
Alpine 2.4.12
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2235
[2.4] cacti CVE-2013-1434, CVE-2013-1435
2019-07-23T14:18:56Z Peter Kotcauer
Two security issues (SQL injection and command line injection via SNMP
settings) were found in Cacti, a web interface for graphing of
monitoring systems.
*(from redmine: issue id 2235, created on 2013-08-29, closed on 2013-08-30)*
* Relations:
* parent #2231
* Changesets:
* Revision c88fc5c79c5875673a0c57f1c601d036d9aa4931 by Natanael Copa on 2013-08-30T13:47:12Z:
```
main/cacti: security upgrade to 0.8.8b (CVE-2013-1434,CVE-2013-1435)
fixes #2235
```
Alpine 2.4.12
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2241
[2.4]lcms CVE-2013-4276
2019-07-23T14:18:50Z Peter Kotcauer
references:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718682
https://bugzilla.redhat.com/show\_bug.cgi?id=991757\#attach\_783274
https://bugzilla.redhat.com/show\_bug.cgi?id=991757
*(from redmine: issue id 2241, created on 2013-08-29, closed on 2013-08-30)*
* Relations:
* parent #2237
* Changesets:
* Revision 2b610e740af36c298240910e010b29396f4b8f23 by Natanael Copa on 2013-08-30T13:31:11Z:
```
main/lcms: fix CVE-2013-4276
fixes #2241
```
Alpine 2.4.12
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2274
[v2.4] Zabbix vulnerability in 2.0.8 (CVE-2013-5743)
2019-07-23T14:18:26Z Natanael Copa
More details in https://support.zabbix.com/browse/ZBX-7091. Can we
patch 2.0.8 in edge (at least) please?
*(from redmine: issue id 2274, created on 2013-10-08, closed on 2013-10-09)*
* Relations:
* parent #2271
* Changesets:
* Revision 6a7754475627b26c051baaa5fc4f8d4de85589f7 by Natanael Copa on 2013-10-09T08:07:33Z:
```
main/zabbix: security upgrade to 1.8.18 (CVE-2013-5743)
fixes #2274
```
Alpine 2.4.12
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2310
[v2.4] Linux kernel: ipc: ipc_rcu_putref refcount races (CVE-2013-4483)
2019-07-23T14:17:57Z Natanael Copa
The ipc\_rcu\_putref function in ipc/util.c in the Linux kernel before
3.10 does not properly manage a reference count, which allows local
users to cause a denial of service (memory consumption or system crash)
via a crafted application.
*(from redmine: issue id 2310, created on 2013-11-12, closed on 2014-06-04)*
* Relations:
* parent #2301
Alpine 2.4.12
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2319
[v2.4] linux-grsec: CVE-2013-4348: kernel denial of service
2019-07-23T14:17:51Z Natanael Copa
The skb\_flow\_dissect function in net/core/flow\_dissector.c in the
Linux kernel through 3.12 allows remote attackers to cause a denial of
service (infinite loop) via a small value in the IHL field of a packet
with IPIP encapsulation.
* CONFIRM: https://bugzilla.redhat.com/show\_bug.cgi?id=1007939
* CONFIRM: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=6f092343855a71e03b8d209815d8c45bf3a27fcd
*(from redmine: issue id 2319, created on 2013-11-12, closed on 2013-11-15)*
* Relations:
* parent #2302
* Changesets:
* Revision c52034e6fbfdea1ad9c4f948d7ec06c3ed0280cf by Natanael Copa on 2013-11-12T15:38:56Z:
```
main/linux-grsec: upgrade to 3.4.68 (CVE-2013-4348,CVE-2013-4470)
fixes #2319
fixes #2327
```
Alpine 2.4.12
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2322
[v2.4] linux-vserver: CVE-2013-4348: kernel denial of service
2019-07-23T14:17:48Z Natanael Copa
The skb\_flow\_dissect function in net/core/flow\_dissector.c in the
Linux kernel through 3.12 allows remote attackers to cause a denial of
service (infinite loop) via a small value in the IHL field of a packet
with IPIP encapsulation.
* CONFIRM: https://bugzilla.redhat.com/show\_bug.cgi?id=1007939
* CONFIRM: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=6f092343855a71e03b8d209815d8c45bf3a27fcd
*(from redmine: issue id 2322, created on 2013-11-12, closed on 2013-11-15)*
* Relations:
* parent #2302
* Changesets:
* Revision fc302f8cee02077c4c747133d76ffca1ae9bce91 by Natanael Copa on 2013-11-14T10:14:25Z:
```
main/linux-vserver: upgrade to 3.4.69 and fix CVE-2013-4348
fixes #2322
```
Alpine 2.4.12
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2327
[v2.4] CVE-2013-4470: kernel; UDP Fragmentation Offload (UFO) enabled; denial of service
2019-07-23T14:17:43Z Natanael Copa
The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is
enabled, does not properly initialize certain data structures, which
allows local users to cause a denial of service (memory corruption and
system crash) or possibly gain privileges via a crafted application that
uses the UDP\_CORK option in a setsockopt system call and sends both
short and long packets, related to the ip\_ufo\_append\_data function in
net/ipv4/ip\_output.c and the ip6\_ufo\_append\_data function in
net/ipv6/ip6\_output.c.
* MLIST: \[oss-security\] 20131025 Re: CVE request: Linux kernel: net: memory corruption with UDP\_CORK and UFO
* URL: http://www.openwall.com/lists/oss-security/2013/10/25/5
* CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b
* CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e93b7d748be887cd7639b113ba7d7ef792a7efb9
* CONFIRM: https://bugzilla.redhat.com/show\_bug.cgi?id=1023477
* CONFIRM: https://github.com/torvalds/linux/commit/c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b
* CONFIRM: https://github.com/torvalds/linux/commit/e93b7d748be887cd7639b113ba7d7ef792a7efb9
* CONFIRM: https://www.kernel.org/pub/linux/kernel/v3.x/patch-3.12.bz2
Upgrade to 3.4.68.
*(from redmine: issue id 2327, created on 2013-11-12, closed on 2013-11-18)*
* Relations:
* parent #2303
* Changesets:
* Revision c52034e6fbfdea1ad9c4f948d7ec06c3ed0280cf by Natanael Copa on 2013-11-12T15:38:56Z:
```
main/linux-grsec: upgrade to 3.4.68 (CVE-2013-4348,CVE-2013-4470)
fixes #2319
fixes #2327
```
Alpine 2.4.12
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2333
[v2.4] CVE-2013-4350: Linux kernel: net: sctp: ipv6 ipsec encryption bug in sctp_v6_xmit
2019-07-23T14:17:40Z Alexander Belous
Description
The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel
through 3.11.1 uses data structures and function calls that do not
trigger an intended configuration of IPsec encryption, which allows
remote attackers to obtain sensitive information by sniffing the
network.
* URL: http://www.openwall.com/lists/oss-security/2013/09/13/3
* CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=95ee62083cb6453e056562d91f597552021e6ae7
* CONFIRM: https://bugzilla.redhat.com/show\_bug.cgi?id=1007872
* CONFIRM: https://github.com/torvalds/linux/commit/95ee62083cb6453e056562d91f597552021e6ae7
*(from redmine: issue id 2333, created on 2013-11-12, closed on 2017-05-17)*
* Relations:
* parent #2306
Alpine 2.4.12
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2339
[v2.4] CVE-2013-4475, CVE-2013-4476: samba
2019-07-23T14:17:33Z Alexander Belous
http://www.samba.org/samba/history/
*(from redmine: issue id 2339, created on 2013-11-13, closed on 2013-11-18)*
* Relations:
* parent #2338
* Changesets:
* Revision 145836360ec3811eac5629311303d891a9088ce4 by Natanael Copa on 2013-11-14T10:34:54Z:
```
main/samba: security upgrade to 3.6.20 (CVE-2013-4475,CVE-2013-4476)
fixes #2339
```
Alpine 2.4.12
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2349
[v2.4] OpenSSH Security Advisory: gcmrekey.adv (CVE-2013-4548)
2019-07-23T14:17:24Z Natanael Copa
OpenSSH Security Advisory: gcmrekey.adv
This document may be found at: http://www.openssh.com/txt/gcmrekey.adv
1. Vulnerability
A memory corruption vulnerability exists in the post-
authentication sshd process when an AES-GCM cipher
(aes128-gcm@openssh.com or aes256-gcm@openssh.com) is
selected during kex exchange.
If exploited, this vulnerability might permit code execution
with the privileges of the authenticated user and may
therefore allow bypassing restricted shell/command
configurations.
2. Affected configurations
OpenSSH 6.2 and OpenSSH 6.3 when built against an OpenSSL
that supports AES-GCM.
3. Mitigation
Disable AES-GCM in the server configuration. The following
sshd_config option will disable AES-GCM while leaving other
ciphers active:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
4. Details
When using AES-GCM, sshd was not initialising a Message
Authentication Code (MAC) context that is unused when the
cipher mode offers authentication itself. This context
contains some callback pointers, including a cleanup callback
that was still being invoked during a rekeying operation.
As such, the address being called was derived from previous
heap contents.
This vulnerability is mitigated by the difficulty of
pre-loading the heap with a useful callback address and by
any platform address-space layout randomisation applied to
sshd and the shared libraries it depends upon.
5. Credit
This issue was identified by Markus Friedl (an OpenSSH
developer) on November 7th, 2013.
6. Fix
OpenSSH 6.4 contains a fix for this vulnerability. Users who
prefer to continue to use OpenSSH 6.2 or 6.3 may apply this
patch:
Index: monitor_wrap.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/monitor_wrap.c,v
retrieving revision 1.76
diff -u -p -u -r1.76 monitor_wrap.c
--- monitor_wrap.c 17 May 2013 00:13:13 -0000 1.76
+++ monitor_wrap.c 6 Nov 2013 16:31:26 -0000
@@ -469,7 +469,7 @@ mm_newkeys_from_blob(u_char *blob, int b
buffer_init(&b);
buffer_append(&b, blob, blen);
- newkey = xmalloc(sizeof(*newkey));
+ newkey = xcalloc(1, sizeof(*newkey));
enc = &newkey->enc;
mac = &newkey->mac;
comp = &newkey->comp;
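Review bot: switching `xmalloc` to `xcalloc` zero-fills the whole `newkey` struct, so the MAC context that the AES-GCM path leaves uninitialised now carries NULL callback pointers instead of stale heap contents. That is only a complete fix if the rekey cleanup path described in section 4 checks those pointers for NULL before invoking them; that check is not in this hunk, so confirm it exists, otherwise the attacker-influenced call becomes a NULL dereference rather than going away. A one-line comment above the allocation stating that zero-initialisation is required for the unused MAC context would keep a future cleanup from reverting it to `xmalloc`.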
*(from redmine: issue id 2349, created on 2013-11-14, closed on 2013-11-14)*
* Relations:
* parent #2346
Alpine 2.4.12
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2351
[v2.4] CVE-2013-4508 CVE-2013-4559 CVE-2013-4560: lighttpd
2019-07-23T14:17:22Z Alexander Belous
Several vulnerabilities have been discovered in the lighttpd web server.
CVE-2013-4508
It was discovered that lighttpd uses weak ssl ciphers when SNI (Server
Name Indication) is enabled. This issue was solved by ensuring that
stronger ssl ciphers are used when SNI is selected.
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2925
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2913
CVE-2013-4559
The clang static analyzer was used to discover privilege escalation
issues due to missing checks around lighttpd’s setuid, setgid, and
setgroups calls. Those are now appropriately checked.
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2923
CVE-2013-4560
The clang static analyzer was used to discover a use-after-free issue
when the FAM stat cache engine is enabled, which is now fixed.
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2921
*(from redmine: issue id 2351, created on 2013-11-14, closed on 2013-11-18)*
* Relations:
* parent #2350
* Changesets:
* Revision 0238d08745129ac6330aec20e5f110bf3bec3599 by Natanael Copa on 2013-11-15T12:09:55Z:
```
main/lighttpd: various sec fixes (CVE-2013-4508,CVE-2013-4559,CVE-2013-4560)
ref #2350
fixes #2351
```
Alpine 2.4.12
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2370
[v2.4] nginx security advisory (CVE-2013-4547)
2019-07-23T14:17:08Z Natanael Copa
http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html
Ivan Fratric of the Google Security Team discovered a bug in nginx,
which might allow an attacker to bypass security restrictions in certain
configurations by using a specially crafted request, or might have
potential other impact (CVE-2013-4547).
Some checks on a request URI were not executed on a character following
an unescaped space character (which is invalid per HTTP protocol, but
allowed for compatibility reasons since nginx 0.8.41). One of the
results is that it was possible to bypass security restrictions like
```
location /protected/ {
    deny all;
}
```
by requesting a file as “/foo /../protected/file” (in case of static
files, only if there is a “foo ” directory with a trailing space), or to
trigger processing of a file with a trailing space in a configuration
like
```
location ~ \.php$ {
    fastcgi_pass …
}
```
by requesting a file as “/file \\0.php”.
The problem affects nginx 0.8.41 - 1.5.6.
The problem is fixed in nginx 1.5.7, 1.4.4.
Patch for the problem can be found here:
http://nginx.org/download/patch.2013.space.txt
As a temporary workaround the following configuration
can be used in each server{} block:
```
if ($request_uri ~ " ") {
    return 444;
}
```
*(from redmine: issue id 2370, created on 2013-11-20, closed on 2013-11-20)*
* Relations:
* parent #2364
* Changesets:
* Revision b3726212255d94d087466f1de1930eb286cbc0dd by Natanael Copa on 2013-11-20T13:36:10Z:
```
main/nginx: security fix (CVE-2013-4547)
fixes #2370
```
Alpine 2.4.12
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2377
[v2.4] CVE-2013-4545: libcurl cert name check ignore
2019-07-23T14:17:06Z Alexander Belous
3. THE SOLUTION
libcurl 7.33.0 makes sure that both options independently will cause the
operation to fail unless the criteria is fulfilled. The fix was
committed, pushed and released without the full security implications
being properly realized.
4. RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order
of preference:
* A - Upgrade to curl and libcurl 7.33.0
* B - Apply (https://github.com/bagder/curl/commit/3c3622b6) and rebuild libcurl
* C - Make sure CURLOPT\_SSL\_VERIFYPEER is not disabled
* D - Build libcurl with another TLS backend than OpenSSL\*
*(from redmine: issue id 2377, created on 2013-11-21, closed on 2013-12-02)*
* Relations:
* parent #2376
* Changesets:
* Revision 2fa3868d4cb0239491a154da0a797178a2c932d1 by Natanael Copa on 2013-11-25T14:21:36Z:
```
main/curl: security fix (CVE-2013-4545)
fixes #2377
```
Alpine 2.4.12
Natanael Copa
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2381
[v2.4] XADV-2013008 Linux Kernel 3.11.7 <= sk_attach_filter Kernel Heap Corruption
2019-07-12T14:42:12Z Alexander Belous
Vulnerable versions:
- linux kernel 3.11.7 <=
Testbed: ubuntu
Type: Local
Impact: Medium
Vendor: http://www.kernel.org
Author: x90c <geinblues nospam gmail dot com>
Site: x90c.org
ABSTRACT:
The Linux Socket Filtering is derived from the Berkeley Packet Filter.
There are some distinct differences between the BSD and Linux Kernel
Filtering.
Linux Socket Filtering (LSF) allows a user-space program to attach a
filter onto any socket and allow or disallow certain types of data to
come through the socket. LSF follows exactly the same filter code
structure as the BSD Berkeley Packet Filter (BPF).
The Linux kernel has a vulnerability that leads to a kernel panic via an
integer overflow. It occurs in sk_attach_filter() in /net/core/filter.c.
References:
[1] https://www.kernel.org/doc/Documentation/networking/filter.txt
[2] http://www.cs.columbia.edu/~nahum/w6998/lectures/vpk-columbia-nsdi-lsf.pdf
DETAILS:
[~/linux-3.11.7/net/core/filter.c]
```
int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
{
    struct sk_filter *fp, *old_fp;
    // XXX user controllable fprog->len, stored count of filter to attach.
    unsigned int fsize = sizeof(struct sock_filter) * fprog->len;
    int err;

    if (sock_flag(sk, SOCK_FILTER_LOCKED))
        return -EPERM;

    /* Make sure new filter is there and in the right amounts. */
    if (fprog->filter == NULL)
        return -EINVAL;

    // XXX Integer overflow (+ sizeof(*fp)) and causing a little allocation.
    fp = sock_kmalloc(sk, fsize+sizeof(*fp), GFP_KERNEL);
    if (!fp)
        return -ENOMEM;

    // XXX kernel heap corruption occurred with fsize with larger value.
    if (copy_from_user(fp->insns, fprog->filter, fsize)) {
        sock_kfree_s(sk, fp, fsize+sizeof(*fp));
```
*(from redmine: issue id 2381, created on 2013-11-21, closed on 2014-04-17)*
* Relations:
* parent #2380

Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2393
[v2.4] CVE-2013-1739: nss
Updated: 2019-07-23T14:17:02Z
Author: Alexander Belous

Mozilla Network Security Services (NSS) before 3.15.2 does not ensure
that data structures are initialized before read operations, which
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors that trigger a decryption failure
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1739
*(from redmine: issue id 2393, created on 2013-11-22, closed on 2014-03-03)*
* Relations:
* parent #2391

Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2398
[v2.4] CVE-2013-1741: nss
Updated: 2019-07-23T14:16:57Z
Author: Alexander Belous

Integer overflow in Mozilla Network Security Services (NSS) 3.15
before 3.15.3 allows remote attackers to cause a denial of service or
possibly have unspecified other impact via a large size value (CVE-2013-1741).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1741
*(from redmine: issue id 2398, created on 2013-11-22, closed on 2013-12-03)*
* Relations:
* parent #2397

Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2404
[v2.4] CVE-2013-2566 CVE-2013-5605 CVE-2013-5606: nss and RC4 (TLS, SSL)
Updated: 2019-07-23T14:16:52Z
Author: Alexander Belous

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has
many single-byte biases, which makes it easier for remote attackers
to conduct plaintext-recovery attacks via statistical analysis of
ciphertext in a large number of sessions that use the same plaintext
(CVE-2013-2566).
Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15
before 3.15.3 allows remote attackers to cause a denial of service or
possibly have unspecified other impact via invalid handshake packets
(CVE-2013-5605).
The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla
Network Security Services (NSS) 3.15 before 3.15.3 provides an
unexpected return value for an incompatible key-usage certificate
when the CERTVerifyLog argument is valid, which might allow remote
attackers to bypass intended access restrictions via a crafted
certificate (CVE-2013-5606).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5605
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5606
*(from redmine: issue id 2404, created on 2013-11-22, closed on 2014-03-03)*
* Relations:
* parent #2403

Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2409
[v2.4] CVE-2013-5607: nspr
Updated: 2019-07-23T14:16:47Z
Author: Alexander Belous

Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape
Portable Runtime (NSPR) before 4.10.2, as used in Firefox before
25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and
SeaMonkey before 2.22.1, allows remote attackers to cause a denial of
service (application crash) or possibly have unspecified other impact
via a crafted X.509 certificate, a related issue to CVE-2013-1741
(CVE-2013-5607).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5607
*(from redmine: issue id 2409, created on 2013-11-22, closed on 2014-03-03)*
* Relations:
* parent #2408

Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2417
[v2.4] CVE-2013-4473 CVE-2013-4474: poppler
Updated: 2019-07-23T14:16:40Z
Author: Alexander Belous

Poppler is found to be affected by a stack based buffer overflow
vulnerability in the pdfseparate utility. Successfully exploiting this issue
could allow remote attackers to execute arbitrary code in the context of the
affected application. Failed exploits may result in denial-of-service
conditions (CVE-2013-4473).
The issue is said to be fixed in poppler 0.24.2.
Poppler was found to have a user controlled format string vulnerability
because it fails to sanitize user-supplied input. An attacker may exploit
this issue to execute arbitrary code in the context of the vulnerable
application. Failed exploit attempts will likely result in a
denial-of-service condition (CVE-2013-4474).
The issue is said to be fixed in Poppler 0.24.3.
References:
[ 1 ] Bug #1024753 - CVE-2013-4473 poppler: stack-based buffer overflow in pdfseparate utility
https://bugzilla.redhat.com/show_bug.cgi?id=1024753
[ 2 ] Bug #1024762 - CVE-2013-4474 poppler: format string flaw in pdfseparate utility
https://bugzilla.redhat.com/show_bug.cgi?id=1024762
*(from redmine: issue id 2417, created on 2013-11-22, closed on 2013-12-04)*
* Relations:
* parent #2416
* Changesets:
* Revision d4c3615f7139db89c4dc3f20759b3ff3f87f87ed by Natanael Copa on 2013-12-03T13:05:28Z:
```
main/poppler: security fix (CVE-2013-4473,CVE-2013-4474)
fixes #2417
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2422
[v2.4] XSA-61: libxl partially sets up HVM passthrough even with disabled iommu
Updated: 2019-07-23T14:16:36Z
Author: Alexander Belous

RESOLUTION
xsa61-4.1.patch Xen 4.1.x
xsa61-4.2-unstable.patch Xen 4.2.x, xen-unstable
*(from redmine: issue id 2422, created on 2013-11-22, closed on 2013-12-03)*
* Relations:
* parent #2421
* Changesets:
* Revision 5be71c7331614a992a112079f465f508118e2aa3 by Natanael Copa on 2013-12-03T11:21:06Z:
```
main/xen: security fix for CVE-2013-4329/XSA-61
fixes #2422
```
Milestone: Alpine 2.4.12
Assignee: Ariadne Conill <ariadne@ariadne.space>

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2429
[v2.4] CVE-2013-4351: GnuPG treats no-usage-permitted keys as all-usages-permitted
Updated: 2019-07-23T14:16:28Z
Author: Alexander Belous

GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits
cleared (no usage permitted) as if it has all bits set (all usage
permitted), which might allow remote attackers to bypass intended
cryptographic protection mechanisms by leveraging the subkey.
* MLIST: [oss-security] 20130913 Re: GnuPG treats no-usage-permitted keys as all-usages-permitted
* URL: http://www.openwall.com/lists/oss-security/2013/09/13/4
* CONFIRM: http://thread.gmane.org/gmane.comp.encryption.gpg.devel/17712/focus=18138
* CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1010137
* SUSE: openSUSE-SU-2013:1526
* URL: http://lists.opensuse.org/opensuse-updates/2013-10/msg00003.html
* SUSE: openSUSE-SU-2013:1532
* URL: http://lists.opensuse.org/opensuse-updates/2013-10/msg00006.html
* UBUNTU: USN-1987-1
* URL: http://ubuntu.com/usn/usn-1987-1
*(from redmine: issue id 2429, created on 2013-11-22, closed on 2013-12-02)*
* Relations:
* parent #2428
* Changesets:
* Revision 7d23506288363cc604c77fa2bc7ec36eed7a5c61 by Natanael Copa on 2013-11-26T14:36:04Z:
```
main/gnupg: security upgrade to 2.0.22 (CVE-2013-4351)
fixes #2429
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2442
[v2.4] wireshark: upgrade to 1.6.16 (CVE-2013-4074,CVE-2013-4081,CVE-2013-4083)
Updated: 2019-07-23T14:16:15Z
Author: Natanael Copa

The following vulnerabilities have been fixed.
wnpa-sec-2013-32
The CAPWAP dissector could crash. Discovered by Laurent Butti. (Bug 8725)
Versions affected: 1.8.0 to 1.8.7, 1.6.0 to 1.6.15.
CVE-2013-4074
wnpa-sec-2013-39
The HTTP dissector could overrun the stack. Discovered by David Keeler. (Bug 8733)
Versions affected: 1.8.0 to 1.8.7, 1.6.0 to 1.6.15.
CVE-2013-4081
wnpa-sec-2013-41
The DCP ETSI dissector could crash. (Bug 8717)
Versions affected: 1.10.0, 1.8.0 to 1.8.7, 1.6.0 to 1.6.15.
CVE-2013-4083
http://www.wireshark.org/docs/relnotes/wireshark-1.6.16.html
*(from redmine: issue id 2442, created on 2013-11-26, closed on 2013-12-02)*
* Changesets:
* Revision c63d8b6e3c721bd4bf8d7af76a2c662766bf1e98 by Natanael Copa on 2013-11-26T15:31:01Z:
```
main/wireshark: security upgrade to 1.6.16 (CVE-2013-4074,CVE-2013-4081,CVE-2013-4083)
fixes #2442
```
Milestone: Alpine 2.4.12

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2452
[v2.4] CVE-2011-4971: memcached crash
Updated: 2019-07-23T14:16:06Z
Author: Alexander Belous

A vulnerability was found and corrected in memcached:
Memcached is vulnerable to a denial of service as it can be made to
crash when it receives a specially crafted packet over the network
(CVE-2011-4971).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4971
https://code.google.com/p/memcached/issues/detail?id=192#c19
*(from redmine: issue id 2452, created on 2013-12-03, closed on 2013-12-04)*
* Relations:
* parent #2451
* Changesets:
* Revision 82a118c6ad22de1fd39186499c9bf1e3d58d9de6 by Natanael Copa on 2013-12-03T13:44:31Z:
```
main/memcached: upgrade to 1.4.15 and security workaround for CVE-2011-4971
ref #2451
fixes #2452
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2457
[v2.4] CVE-2013-4407: perl-http-body
Updated: 2019-07-23T14:16:01Z
Author: Alexander Belous

HTTP::Body::Multipart in the HTTP-Body 1.08, 1.17, and earlier module
for Perl uses the part of the uploaded file’s name after the first “.”
character as the suffix of a temporary file, which makes it easier for
remote attackers to conduct attacks by leveraging subsequent behavior
that may assume the suffix is well-formed.
* CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721634
* DEBIAN: DSA-2801
* URL: http://www.debian.org/security/2013/dsa-2801
*(from redmine: issue id 2457, created on 2013-12-03, closed on 2013-12-10)*
* Relations:
* parent #2456
* Changesets:
* Revision 6041642bea0d97919a65d2e7e2d8211a0cf744f5 on 2013-12-03T16:10:09Z:
```
main/perl-http-body: security fix (CVE-2013-4407). Fixes #2457
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2462
[v2.4] CVE-2013-4164: ruby buffer overflow
Updated: 2019-07-23T14:15:56Z
Author: Alexander Belous

Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0
before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision
43780 allows context-dependent attackers to cause a denial of service
(segmentation fault) and possibly execute arbitrary code via a string
that is converted to a floating point value, as demonstrated using
(1) the to_f method or (2) JSON.parse (CVE-2013-4164).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4164
*(from redmine: issue id 2462, created on 2013-12-03, closed on 2013-12-04)*
* Relations:
* parent #2461
* Changesets:
* Revision 679810634a9c18b619329faf0b4ffcd21685712f by Natanael Copa on 2013-12-03T14:29:35Z:
```
main/ruby: security fix for CVE-2013-4164
fixes #2462
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2467
[v2.4] CVE-2013-6051: quagga: bgpd could be crashed through BGP updates
Updated: 2019-07-23T14:15:51Z
Author: Alexander Belous

bgpd could be crashed through BGP updates.
The patch has been applied by the vendor for the quagga_0_99_21_release
branch just 2 weeks ago. So not sure if other branches are vulnerable:
http://git.savannah.gnu.org/gitweb/?p=quagga.git;a=commitdiff;h=8794e8d229dc9fe29ea31424883433d4880ef408
http://git.savannah.gnu.org/gitweb/?p=quagga.git;a=shortlog;h=refs/heads/stable/0.99.21
*(from redmine: issue id 2467, created on 2013-12-03, closed on 2013-12-13)*
* Relations:
* parent #2466
* Changesets:
* Revision 2ec54a88f9fc8d7992c73a2a5462630025bcc7e8 by Natanael Copa on 2013-12-10T10:54:12Z:
```
main/quagga: security fixes (CVE-2012-1820, CVE-2013-2236, CVE-2013-6051)
ref #2466
fixes #2467
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2472
[v2.4] CVE-2013-4288 CVE-2013-4324 CVE-2013-4311: polkit, spice-gtk, libvirt: bypass intended access restrictions
Updated: 2019-07-23T14:15:48Z
Author: Alexander Belous

Race condition in PolicyKit (aka polkit) allows local users to bypass
intended PolicyKit restrictions and gain privileges by starting a setuid
or pkexec process before the authorization check is performed, related
to (1) the polkit_unix_process_new API function, (2) the dbus API, or
(3) the --process (unix-process) option for authorization to pkcheck.
Seems to be fixed in polkit-0.112
(http://cgit.freedesktop.org/polkit/commit/?id=3968411b0c7ba193f9b9276ec911692aec248608).
If so, Alpine Linux v2.4 to v2.7 are vulnerable.
* MLIST: [oss-security] 20130918 Fwd: [vs-plain] polkit races
* URL: http://www.openwall.com/lists/oss-security/2013/09/18/4
* MLIST: [oss-security] 20130918 Re: Fwd: [vs-plain] polkit races
* URL: http://seclists.org/oss-sec/2013/q3/626
* MISC: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1002375
* REDHAT: RHSA-2013:1270
* URL: http://rhn.redhat.com/errata/RHSA-2013-1270.html
* REDHAT: RHSA-2013:1460
* URL: http://rhn.redhat.com/errata/RHSA-2013-1460.html
* SUSE: openSUSE-SU-2013:1527
* URL: http://lists.opensuse.org/opensuse-updates/2013-10/msg00004.html
* SUSE: openSUSE-SU-2013:1528
* URL: http://lists.opensuse.org/opensuse-updates/2013-10/msg00005.html
* UBUNTU: USN-1953-1
* URL: http://www.ubuntu.com/usn/USN-1953-1
*(from redmine: issue id 2472, created on 2013-12-03, closed on 2014-01-07)*
* Relations:
* parent #2471
* Changesets:
* Revision 43de28a5532fe55c0b52196fd78c8a43b8694f82 by Natanael Copa on 2013-12-24T11:11:53Z:
```
main/polkit: security fix for CVE-2013-4288
ref #2471
fixes #2472
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2478
[v2.4] CVE-2013-1821: lib/rexml/text.rb in the REXML parser in Ruby
Updated: 2019-07-23T14:15:42Z
Author: Alexander Belous

lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows
remote attackers to cause a denial of service (memory consumption and
crash) via crafted text nodes in an XML document, aka an XML Entity
Expansion (XEE) attack.
*(from redmine: issue id 2478, created on 2013-12-05, closed on 2013-12-10)*
* Relations:
* relates #2164

Milestone: Alpine 2.4.12
Assignee: Carlo Landmeter

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2484
[v2.4] Samba 4.1.3, 4.0.13 and 3.6.22 Security Releases (CVE-2013-4408, CVE-2012-6150)
Updated: 2019-07-23T14:15:35Z
Author: Natanael Copa

CVE-2013-4408 (DCE-RPC fragment length field is incorrectly checked) and
CVE-2012-6150 (pam_winbind login without require_membership_of restrictions).
o CVE-2013-4408:
Samba versions 3.4.0 and above (versions 3.4.0 - 3.4.17, 3.5.0 -
3.5.22, 3.6.0 - 3.6.21, 4.0.0 - 4.0.12 and including 4.1.2) are
vulnerable to buffer overrun exploits in the client processing of
DCE-RPC packets. This is due to incorrect checking of the DCE-RPC
fragment length in the client code.
This is a critical vulnerability as the DCE-RPC client code is part of
the winbindd authentication and identity mapping daemon, which is
commonly configured as part of many server installations (when joined
to an Active Directory Domain). A malicious Active Directory Domain
Controller or man-in-the-middle attacker impersonating an Active
Directory Domain Controller could achieve root-level access by
compromising the winbindd process.
Samba server versions 3.4.0 - 3.4.17 and versions 3.5.0 - 3.5.22 are
also vulnerable to a denial of service attack (server crash) due to a
similar error in the server code of those versions.
Samba server versions 3.6.0 and above (including all 3.6.x versions,
all 4.0.x versions and 4.1.x) are not vulnerable to this problem.
In addition range checks were missing on arguments returned from calls
to the DCE-RPC functions LookupSids (lsa and samr), LookupNames (lsa and samr)
and LookupRids (samr) which could also cause similar problems.
As this was found during an internal audit of the Samba code there are
no currently known exploits for this problem (as of December 9th 2013).
o CVE-2012-6150:
Winbind allows for the further restriction of authenticated PAM logins using
the require_membership_of parameter. System administrators may specify a list
of SIDs or groups for which an authenticated user must be a member of. If an
authenticated user does not belong to any of the entries, then login should
fail. Invalid group name entries are ignored.
Samba versions 3.3.10, 3.4.3, 3.5.0 and later incorrectly allow login from
authenticated users if the require_membership_of parameter specifies only
invalid group names.
This is a vulnerability with low impact. All require_membership_of group
names must be invalid for this bug to be encountered.
http://www.samba.org/samba/security/CVE-2013-4408
http://www.samba.org/samba/security/CVE-2012-6150
*(from redmine: issue id 2484, created on 2013-12-10, closed on 2013-12-14)*
* Relations:
* copied_to #2483
* parent #2480
* Changesets:
* Revision c814185629eb7f0e1166f5ba094e8402cefd1587 by Natanael Copa on 2013-12-10T11:56:57Z:
```
main/samba: security upgrade to 3.6.22 (CVE-2013-4408,CVE-2012-6150)
fixes #2484
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2497
[v2.4] CVE-2013-4388: vlc
Updated: 2019-07-23T14:15:23Z
Author: Alexander Belous

Buffer overflow in the mp4a packetizer (modules/packetizer/mpeg4audio.c)
in VideoLAN VLC Media Player before 2.0.8 allows remote attackers to
cause a denial of service (crash) and possibly execute arbitrary code
via unspecified vectors.
* MLIST: [oss-security] 20130930 Re: CVE request: VLC
* URL: http://www.openwall.com/lists/oss-security/2013/10/01/2
* CONFIRM: http://git.videolan.org/?p=vlc.git;a=commitdiff;h=9794ec1cd268c04c8bca13a5fae15df6594dff3e
* CONFIRM: http://www.videolan.org/developers/vlc-branch/NEWS
* OVAL: oval:org.mitre.oval:def:18086
* URL: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:18086
* SECTRACK: 1029120
* URL: http://www.securitytracker.com/id/1029120
*(from redmine: issue id 2497, created on 2013-12-16, closed on 2013-12-18)*
* Relations:
* parent #2496
* Changesets:
* Revision cc3f4224ce7233f854665cf9d3cc1f5e69863de0 by Natanael Copa on 2013-12-17T15:46:25Z:
```
main/vlc: security upgrade to 2.0.8 (CVE-2013-4388)
fixes #2497
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2501
[v2.4] MySQL: multiple vulnerabilities
Updated: 2019-07-23T14:15:19Z
Author: Alexander Belous

MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 5.2.15,
and 5.1.x before 5.1.68, and Oracle MySQL 5.1.69 and earlier, 5.5.31 and
earlier, and 5.6.11 and earlier allows remote attackers to cause a
denial of service (crash) via a crafted geometry feature that specifies
a large number of points, which is not properly handled when processing
the binary representation of this feature, related to a numeric
calculation error.
* MLIST: [Commits] 20130305 Rev 3682: TODO-424 geometry query crashes server. in file:///home/hf/wmar/todo-424/
* URL: http://lists.askmonty.org/pipermail/commits/2013-March/004371.html
* MLIST: [oss-security] 20130513 CVE-2013-1861 for MySQL/MariaDB: geometry query crashes mysqld
* URL: http://seclists.org/oss-sec/2013/q1/671
* MISC: https://bugzilla.redhat.com/show_bug.cgi?id=919247
* CONFIRM: https://mariadb.atlassian.net/browse/MDEV-4252
* CONFIRM: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
* SUSE: SUSE-SU-2013:1390
* URL: http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00022.html
* SUSE: openSUSE-SU-2013:1335
* URL: http://lists.opensuse.org/opensuse-updates/2013-08/msg00024.html
* SUSE: openSUSE-SU-2013:1410
* URL: http://lists.opensuse.org/opensuse-updates/2013-09/msg00008.html
* SUSE: SUSE-SU-2013:1529
* URL: http://lists.opensuse.org/opensuse-security-announce/2013-10/msg00001.html
* UBUNTU: USN-1909-1
* URL: http://www.ubuntu.com/usn/USN-1909-1
* BID: 58511
* URL: http://www.securityfocus.com/bid/58511
* OSVDB: 91415
* URL: http://www.osvdb.org/91415
* SECUNIA: 52639
* URL: http://secunia.com/advisories/52639
* SECUNIA: 54300
* URL: http://secunia.com/advisories/54300
* XF: mysql-mariadb-cve20131861-dos(82895)
* URL: http://xforce.iss.net/xforce/xfdb/82895
*(from redmine: issue id 2501, created on 2013-12-17, closed on 2014-01-15)*
* Relations:
* parent #2500
* Changesets:
* Revision ded73f38cb367c7750f158b96072458321250dcd on 2013-12-17T16:39:59Z:
```
main/mysql: security upgrade to 5.5.35 (CVE-2013-3783, CVE-2013-3793, CVE-2013-3802, CVE-2013-3804, CVE-2013-3809, CVE-2013-3812, CVE-2013-3839, CVE-2013-5807). Fixes #2501
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2504
[v2.4] asterisk: (1) Buffer Overflow and (2) User Dialplan Permission Escalation
Updated: 2019-07-23T14:15:16Z
Author: Alexander Belous

Asterisk Project Security Advisory - AST-2013-006
http://seclists.org/fulldisclosure/2013/Dec/139
Asterisk Project Security Advisory - AST-2013-007
http://seclists.org/fulldisclosure/2013/Dec/140
See the parent task for details.
*(from redmine: issue id 2504, created on 2013-12-17, closed on 2013-12-17)*
* Relations:
* parent #2503
* Changesets:
* Revision 8ccfac3c19cfd1a2f80b64df75042ddc765c6863 by Timo Teräs on 2013-12-17T13:00:31Z:
```
main/asterisk: security upgrade to 10.12.4
fixes #2504
AST-2013-002, CVE-2013-2686: DoS in HTTP server
AST-2013-003, CVE-2013-2264: Username disclosure in SIP
AST-2013-004: Remote Crash From Late Arriving SIP ACK With SDP
AST-2013-005: Remote Crash when Invalid SDP is sent in SIP Request
AST-2013-006: Buffer Overflow when receiving odd length 16 bit SMS message
AST-2013-007: Asterisk Manager User Dialplan Permission Escalation
```
Milestone: Alpine 2.4.12
Assignee: Timo Teräs

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2509
[v2.4] openssl: RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e
Updated: 2019-07-23T14:15:11Z
Author: Alexander Belous

Details: http://seclists.org/fulldisclosure/2013/Dec/99
Quote:
if you are using an application linked with openssl-1.0.1-beta1
through openssl-1.0.1e you should do one of the following:
a.) rebuild your OpenSSL with OPENSSL_NO_RDRAND defined.
b.) call RAND_set_rand_engine(NULL) after ENGINE_load_builtin_engines().
c.) git pull latest openssl with commit: "Don't use rdrand engine as
default unless explicitly requested." - Dr. Stephen Henson
the OPENSSL_NO_RDRAND option is recommended; an inadvertent call to
load engines elsewhere could re-enable this bad rng behavior.
Links:
0. “FreeBSD Developer Summit: Security Working Group, /dev/random”
https://wiki.freebsd.org/201309DevSummit/Security
1. “Surreptitiously Tampering with Computer Chips”
https://www.schneier.com/blog/archives/2013/09/surreptitiously.html
2. “How does the NSA break SSL? … Weak random number generators”
http://blog.cryptographyengineering.com/2013/12/how-does-nsa-break-ssl.html
*(from redmine: issue id 2509, created on 2013-12-17, closed on 2013-12-17)*
* Relations:
* parent #2508
* Changesets:
* Revision ea7fd685cead398be4ff7646c8add4258a78a98a by Timo Teräs on 2013-12-17T13:05:59Z:
```
main/openssl: don't use rdrand engine as default
As security measure, do not rely solely on hardware random source.
fixes #2509
(cherry picked from commit 1fd915b81678c58d35bf63761c260efd5362a93d)
Conflicts:
main/openssl/APKBUILD
```
Milestone: Alpine 2.4.12
Assignee: Timo Teräs

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2514
[v2.4] php: CVE-2013-6420 - memory corruption in openssl_x509_parse
Updated: 2019-07-23T14:15:06Z
Author: Alexander Belous

The vulnerability allows a remote attacker to execute any code on the
target system.
Affected versions: PHP 5.3.27, 5.4.22, 5.5.6 and all earlier versions.
CONFIRM:
http://git.php.net/?p=php-src.git;a=commit;h=c1224573c773b6845e83505f717fbf820fc18415
http://git.php.net/?p=php-src.git&a=search&h=HEAD&st=commit&s=Fix+CVE-2013-6420+-+memory+corruption+in+openssl_x509_parse
*(from redmine: issue id 2514, created on 2013-12-17, closed on 2013-12-18)*
* Relations:
* parent #2513
* Changesets:
* Revision 2c199d4b350b8684306b7df7858af39b1943aafb by Natanael Copa on 2013-12-17T16:17:08Z:
```
main/php: security upgrade to 5.3.28 (CVE-2013-6420)
fixes #2514
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2519
[v2.4] X.Org security advisory: CVE-2013-4396: Use after free in Xserver handling of ImageText requests
Updated: 2019-07-23T14:15:01Z
Author: Alexander Belous

X.Org Security Advisory: October 8, 2013 - CVE-2013-4396
Use after free in Xserver handling of ImageText requests
Description:
Pedro Ribeiro (pedrib at gmail.com) reported an issue to the X.Org security
team in which an authenticated X client can cause an X server to use memory
after it was freed, potentially leading to crash and/or memory corruption.
Affected Versions =
This bug appears to have been introduced in RCS version 1.42 on 1993/09/18,
and is thus believed to be present in every X server release starting with
X11R6.0 up to the current xorg-server 1.14.3. (Manual inspection shows it
is present in the sources from the X11R6 tarballs, but not in those from the
X11R5 tarballs.)
Fixes =
A fix is available via the attached patch, which is intended to be included
in xorg-server 1.15.0 and 1.14.4.
http://lists.x.org/archives/xorg-announce/2013-October/002332.html
*(from redmine: issue id 2519, created on 2013-12-17, closed on 2013-12-18)*
* Relations:
* parent #2518
* Changesets:
* Revision 24a2fe88462346b514b5ba28480573f7436673e7 by Natanael Copa on 2013-12-17T16:38:57Z:
```
main/xorg-server: security fix (CVE-2013-4396)
fixes #2519
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2542
[v2.4] kernel: memory leak (CVE-2013-4592)
Updated: 2019-07-23T14:14:46Z
Author: Alexander Belous

Memory leak in the __kvm_set_memory_region function in
virt/kvm/kvm_main.c in the Linux kernel before 3.9 allows local users
to cause a denial of service (memory consumption) by leveraging certain
device access to trigger movement of memory slots (CVE-2013-4592).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4592
*(from redmine: issue id 2542, created on 2014-01-07, closed on 2014-06-04)*
* Relations:
* parent #2541
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2545
[v2.4] kernel: multiple vulnerabilities
Updated: 2019-07-23T14:14:43Z
Author: Alexander Belous

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2930
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4514
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6381
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6383
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6763
*(from redmine: issue id 2545, created on 2014-01-07, closed on 2014-06-04)*
* Relations:
* parent #2544
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2551
[v2.4] links: CVE-2013-6050
Updated: 2019-07-23T14:14:38Z
Author: Alexander Belous

Integer overflow in Links before 2.8 allows remote attackers to cause a
denial of service (crash) via crafted HTML tables.
•MISC: http://links.twibright.com/download/ChangeLog
•DEBIAN:DSA-2807
•URL: http://www.debian.org/security/2013/dsa-2807
*(from redmine: issue id 2551, created on 2014-01-07, closed on 2014-01-17)*
* Relations:
* parent #2550
* Changesets:
* Revision 70463ed5403c6d48af291af6a5f44dd47c603727 by Natanael Copa on 2014-01-14T16:26:42Z:
```
main/links: security upgrade to 2.8 (CVE-2013-6050)
fixes #2551
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2555
[v2.4] pixman: integer underflow
Updated: 2019-07-23T14:14:33Z
Author: Alexander Belous

Package : pixman
Vulnerability : integer underflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-6425
Bryan Quigley discovered an integer underflow in Pixman which could lead
to denial of service or the execution of arbitrary code.
CONFIRM:
http://cgit.freedesktop.org/pixman/commit/?id=5e14da97f16e421d084a9e735be21b1025150f0c
http://seclists.org/oss-sec/2013/q4/399
*(from redmine: issue id 2555, created on 2014-01-07, closed on 2014-02-04)*
* Relations:
* parent #2554
* Changesets:
* Revision 25a0f4dddd65de1f4cd50b2bb3ec1b2fa8a74bb3 by Natanael Copa on 2014-01-14T15:55:46Z:
```
main/pixman: security fix for CVE-2013-6425
fixes #2555
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2562
[v2.4] curl: gnutls backend issue (CVE-2013-6422)
Updated: 2019-07-23T14:14:25Z
Author: Alexander Belous

The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling
digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables
the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which
makes it easier for remote attackers to spoof servers and conduct
man-in-the-middle (MITM) attacks.
•CONFIRM: http://curl.haxx.se/docs/adv_20131217.html
•DEBIAN:DSA-2824
•URL: http://www.debian.org/security/2013/dsa-2824
•UBUNTU:USN-2058-1
•URL: http://www.ubuntu.com/usn/USN-2058-1
*(from redmine: issue id 2562, created on 2014-01-08, closed on 2014-01-14)*
* Relations:
* parent #2561
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2572
[v2.4] nss: Mis-issued ANSSI/DCSSI certificate
Updated: 2019-07-23T14:14:15Z
Author: Alexander Belous

Impact: High
Announced: December 10, 2013
Reporter: Google
Google notified Mozilla that an intermediate certificate, which chains
up to a root included in Mozilla’s root store, was loaded into a
man-in-the-middle (MITM) traffic management device. This certificate was
issued by Agence nationale de la sécurité des systèmes d’information
(ANSSI), an agency of the French government and a certificate authority
in Mozilla’s root program. A subordinate certificate authority of ANSSI
mis-issued an intermediate certificate that they installed on a network
monitoring device, which enabled the device to act as a MITM proxy
performing traffic management of domain names or IP addresses that the
certificate holder did not own or control.
References:
http://www.mozilla.org/security/announce/2013/mfsa2013-117.html
https://hg.mozilla.org/projects/nss/rev/5a7944776645
https://rhn.redhat.com/errata/RHSA-2013-1861.html
*(from redmine: issue id 2572, created on 2014-01-08, closed on 2014-03-03)*
* Relations:
* parent #2571
* Changesets:
* Revision 474e2665c36421fbdf81f35c7e14a019195e6b9b by Natanael Copa on 2014-03-03T15:05:03Z:
```
main/nss: distrust mis-issued ANSSI/DCSSI cert
fixes #2572
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2577
[v2.4] ruby-i18n: CVE-2013-4492
Updated: 2019-07-23T14:14:09Z
Author: Alexander Belous

Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n
gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary
web script or HTML via a crafted I18n::MissingTranslationData.new call.
•MLIST:[ruby-security-ann] 20131203 [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails
•URL: https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ
•CONFIRM: http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
•CONFIRM: https://github.com/svenfuchs/i18n/commit/92b57b1e4f84adcdcc3a375278f299274be62445
•DEBIAN:DSA-2830
•URL: http://www.debian.org/security/2013/dsa-2830
•SUSE:openSUSE-SU-2013:1930
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00093.html
*(from redmine: issue id 2577, created on 2014-01-08, closed on 2014-06-04)*
* Relations:
* parent #2576
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2582
[v2.4] openssl: CVE-2013-4353 CVE-2013-6449 CVE-2013-6450
Updated: 2019-07-23T14:14:04Z
Author: Alexander Belous

The following revision fixes the issues mentioned below. Now it has been
applied only for v2.7 branch. To be applied also to the other ones:
https://bugs.alpinelinux.org/projects/alpine/repository/revisions/daf1071258d41b2e18b9603aab13a0812dcc5a03
Issues description:
TLS record tampering issue can lead to OpenSSL crash (CVE-2013-4353)
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before
1.0.2 obtains a certain version number from an incorrect data structure,
which allows remote attackers to cause a denial of service (daemon
crash) via crafted traffic from a TLS 1.2 client. (CVE-2013-6449)
•CONFIRM: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=ca989269a2876bae79393bd54c3e72d49975fc75
•CONFIRM: http://rt.openssl.org/Ticket/Display.html?id=3200&user=guest&pass=guest
•CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1045363
•CONFIRM: https://issues.apache.org/jira/browse/TS-2355
The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x
through 1.0.1e does not properly maintain data structures for digest and
encryption contexts, which might allow man-in-the-middle attackers to
trigger the use of a different context by interfering with packet
delivery, related to ssl/d1_both.c and ssl/t1_enc.c. (CVE-2013-6450)
•CONFIRM: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=34628967f1e65dc8f34e000f0f5518e21afbfc7b
•CONFIRM: https://security-tracker.debian.org/tracker/CVE-2013-6450
*(from redmine: issue id 2582, created on 2014-01-08, closed on 2014-02-04)*
* Relations:
* parent #2581
* Changesets:
* Revision 566868b54f5934c3805e86a40fb1ac254e22409e by Natanael Copa on 2014-01-14T14:53:07Z:
```
main/openssl: security upgrade to 1.0.1f (CVE-2013-4353,CVE-2013-6449,CVE-2013-6450)
fixes #2582
```
Milestone: Alpine 2.4.12
Assignee: Timo Teräs

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2586
[v2.4] libxfont: Stack buffer overflow in parsing of BDF font files (CVE-2013-6462)
Updated: 2019-07-23T14:14:00Z
Author: Alexander Belous

Scanning of the libXfont sources with the cppcheck static analyzer
included a report of:
[lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
scanf without field width limits can crash with huge input data.
Evaluation of this report by X.Org developers concluded that a BDF font
file containing a longer than expected string could overflow the buffer
on the stack. Testing in X servers built with Stack Protector resulted
in an immediate crash when reading a user-provided specially crafted font.
As libXfont is used to read user-specified font files in all X servers
distributed by X.Org, including the Xorg server which is often run with
root privileges or as setuid-root in order to access hardware, this bug
may lead to an unprivileged user acquiring root privileges in some systems.
Affected Versions =
This bug appears to have been introduced in the initial RCS version 1.1
checked in on 1991/05/10, and is thus believed to be present in every X11
release starting with X11R5 up to the current libXfont 1.4.6.
(Manual inspection shows it is present in the sources from the X11R5
tarballs, but not in those from the X11R4 tarballs.)
Fixes =
A fix is available via the attached patch, which is also included in
libXfont 1.4.7, released today, and available in the libXfont git repo:
http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=4d024ac10f964f6bd372ae0dd14f02772a6e5f63
References:
http://lists.x.org/archives/xorg-announce/2014-January/002389.html
http://seclists.org/bugtraq/2014/Jan/15
*(from redmine: issue id 2586, created on 2014-01-08, closed on 2014-02-04)*
* Relations:
* parent #2585
* Changesets:
* Revision a7ad4c16ff22a06c88ee37050fd0a82ea857734c by Natanael Copa on 2014-01-14T14:46:07Z:
```
main/libxfont: security upgrade to 1.4.7 (CVE-2013-6462)
fixes #2586
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2598
[v2.4] kernel: multiple vulnerabilities (before 3.12)
Updated: 2019-07-23T14:13:50Z
Author: Alexander Belous

Multiple vulnerabilities in kernel found (see the parent for details):
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6367
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7266
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7267
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7270
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7264
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7265
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7281
*(from redmine: issue id 2598, created on 2014-01-14, closed on 2014-04-17)*
* Relations:
* parent #2597
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2605
[v2.4] bind: defect in handling queries for NSEC3-signed zones (CVE-2014-0591)
Updated: 2019-07-23T14:13:43Z
Author: Alexander Belous

The query_findclosestnsec3 function in query.c in named in ISC BIND
9.6, 9.7, and 9.8 before 9.8.6-P2 and 9.9 before 9.9.4-P2, and 9.6-ESV
before 9.6-ESV-R10-P2, allows remote attackers to cause a denial of
service (INSIST assertion failure and daemon exit) via a crafted DNS
query to an authoritative nameserver that uses the NSEC3 signing feature.
CONFIRM: https://kb.isc.org/article/AA-01085
CONFIRM: https://kb.isc.org/article/AA-01078
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1051717
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0591
*(from redmine: issue id 2605, created on 2014-01-15, closed on 2014-02-04)*
* Relations:
* parent #2604
* Changesets:
* Revision ee78239969c5f8cd04ada611b76ac64eee6c3e9c by Natanael Copa on 2014-01-15T14:22:04Z:
```
main/bind: security upgrade to 9.9.4_p2 (CVE-2014-0591)
fixes #2605
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2619
[v2.4] nagios: remote DoS and leak (CVE-2013-7108 CVE-2013-7205)
Updated: 2019-07-23T14:13:30Z
Author: Alexander Belous

Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and
Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow
remote authenticated users to obtain sensitive information from process
memory or cause a denial of service (crash) via a long string in the
last key value in the variable list to the process_cgivars function in
(1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c,
(6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10)
summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer
over-read (CVE-2013-7108).
•MLIST:[oss-security] 20131224 Re: CVE request: denial of service in Nagios (process_cgivars())
•URL: http://www.openwall.com/lists/oss-security/2013/12/24/1
•CONFIRM: http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
•CONFIRM: https://dev.icinga.org/issues/5251
•CONFIRM: https://www.icinga.org/2013/12/17/icinga-security-releases-1-10-2-1-9-4-1-8-5/
•SUSE:openSUSE-SU-2014:0016
•URL: http://lists.opensuse.org/opensuse-updates/2014-01/msg00010.html
•SUSE:openSUSE-SU-2014:0039
•URL: http://lists.opensuse.org/opensuse-updates/2014-01/msg00028.html
•SUSE:openSUSE-SU-2014:0069
•URL: http://lists.opensuse.org/opensuse-updates/2014-01/msg00046.html
•SECUNIA:55976
•URL: http://secunia.com/advisories/55976
•SECUNIA:56316
•URL: http://secunia.com/advisories/56316
Off-by-one error in the process_cgivars function in contrib/daemonchk.c
in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated
users to obtain sensitive information from process memory or cause a
denial of service (crash) via a long string in the last key value in the
variable list, which triggers a heap-based buffer over-read
(CVE-2013-7205).
•MLIST:[oss-security] 20131224 Re: CVE request: denial of service in Nagios (process_cgivars())
•URL: http://www.openwall.com/lists/oss-security/2013/12/24/1
•CONFIRM: http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
•SECUNIA:55976
•URL: http://secunia.com/advisories/55976
*(from redmine: issue id 2619, created on 2014-02-04, closed on 2014-04-18)*
* Relations:
* parent #2618
* Changesets:
* Revision ea378e00bf8b68874150bc606edc6818b9ff233f by Natanael Copa on 2014-04-17T11:21:05Z:
```
main/nagios: security fix for CVE-2013-7108, CVE-2013-7205
fixes #2619
(cherry picked from commit 0fc285b2ea702c82941928cdfa4e521addba1705)
Conflicts:
main/nagios/APKBUILD
```
Milestone: Alpine 2.4.12
Assignee: Carlo Landmeter

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2625
[v2.4] memcached: remote DoS (CVE-2013-0179 CVE-2013-7239 CVE-2013-7290 CVE-2013-7291)
Updated: 2019-07-23T14:13:24Z
Author: Alexander Belous

The process_bin_delete function in memcached.c in memcached 1.4.4 and
other versions before 1.4.17, when running in verbose mode, allows
remote attackers to cause a denial of service (segmentation fault) via a
request to delete a key, which does not account for the lack of a null
terminator in the key and triggers a buffer over-read when printing to
stderr (CVE-2013-0179).
memcached before 1.4.17 allows remote attackers to bypass authentication
by sending an invalid request with SASL credentials, then sending
another request with incorrect SASL credentials (CVE-2013-7239).
The do_item_get function in items.c in memcached 1.4.4 and other
versions before 1.4.17, when running in verbose mode, allows remote
attackers to cause a denial of service (segmentation fault) via a
request to delete a key, which does not account for the lack of a null
terminator in the key and triggers a buffer over-read when printing to
stderr, a different vulnerability than CVE-2013-0179 (CVE-2013-7290).
memcached before 1.4.17, when running in verbose mode, allows remote
attackers to cause a denial of service (crash) via a request that
triggers an unbounded key print during logging, related to an issue that
was quickly grepped out of the source tree, a different vulnerability
than CVE-2013-0179 and CVE-2013-7290 (CVE-2013-7291).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7239
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7290
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7291
https://code.google.com/p/memcached/wiki/ReleaseNotes1417
*(from redmine: issue id 2625, created on 2014-02-04, closed on 2014-04-18)*
* Relations:
* parent #2624
* Changesets:
* Revision 4f87afbb1812c23f84b54f5cebde5a4d1e0f1aae by Natanael Copa on 2014-04-17T11:30:01Z:
```
main/memcached: security upgrade to 1.4.17 (CVE-2013-0179,CVE-2013-7239,CVE-2013-7290,CVE-2013-7291)
fixes #2625
(cherry picked from commit 01c5af01dadb92ad64c468444fcd4b58e00ccdc9)
Conflicts:
main/memcached/APKBUILD
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2634
[v2.4] libvirt: DoS (CVE-2013-6458 CVE-2014-1447)
Updated: 2019-07-23T14:13:19Z
Author: Alexander Belous

Multiple race conditions in the (1) virDomainBlockStats, (2)
virDomainGetBlockInf, (3) qemuDomainBlockJobImpl, and (4)
virDomainGetBlockIoTune functions in libvirt before 1.2.1 do not
properly verify that the disk is attached, which allows remote read-only
attackers to cause a denial of service (libvirtd crash) via the
virDomainDetachDeviceFlags command (CVE-2013-6458).
•CONFIRM: http://libvirt.org/news.html
•CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1043069
•DEBIAN:DSA-2846
•URL: http://www.debian.org/security/2014/dsa-2846
•SECUNIA:56186
•URL: http://secunia.com/advisories/56186
•SECUNIA:56446
•URL: http://secunia.com/advisories/56446
Race condition in the virNetServerClientStartKeepAlive function in
libvirt before 1.2.1 allows remote attackers to cause a denial of
service (libvirtd crash) by closing a connection before a keepalive
response is sent (CVE-2014-1447).
•CONFIRM: http://libvirt.org/news.html
•CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1047577
•DEBIAN:DSA-2846
•URL: http://www.debian.org/security/2014/dsa-2846
•SECUNIA:56321
•URL: http://secunia.com/advisories/56321
•SECUNIA:56446
•URL: http://secunia.com/advisories/56446
*(from redmine: issue id 2634, created on 2014-02-04, closed on 2014-06-04)*
* Relations:
* parent #2633
Milestone: Alpine 2.4.12
Assignee: Leonardo Arena

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2644
[v2.4] nss: man-in-the-middle SSL spoofing (CVE-2013-1740)
Updated: 2019-07-23T14:13:14Z
Author: Alexander Belous

The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla
Network Security Services (NSS) before 3.15.4, when the TLS False Start
feature is enabled, allows man-in-the-middle attackers to spoof SSL
servers by using an arbitrary X.509 certificate during certain handshake
traffic.
•CONFIRM: https://bugs.gentoo.org/show_bug.cgi?id=498172
•CONFIRM: https://bugzilla.mozilla.org/show_bug.cgi?id=919877
•CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1053725
•CONFIRM: https://developer.mozilla.org/docs/NSS/NSS_3.15.4_release_notes
•XF:mozilla-nss-cve20131740-info-disc(90394)
•URL: http://xforce.iss.net/xforce/xfdb/90394
*(from redmine: issue id 2644, created on 2014-02-04, closed on 2014-03-03)*
* Relations:
* parent #2643
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2649
[v2.4] php: remote DoS (CVE-2013-6712)
Updated: 2019-07-23T14:13:08Z
Author: Alexander Belous

The scan function in ext/date/lib/parse_iso_intervals.c in PHP through
5.5.6 does not properly restrict creation of DateInterval objects, which
might allow remote attackers to cause a denial of service (heap-based
buffer over-read) via a crafted interval specification.
•MISC: https://bugs.php.net/bug.php?id=66060
•CONFIRM: http://git.php.net/?p=php-src.git;a=commit;h=12fe4e90be7bfa2a763197079f68f5568a14e071
•SUSE:openSUSE-SU-2013:1963
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00125.html
•SUSE:openSUSE-SU-2013:1964
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00126.html
*(from redmine: issue id 2649, created on 2014-02-04, closed on 2014-03-05)*
* Relations:
* parent #2648
* Changesets:
* Revision 4bac042f438038d28cfeec08b87ed83b44c4be04 on 2014-03-05T11:35:58Z:
```
main/php: security fix CVE-2013-6712. Fixes #2649
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2654
[v2.4] cups: local leak (CVE-2013-6891)
Updated: 2019-07-23T14:13:03Z
Author: Alexander Belous

lppasswd in CUPS before 1.7.1, when running with setuid privileges,
allows local users to read portions of arbitrary files via a modified
HOME environment variable and a symlink attack involving
.cups/client.conf.
•CONFIRM: http://www.cups.org/blog.php?L704
•CONFIRM: http://www.cups.org/str.php?L4319
•UBUNTU:USN-2082-1
•URL: http://www.ubuntu.com/usn/USN-2082-1
•SECUNIA:56531
•URL: http://secunia.com/advisories/56531
*(from redmine: issue id 2654, created on 2014-02-04, closed on 2014-06-04)*
* Relations:
* parent #2653
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2659
[v2.4] net-snmp: remote DoS (CVE-2012-6151)
Updated: 2019-07-23T14:12:57Z
Author: Alexander Belous

Net-SNMP 5.7.1 and earlier, when AgentX is registering to handle a MIB
and processing GETNEXT requests, allows remote attackers to cause a
denial of service (crash or infinite loop, CPU consumption, and hang) by
causing the AgentX subagent to timeout.
•MLIST:[oss-security] 20131202 NMPD DoS #2411 snmpd crashes/hangs when AgentX subagent times-out
•URL: http://seclists.org/oss-sec/2013/q4/398
•MLIST:[oss-security] 20131202 Re: SNMPD DoS #2411 snmpd crashes/hangs when AgentX subagent times-out
•URL: http://seclists.org/oss-sec/2013/q4/415
•MISC: http://sourceforge.net/p/net-snmp/bugs/2411/
•CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1038007
•BID:64048
•URL: http://www.securityfocus.com/bid/64048
•XF:netsnmp-cve20126151-dos(89485)
•URL: http://xforce.iss.net/xforce/xfdb/89485
*(from redmine: issue id 2659, created on 2014-02-04, closed on 2014-03-05)*
* Relations:
* parent #2658
* Changesets:
* Revision e760d56c82e3b69f4ee2bc3f3790a63f01cdae49 on 2014-03-04T14:53:24Z:
```
main/net-snmp: security fix CVE-2012-6151. Fixes #2659
```
Milestone: Alpine 2.4.12
Assignee: Carlo Landmeter

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2664
[v2.4] elinks: does not properly verify SSL certificates
Updated: 2019-07-23T14:12:51Z
Author: Alexander Belous

When verifying SSL certificates, elinks fails to warn the user if the
hostname of the certificate does not match the hostname of the website.
Elinks 0.11.7 should be patched or upgraded to 0.12_pre6.
References:
https://bugs.mageia.org/show_bug.cgi?id=11460
http://repo.or.cz/w/elinks.git/shortlog/refs/tags/elinks-0.11.7
COMMIT: http://repo.or.cz/w/elinks.git/commitdiff/0c3f3e09
*(from redmine: issue id 2664, created on 2014-02-04, closed on 2014-03-05)*
* Relations:
* parent #2663
* Changesets:
* Revision 4fba92816c0e71757a88cc344de763867564d734 on 2014-03-04T13:42:25Z:
```
main/elinks: security fix. Fixes #2664
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2667
[v2.4] augeas: CVE-2012-0786 CVE-2012-0787 CVE-2013-6412
Updated: 2019-07-23T14:12:47Z
Author: Alexander Belous

Multiple flaws were found in the way Augeas handled configuration files
when updating them. An application using Augeas to update configuration
files in a directory that is writable by a different user (for
example, an application running as root that is updating files in a
directory owned by a non-root service user) could have been tricked into
overwriting arbitrary files or leaking information via a symbolic link
or mount point attack (CVE-2012-0786, CVE-2012-0787).
A flaw was found in the way Augeas handled certain umask settings when
creating new configuration files. This flaw could result in
configuration files being created as world writable, allowing
unprivileged local users to modify their content (CVE-2013-6412).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6412
https://rhn.redhat.com/errata/RHSA-2013-1537.html
https://rhn.redhat.com/errata/RHSA-2014-0044.html
*(from redmine: issue id 2667, created on 2014-02-04, closed on 2014-03-03)*
* Relations:
* parent #2666
* Changesets:
* Revision 934da98b301e08141380811b39affba078ff7118 by Natanael Copa on 2014-03-03T14:36:15Z:
```
main/augeas: security fix for CVE-2012-0786 and CVE-2012-0787
fixes #2667
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/2672
[v2.4] curl: can allow unauthorized disclosure and modification (CVE-2014-0015)
Updated: 2019-07-23T14:12:42Z
Author: Alexander Belous

curl and libcurl 7.10.6 through 7.34.0, when more than one
authentication method is enabled, re-uses NTLM connections, which might
allow context-dependent attackers to authenticate as other users via a
request.
CONFIRM: http://curl.haxx.se/docs/adv_20140129.html
DSA-2849: http://www.debian.org/security/2014/dsa-2849
SECUNIA: http://secunia.com/advisories/56734;
http://secunia.com/advisories/56728
*(from redmine: issue id 2672, created on 2014-02-04, closed on 2014-02-07)*
* Relations:
* parent #2671
* Changesets:
* Revision 1e27a0849ea60751372631fcc67912ba730269de by Natanael Copa on 2014-02-04T16:47:07Z:
```
main/curl: fix CVE-2014-0015
fixes #2672
```
Milestone: Alpine 2.4.12
Assignee: Natanael Copa