# aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
Feed updated: 2019-07-16T11:20:06Z

## [3.8] squid: XSS via user_name or auth parameter in cachemgr.cgi (CVE-2019-13345)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10668
Author: Alicha CH. Updated: 2019-07-16T11:20:06Z.

The cachemgr.cgi web module of Squid through 4.7 has
XSS via the user_name or auth parameter.
### References:
https://bugs.squid-cache.org/show_bug.cgi?id=4957
https://github.com/squid-cache/squid/pull/429
*(from redmine: issue id 10668, created on 2019-07-09)*
* Relations:
* parent #10664
* Changesets:
* Revision 61747ef7247b4805f9881eedd113c538e156376d by Natanael Copa on 2019-07-11T17:01:07Z:
```
main/squid: fix CVE-2019-13345
fixes #10668
```
Milestone: 3.8.5. Assignee: Natanael Copa.

## [3.8] irssi: Use after free when sending SASL login to the server (CVE-2019-13045)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10657
Author: Alicha CH. Updated: 2019-09-30T12:55:26Z.

Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, when SASL is enabled, has a use after free when sending SASL login to the server.
### Fixed In Version:
Irssi 1.0.8, 1.1.3, 1.2.1
### References:
https://irssi.org/security/irssi_sa_2019_06.txt
https://www.openwall.com/lists/oss-security/2019/06/29/1
*(from redmine: issue id 10657, created on 2019-07-04, closed on 2019-07-04)*
* Relations:
* parent #10653
* Changesets:
* Revision 470717992bc7a9e06596b94b80804747974518e7 by Natanael Copa on 2019-07-04T10:41:45Z:
```
main/irssi: security upgrade to 1.1.3 (CVE-2019-13045)
fixes #10657
```
Milestone: 3.8.5. Assignee: Natanael Copa.

## [3.8] bzip2: out-of-bounds write in function BZ2_decompress (CVE-2019-12900)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10646
Author: Alicha CH. Updated: 2019-07-23T11:06:17Z.

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-12900
https://security-tracker.debian.org/tracker/CVE-2019-12900
### Patch:
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
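The selector count that this issue is about is a 15-bit field in every bzip2 block header, so a scanner can read it without running the decompressor. The following is an added example, not bzip2 or aports code: it parses the first block header of a stream in the order decompress.c reads it, reports nGroups and nSelectors, and flags a count above BZ_MAX_SELECTORS (18002, the size of the decoder's selector array, which is the bound BZ2_decompress failed to enforce). The `crafted_header` helper constructs a truncated stream with an arbitrary selector count so the check can be exercised offline; `sample_stream` uses Python's own bz2 module for a benign input.

```python
# Added example, not bzip2 or aports code.
import bz2

BZ_MAX_SELECTORS = 18002         # selector array size in bzlib_private.h
BLOCK_MAGIC = 0x314159265359     # 48-bit block header magic


class BitReader:
    """MSB-first bit reader, the bit order bzip2 uses."""

    def __init__(self, data, byte_pos=0):
        self.data = data
        self.pos = byte_pos * 8

    def read(self, nbits):
        value = 0
        for _ in range(nbits):
            byte = self.data[self.pos >> 3]
            value = (value << 1) | ((byte >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return value


class BitWriter:
    """MSB-first bit writer, used only to construct a crafted block header."""

    def __init__(self):
        self.bits = []

    def write(self, value, nbits):
        self.bits.extend((value >> (nbits - 1 - i)) & 1 for i in range(nbits))

    def tobytes(self):
        bits = self.bits + [0] * (-len(self.bits) % 8)
        return bytes(sum(b << (7 - j) for j, b in enumerate(bits[i:i + 8]))
                     for i in range(0, len(bits), 8))


def first_block_selectors(stream):
    """Return (nGroups, nSelectors) from the first block header of a bzip2 stream."""
    if stream[:3] != b"BZh" or not 0x31 <= stream[3] <= 0x39:
        raise ValueError("not a bzip2 stream")
    br = BitReader(stream, 4)
    if br.read(48) != BLOCK_MAGIC:
        raise ValueError("first block header not found")
    br.read(32)                  # block CRC
    br.read(1)                   # randomised flag
    br.read(24)                  # origPtr
    in_use16 = br.read(16)       # which 16-symbol ranges are used
    for i in range(16):
        if in_use16 & (1 << (15 - i)):
            br.read(16)          # bitmap of the symbols in that range
    n_groups = br.read(3)
    n_selectors = br.read(15)
    return n_groups, n_selectors


def selectors_in_bounds(stream):
    """True when nSelectors fits the decoder's fixed-size selector array."""
    _, n_selectors = first_block_selectors(stream)
    return 1 <= n_selectors <= BZ_MAX_SELECTORS


def crafted_header(n_selectors):
    """Constructed, truncated stream whose first block claims n_selectors selectors."""
    bw = BitWriter()
    bw.write(BLOCK_MAGIC, 48)
    bw.write(0, 32)              # block CRC, irrelevant for the header check
    bw.write(0, 1)               # not randomised
    bw.write(0, 24)              # origPtr
    bw.write(0x8000, 16)         # only symbol range 0 in use
    bw.write(0x8000, 16)         # only symbol 0 of that range
    bw.write(2, 3)               # nGroups
    bw.write(n_selectors, 15)
    return b"BZh9" + bw.tobytes()


def sample_stream():
    """Benign stream produced by the stdlib compressor from constructed text."""
    return bz2.compress(b"constructed sample text\n" * 500)


if __name__ == "__main__":
    good = sample_stream()
    print("compressor output:", first_block_selectors(good), selectors_in_bounds(good))
    bad = crafted_header(32767)
    print("crafted header:", first_block_selectors(bad), selectors_in_bounds(bad))
```

Only the first block is inspected; a scanner for archives would loop until the end-of-stream magic (0x177245385090) and apply the same bound to every block.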
*(from redmine: issue id 10646, created on 2019-07-02, closed on 2019-07-09)*
* Relations:
* parent #10642
* Changesets:
* Revision 48ec283be13e799c70aae6c045c2c93e39d262a0 on 2019-07-04T19:26:46Z:
```
main/bzip2: add patch for CVE-2019-12900
Adding the upstream bzip2 security patch to fix the out of bounds security
vulnerability in bzip2.
fixes #10646
```
Milestone: 3.8.5. Assignee: Natanael Copa.

## [3.8] expat: large number of colons in input makes parser consume high amount of resources, leading to DoS (CVE-2018-20843)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10632
Author: Alicha CH. Updated: 2019-07-23T11:06:28Z.

In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).
### Fixed In Version:
expat 2.2.7
### References:
https://github.com/libexpat/libexpat/issues/186
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931031
*(from redmine: issue id 10632, created on 2019-06-28, closed on 2019-07-02)*
* Relations:
* parent #10629
* Changesets:
* Revision abd03a5937dcef5fe1be86ae1f9efa05beb2d3c6 by Natanael Copa on 2019-06-30T12:23:19Z:
```
main/expat: security upgrade to 2.2.7 (CVE-2018-20843)
fixes #10632
```
Milestone: 3.8.5. Assignee: Carlo Landmeter.

## [3.8] libvirt: Multiple vulnerabilities (CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10619
Author: Alicha CH. Updated: 2019-07-23T11:06:36Z.

CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API
-----------------------------------------------------------------------------
It was discovered that libvirtd would permit readonly clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs.
This vulnerability was first present in libvirt v0.9.4.
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://security-tracker.debian.org/tracker/CVE-2019-10161
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10161
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=aed6a032cead4386472afb24b16196579e239580
CVE-2019-10166: virDomainManagedSaveDefineXML API exposed to readonly clients
-----------------------------------------------------------------------------
It was discovered that libvirtd would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed.
This vulnerability was first present in libvirt v3.6.1.
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10166
https://security-tracker.debian.org/tracker/CVE-2019-10166
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=db0b78457f183e4c7ac45bc94de86044a1e2056a
CVE-2019-10167: arbitrary command execution via virConnectGetDomainCapabilities API
-----------------------------------------------------------------------------------
The virConnectGetDomainCapabilities() libvirt API accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://security-tracker.debian.org/tracker/CVE-2019-10167
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=8afa68bac0cf99d1f8aaa6566685c43c22622f26
CVE-2019-10168: arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs
-----------------------------------------------------------------------------------------------------------------------
The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs accept an "emulator" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10168
https://security-tracker.debian.org/tracker/CVE-2019-10168
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=bf6c2830b6c338b1f5699b095df36f374777b291
*(from redmine: issue id 10619, created on 2019-06-25, closed on 2019-07-04)*
* Relations:
* parent #10615
* Changesets:
* Revision 911332961e1fa7187cf3869595066bb18d226e27 by Francesco Colista on 2019-07-03T14:39:40Z:
```
main/libvirt: security upgrade to 5.5.0
(CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168)
Fixes #10619
```
Milestone: 3.8.5. Assignee: Francesco Colista.

## [3.8] glib: file permission vulnerability (CVE-2019-12450)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10577
Author: Alicha CH. Updated: 2019-07-23T11:06:54Z.

file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-12450
### Patch:
https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174
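The security-relevant point is ordering: if the destination is created with default (umask-derived) permissions and only chmod'ed to the source's mode after the last byte is written, a 0640 source is readable by everyone for the whole duration of the copy. The following is an added example, not GLib code: `weak_copy` reproduces that ordering, `safe_copy` creates the destination 0600 with O_EXCL and widens it only once the content is complete, and `observed_modes` copies a constructed file under a fixed umask and records the destination's mode after every chunk through a hook that stands in for a concurrent reader. Function names, chunk size and the sample payload are this example's own.

```python
# Added example, not GLib code.
import os
import stat
import tempfile

CHUNK = 4096


def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def _pump(fin, fout, dst, during_copy):
    while True:
        chunk = fin.read(CHUNK)
        if not chunk:
            return
        fout.write(chunk)
        fout.flush()
        if during_copy:
            during_copy(dst)      # hook standing in for a concurrent reader


def weak_copy(src, dst, during_copy=None):
    """Destination gets 0666 & ~umask at creation; the chmod happens last."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        _pump(fin, fout, dst, during_copy)
        os.fchmod(fout.fileno(), _mode(src))     # too late: data was already exposed


def safe_copy(src, dst, during_copy=None):
    """Create the destination 0600 and O_EXCL (no existing file or symlink is
    reused), copy, then apply the source mode once the content is complete."""
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as fout, open(src, "rb") as fin:
            _pump(fin, fout, dst, during_copy)
            os.fchmod(fout.fileno(), _mode(src))
    except BaseException:
        os.unlink(dst)           # never leave a half-written file behind
        raise


def observed_modes(copy_fn, umask=0o022, src_mode=0o640):
    """Copy a constructed file of mode src_mode with copy_fn under `umask` and
    return (distinct destination modes seen mid-copy, final destination mode)."""
    seen = []
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            src, dst = os.path.join(d, "src"), os.path.join(d, "dst")
            with open(src, "wb") as f:
                f.write(b"constructed secret payload\n" * 400)   # several chunks
            os.chmod(src, src_mode)
            copy_fn(src, dst, during_copy=lambda p: seen.append(_mode(p)))
            final = _mode(dst)
    finally:
        os.umask(old_umask)
    return sorted(set(seen)), final


if __name__ == "__main__":
    for name, fn in (("weak", weak_copy), ("safe", safe_copy)):
        during, final = observed_modes(fn)
        print(name, "mid-copy:", [oct(m) for m in during], "final:", oct(final))
```

Under umask 022 the weak variant shows 0644 while the copy is in flight and 0640 only at the end; the safe variant never shows anything wider than 0600 before the final mode. Running the weak variant under umask 077 hides the problem, which is why a check on copy routines should not rely on the caller's umask.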
*(from redmine: issue id 10577, created on 2019-06-14, closed on 2019-06-20)*
* Relations:
* parent #10574
* Changesets:
* Revision a59a37b197c56022525bbdcbec2d0b98b048883b by Natanael Copa on 2019-06-17T09:38:05Z:
```
main/glib: security fix for CVE-2019-12450
fixes #10577
```
Milestone: 3.8.5. Assignee: Natanael Copa.

## [3.8] dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (CVE-2019-12749)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10570
Author: Alicha CH. Updated: 2019-07-23T11:07:00Z.

dbus is the reference implementation of D-Bus, an asynchronous inter-process communication system commonly used for system services or within a desktop session on Linux and other operating systems.
Joe Vennix of Apple Information Security discovered an implementation flaw in the DBUS_COOKIE_SHA1 authentication mechanism. A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.
This vulnerability does not normally affect the standard system
dbus-daemon, which only allows the EXTERNAL authentication mechanism.
In supported branches of dbus it also does not normally affect the standard session dbus-daemon, for the same reason.
However, this vulnerability can affect third-party users of DBusServer (such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon instances, standard dbus-daemon instances with non-standard configuration, and the session bus in older/unsupported dbus branches (such as dbus 1.6.x in Ubuntu 14.04 LTS).
Vulnerable versions: all < 1.10.28, 1.12.x < 1.12.16, 1.13.x < 1.13.12
Fixed versions: all >= 1.13.12, 1.12.x >= 1.12.16, 1.10.x >= 1.10.28
### References:
https://gitlab.freedesktop.org/dbus/dbus/issues/269
http://www.openwall.com/lists/oss-security/2019/06/11/2
### Patch:
https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016
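The attack works because the server resolves `~/.dbus-keyrings` with the attacker's symlink in the path and then trusts what it finds there. The check a DBusServer needs before reading or writing cookies is the one below, written as an added example in Python (it is not dbus code and does not reproduce the upstream patch): examine the keyring directory with lstat rather than stat, refuse a symlink outright, and require that it is a directory owned by the uid being authenticated with no group or other permission bits. `demo` builds the three layouts under a temporary directory; the names and the `(ok, reason)` return shape are this example's own.

```python
# Added example, not dbus code.
import os
import stat
import tempfile


def keyring_dir_status(path, uid=None):
    """Return (ok, reason) for a DBUS_COOKIE_SHA1 keyring directory at `path`."""
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)               # lstat: a symlink is examined, never followed
    except FileNotFoundError:
        return False, "missing"
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"           # the attacker's ~/.dbus-keyrings trick
    if not stat.S_ISDIR(st.st_mode):
        return False, "not a directory"
    if st.st_uid != uid:
        return False, "owned by uid %d, expected %d" % (st.st_uid, uid)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        return False, "mode %o grants group/other access" % mode
    return True, "ok"


def demo():
    """Constructed layouts: a private dir, a symlink to it, a group-readable dir."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        private = os.path.join(d, "keyrings-private")
        os.mkdir(private)
        os.chmod(private, 0o700)          # explicit: mkdir's mode is subject to umask
        link = os.path.join(d, "keyrings-link")
        os.symlink(private, link)         # what a malicious home directory offers
        shared = os.path.join(d, "keyrings-shared")
        os.mkdir(shared)
        os.chmod(shared, 0o750)
        results["private"] = keyring_dir_status(private)
        results["symlink"] = keyring_dir_status(link)
        results["shared"] = keyring_dir_status(shared)
        results["wrong-uid"] = keyring_dir_status(private, uid=os.getuid() + 1)
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-10s %s" % (name, status))
```

The same lstat-then-validate rule applies to each cookie file inside the directory; a directory check alone does not stop a symlinked file placed in an otherwise private directory.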
*(from redmine: issue id 10570, created on 2019-06-13, closed on 2019-06-20)*
* Relations:
* parent #10567
* Changesets:
* Revision 7bcd4b5fb804992725b55d128d1c8f3dd87cb5c4 by Natanael Copa on 2019-06-17T09:54:14Z:
```
main/dbus: upgrade to 1.10.28 (CVE-2019-12749)
fixes #10570
```
Milestone: 3.8.5. Assignee: Natanael Copa.

## [3.8] libcroco: Multiple vulnerabilities (CVE-2017-7960, CVE-2017-7961, CVE-2017-8834, CVE-2017-8871)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10565
Author: Alicha CH. Updated: 2019-07-23T10:34:17Z.

CVE-2017-7960: The cr_input_new_from_uri function in cr-input.c in libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted CSS file.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2017-7960
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394
CVE-2017-7961: The cr_tknzr_parse_rgb function in cr-tknzr.c in libcroco 0.6.11 and 0.6.12 has an "outside the range of representable values of type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted CSS file.
### References:
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
### Patch:
https://git.gnome.org/browse/libcroco/commit/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7
CVE-2017-8834: The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 allows remote attackers to cause a denial of service (memory allocation error) via a crafted CSS file.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=782647
https://nvd.nist.gov/vuln/detail/CVE-2017-8834
CVE-2017-8871: The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted CSS file.
### References:
https://bugzilla.gnome.org/show_bug.cgi?id=782649
https://nvd.nist.gov/vuln/detail/CVE-2017-8871
*(from redmine: issue id 10565, created on 2019-06-13)*
* Relations:
* parent #10563

Milestone: 3.8.5. Assignee: Leo.

## [3.8] py-django: AdminURLFieldWidget XSS (CVE-2019-12308)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10560
Author: Alicha CH. Updated: 2019-07-23T11:07:07Z.

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.
### Fixed In Version:
Django 2.2.2, Django 2.1.9, Django 1.11.21
### References:
https://docs.djangoproject.com/en/dev/releases/1.11.21/
https://www.openwall.com/lists/oss-security/2019/06/03/2
### Patch:
https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b
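HTML-escaping the value is not enough here: `javascript:alert(1)` survives escaping unchanged and is still executed when the link is clicked. What the widget lacked is a decision, made before rendering, that the value is a URL with a scheme the link is meant to carry. The following is an added example, not Django code: `safe_href` accepts only http, https, ftp and ftps URLs with a host (the scheme list Django's URLValidator accepts by default), after stripping the surrounding whitespace and control characters that browsers also ignore when they resolve a scheme, and `render_current_url` falls back to plain escaped text for anything else. Function names and the rendered markup are this example's own.

```python
# Added example, not Django code.
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https", "ftp", "ftps")


def safe_href(value):
    """Return the value if it may be used as an href, otherwise None."""
    if not isinstance(value, str):
        return None
    # Browsers drop leading/trailing whitespace and embedded control
    # characters before looking at the scheme ("java\tscript:" still runs),
    # so normalise the same way before classifying.
    candidate = "".join(ch for ch in value.strip() if ord(ch) > 0x1F)
    try:
        parts = urlsplit(candidate)
    except ValueError:           # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


def render_current_url(value):
    """HTML for the widget's 'Currently:' line: a link only when safe_href agrees."""
    url = safe_href(value)
    if url is None:
        return "Currently: %s" % html.escape(str(value))
    escaped = html.escape(url)
    return 'Currently: <a href="%s">%s</a>' % (escaped, escaped)


if __name__ == "__main__":
    for v in ("https://example.com/path?q=1",
              "javascript:alert(document.domain)",
              "  JaVaScRiPt:alert(1)",
              "java\tscript:alert(1)",
              "data:text/html,<script>alert(1)</script>",
              "//example.com"):
        print(repr(v), "->", render_current_url(v))
```

Rejecting the scheme-less `//example.com` form is deliberate: a protocol-relative link inherits the page's scheme and is a legitimate URL, but it is not what a URL field stored, and an allowlist of absolute schemes is simpler to reason about than a denylist of dangerous ones.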
*(from redmine: issue id 10560, created on 2019-06-13, closed on 2019-06-26)*
* Relations:
* parent #10557
* Changesets:
* Revision ece4776819ab6ba9289ec3478766b5298bbcfa86 by Natanael Copa on 2019-06-25T21:08:37Z:
```
main/py-django: security upgrade to 1.11.21 (CVE-2019-12308)
fixes #10560
```
Milestone: 3.8.5. Assignee: Natanael Copa.

## [3.8] heimdal: man-in-the-middle attack in function krb5_init_creds_step in lib/krb5/init_creds_pw.c (CVE-2019-12098)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10554
Author: Alicha CH. Updated: 2019-07-16T11:24:11Z.

In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.
### References:
http://www.h5l.org/pipermail/heimdal-announce/2019-May/000009.html
https://nvd.nist.gov/vuln/detail/CVE-2019-12098
### Patch:
Fixed by:
https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf
(7.6.0)
Introduced by:
https://github.com/heimdal/heimdal/commit/a1ef548600c5bb51cf52a9a9ea12676506ede19f
(1.4.0)
*(from redmine: issue id 10554, created on 2019-06-12)*
* Relations:
* parent #10551
* Changesets:
* Revision e8ebbb3123154e0d2dfd574d9eea59dd51ffe205 by Natanael Copa on 2019-07-11T16:12:06Z:
```
main/heimdal: security fix for CVE-2019-12098
fixes #10554
```
Milestone: 3.8.5. Assignee: Natanael Copa.

## [3.8] sqlite: Multiple vulnerabilities (CVE-2019-5018, CVE-2019-8457)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10539
Author: Alicha CH. Updated: 2019-07-24T06:57:17Z.

CVE-2019-5018: use-after-free in window function leading to remote code execution
---------------------------------------------------------------------------------
An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.
### References:
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777
https://nvd.nist.gov/vuln/detail/CVE-2019-5018
CVE-2019-8457: heap out-of-bound read in function rtreenode()
-------------------------------------------------------------
SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.
### References:
https://www.sqlite.org/releaselog/3_28_0.html
https://nvd.nist.gov/vuln/detail/CVE-2019-8457
### Patch:
https://www.sqlite.org/src/info/90acdbfce9c08858
*(from redmine: issue id 10539, created on 2019-06-05)*
* Relations:
* parent #10537

Milestone: 3.8.5. Assignee: Leo.

## publish proj4 version 5.2.0 to main channel
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10528
Author: Jonas Liljestrand. Updated: 2019-11-24T20:08:12Z.

Hi,
We have been fetching proj4 version 5.2.0 from the testing channel.
This version was removed by this commit
https://git.alpinelinux.org/aports/commit/?id=86d8d20e2565125c3ddce628f3dedd7c5aa5dfda
I’m wondering if it’s possible to publish version 5.2.0 in the main
channel? And can I help to make that happen?
*(from redmine: issue id 10528, created on 2019-05-31)*

Milestone: 3.8.5.

## [3.8] libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion (CVE-2018-1000654)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10520
Author: Alicha CH. Updated: 2019-07-24T10:30:45Z.

The ASN.1 library used in GNUTLS (libtasn1) through versions 4.13 allows for an infinite loop due to an issue in the _asn1_expand_object_id(p_tree) function. An attacker could exploit this via a crafted ASN.1 structure to cause high CPU usage until a resultant out-of-memory error.
### References:
https://gitlab.com/gnutls/libtasn1/issues/4
https://nvd.nist.gov/vuln/detail/CVE-2018-1000654
*(from redmine: issue id 10520, created on 2019-05-31)*
* Relations:
* parent #10517

Milestone: 3.8.5. Assignee: Leo.

## [3.8] heimdal: S4U2Self with unkeyed checksum (CVE-2018-16860)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10513
Author: Alicha CH. Updated: 2019-07-23T11:07:22Z.

S4U2Self is an extension to Kerberos used in Active Directory to allow a service to request a Kerberos ticket to itself from the Kerberos Key Distribution Center (KDC) for a non-Kerberos authenticated user (principal in Kerberos parlance). This is useful to allow internal code paths to be standardized around Kerberos.
S4U2Proxy (constrained-delegation) is an extension of this mechanism
allowing this impersonation to a second service over the network. It
allows a privileged server that obtained a S4U2Self ticket to itself
to then assert the identity of that principal to a second service and
present itself as that principal to get services from the second
service.
There is a flaw in Samba’s AD DC in the Heimdal KDC. When the Heimdal
KDC checks the checksum that is placed on the S4U2Self packet by the
server to protect the requested principal against modification, it
does not confirm that the checksum algorithm that protects the user
name (principal) in the request is keyed. This allows a
man-in-the-middle attacker who can intercept the request to the KDC to
modify the packet by replacing the user name (principal) in the
request with any desired user name (principal) that exists in the KDC
and replace the checksum protecting that name with a CRC32 checksum
(which requires no prior knowledge to compute).
This would allow a S4U2Self ticket requested on behalf of user name
(principal) user@EXAMPLE.COM to any service to be changed to a
S4U2Self ticket with a user name (principal) of
Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
the modified user name (principal).
### Affected Versions:
All releases of Heimdal from 0.8 up to and including 7.5.0
### References:
https://github.com/heimdal/heimdal/commit/c6257cc2c842c0faaeb4ef34e33890ee88c4cbba
https://www.samba.org/samba/security/CVE-2018-16860.html
### Patch:
https://github.com/heimdal/heimdal/commit/c6257cc2c842c0faaeb4ef34e33890ee88c4cbba
*(from redmine: issue id 10513, created on 2019-05-30, closed on 2019-06-05)*
* Relations:
* parent #10510
* Changesets:
* Revision 5ee28b356b1b4aebf9d9fafa32c82c7519cbecd9 on 2019-06-04T14:27:17Z:
```
main/heimdal: security fix (CVE-2018-16860)
Fixes #10513
Remove unused patch, clarify license
```
Milestone: 3.8.5. Assignee: Natanael Copa.

## [3.8] samba: S4U2Self with unkeyed checksum (CVE-2018-16860)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10508
Author: Alicha CH. Updated: 2019-07-23T11:07:26Z.

S4U2Self is an extension to Kerberos used in Active Directory to allow a service to request a Kerberos ticket to itself from the Kerberos Key Distribution Center (KDC) for a non-Kerberos authenticated user (principal in Kerberos parlance). This is useful to allow internal code paths to be standardized around Kerberos.
S4U2Proxy (constrained-delegation) is an extension of this mechanism
allowing this impersonation to a second service over the network. It
allows a privileged server that obtained a S4U2Self ticket to itself
to then assert the identity of that principal to a second service and
present itself as that principal to get services from the second
service.
There is a flaw in Samba’s AD DC in the Heimdal KDC. When the Heimdal
KDC checks the checksum that is placed on the S4U2Self packet by the
server to protect the requested principal against modification, it
does not confirm that the checksum algorithm that protects the user
name (principal) in the request is keyed. This allows a
man-in-the-middle attacker who can intercept the request to the KDC to
modify the packet by replacing the user name (principal) in the
request with any desired user name (principal) that exists in the KDC
and replace the checksum protecting that name with a CRC32 checksum
(which requires no prior knowledge to compute).
This would allow a S4U2Self ticket requested on behalf of user name
(principal) user@EXAMPLE.COM to any service to be changed to a
S4U2Self ticket with a user name (principal) of
Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
the modified user name (principal).
### Fixed In Version:
samba 4.8.12, samba 4.9.8 and samba 4.10.3
### References:
https://www.samba.org/samba/security/CVE-2018-16860.html
https://www.samba.org/samba/history/security.html
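The flaw described in this issue and in the Heimdal issue above is not a broken checksum but a missing question: the KDC recomputed whichever checksum type the request named and compared, so a CRC32 that anyone can compute was as good as an HMAC keyed with the service's session key. The following is an added example, not Heimdal, Samba or aports code, with both verifiers side by side. The checksum type numbers are the RFC 3961, RFC 3962, RFC 4757 and RFC 8009 values; the keyed checksum is HMAC-MD5 over a constructed serialisation of the PA-FOR-USER name fields (simplified from the RFC 4757 construction and the exact MS-SFU encoding), zlib's CRC stands in for Kerberos CRC32, and the session key and principal names are made up.

```python
# Added example, not Heimdal, Samba or aports code.
import hashlib
import hmac
import zlib

# Kerberos checksum types. Unkeyed: anyone can compute them over chosen data.
CRC32 = 1                 # RFC 3961
RSA_MD5 = 7               # RFC 3961
SHA1_UNKEYED = 14         # RFC 3961
# Keyed: computing one requires the session key.
HMAC_SHA1_96_AES128 = 15  # RFC 3962
HMAC_SHA1_96_AES256 = 16  # RFC 3962
HMAC_SHA256_128_AES128 = 19   # RFC 8009
HMAC_SHA384_192_AES256 = 20   # RFC 8009
HMAC_MD5 = -138           # RFC 4757 (RC4-HMAC), used by S4U2Self PA-FOR-USER

KEYED_TYPES = {HMAC_SHA1_96_AES128, HMAC_SHA1_96_AES256,
               HMAC_SHA256_128_AES128, HMAC_SHA384_192_AES256, HMAC_MD5}


def encode_for_user(principal, realm):
    """Constructed, deterministic serialisation of the PA-FOR-USER name fields."""
    return principal.encode() + b"\x00" + realm.encode() + b"\x00" + b"Kerberos"


def checksum(cktype, key, data):
    """Compute a checksum of the given type; only the keyed type uses `key`."""
    if cktype == HMAC_MD5:
        return hmac.new(key, data, hashlib.md5).digest()
    if cktype == CRC32:
        return zlib.crc32(data).to_bytes(4, "little")
    raise ValueError("unsupported checksum type %d" % cktype)


def make_request(principal, realm, session_key):
    """Service side: PA-FOR-USER with a keyed checksum over the name."""
    data = encode_for_user(principal, realm)
    return {"principal": principal, "realm": realm,
            "cktype": HMAC_MD5, "cksum": checksum(HMAC_MD5, session_key, data)}


def tamper(request, new_principal):
    """Man in the middle: swap the name and attach a CRC32 it can compute itself."""
    data = encode_for_user(new_principal, request["realm"])
    return {"principal": new_principal, "realm": request["realm"],
            "cktype": CRC32, "cksum": checksum(CRC32, b"", data)}


def kdc_verify_vulnerable(request, session_key):
    """Pre-fix logic: recompute whatever type the request names and compare."""
    data = encode_for_user(request["principal"], request["realm"])
    expected = checksum(request["cktype"], session_key, data)
    return hmac.compare_digest(expected, request["cksum"])


def kdc_verify_fixed(request, session_key):
    """Post-fix logic: a checksum that does not involve the key proves nothing."""
    if request["cktype"] not in KEYED_TYPES:
        return False
    return kdc_verify_vulnerable(request, session_key)


if __name__ == "__main__":
    key = b"\x11" * 16                      # made-up TGT session key
    req = make_request("user", "EXAMPLE.COM", key)
    evil = tamper(req, "Administrator")
    print("honest request:   vulnerable=%s fixed=%s"
          % (kdc_verify_vulnerable(req, key), kdc_verify_fixed(req, key)))
    print("tampered request: vulnerable=%s fixed=%s"
          % (kdc_verify_vulnerable(evil, key), kdc_verify_fixed(evil, key)))
```

The tampered request passes the vulnerable verifier and would yield a ticket, and therefore a PAC, for Administrator@EXAMPLE.COM; the fixed verifier rejects it before looking at the bytes. Note that simply replacing the principal while keeping the original HMAC fails in both verifiers, which is why the attacker has to downgrade the checksum type rather than forge the keyed value.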
*(from redmine: issue id 10508, created on 2019-05-30, closed on 2019-06-05)*
* Relations:
* parent #10506
* Changesets:
* Revision 62d88ba3b7c2ed610aaf68d2a5a5956f6e702708 on 2019-06-05T06:27:09Z:
```
main/samba: security upgrade to 4.8.12 (CVE-2018-16860)
Fixes #10508
```
Milestone: 3.8.5. Assignee: Natanael Copa.

## [3.8] curl: Multiple vulnerabilities (CVE-2019-5435, CVE-2019-5436)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10498
Author: Alicha CH. Updated: 2019-07-12T15:48:25Z.

CVE-2019-5435: Integer overflows in curl_url_set()
----------------------------------------------------
libcurl contains two integer overflows in the curl_url_set() function that, if triggered, can lead to a too small buffer allocation and a subsequent heap buffer overflow.
Affected versions: libcurl 7.62.0 to and including 7.64.1
Not affected versions: libcurl < 7.62.0 and >= libcurl 7.65.0
### Reference:
https://curl.haxx.se/docs/CVE-2019-5435.html
### Patch:
https://github.com/curl/curl/commit/5fc28510a4664f4
CVE-2019-5436: TFTP receive buffer overflow
-------------------------------------------
libcurl contains a heap buffer overflow in the function (tftp_receive_packet()) that receives data from a TFTP server. It calls recvfrom() with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is entirely controlled by the server.
The flaw exists if the user selects to use a "blksize" of 504 or smaller (default is 512). The smaller the size that is used, the larger the possible overflow becomes. Users choosing a smaller size than default should be rare as the primary use case for changing the size is to make it larger.
Affected versions: libcurl 7.19.4 to and including 7.64.1
Not affected versions: libcurl < 7.19.4 and >= libcurl 7.65.0
### Reference:
https://curl.haxx.se/docs/CVE-2019-5436.html
### Patch:
https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275
*(from redmine: issue id 10498, created on 2019-05-28, closed on 2019-06-05)*
* Relations:
* parent #10496

Milestone: 3.8.5. Assignee: Natanael Copa.

## Backport HylafaxPlus
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10495
Author: Francesco Colista. Updated: 2019-07-23T11:07:37Z.

Please backport this to 3.8 and 3.9, since I need to use this in
production, and I cannot upgrade to edge.
Moreover, I’m available to maintain longer than the latest release.
*(from redmine: issue id 10495, created on 2019-05-28, closed on 2019-05-28)*

Milestone: 3.8.5. Assignee: Francesco Colista.

## [3.8] monit: Multiple vulnerabilities (CVE-2019-11454, CVE-2019-11455)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10493
Author: Alicha CH. Updated: 2019-07-23T11:07:39Z.

CVE-2019-11454: cross-site scripting (XSS) in http/cervlet.c
------------------------------------------------------------
Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation.
### References:
https://github.com/dzflack/exploits/blob/master/unix/monit_xss.py
https://nvd.nist.gov/vuln/detail/CVE-2019-11454
### Patches:
https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c
CVE-2019-11455: buffer over-read in function Util_urlDecode in util.c
----------------------------------------------------------------------
A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit
before 5.25.3 allows a remote authenticated attacker to retrieve the
contents of adjacent memory via manipulation of GET or POST parameters.
The attacker can also cause a denial of service (application outage).
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11455
### Patch:
https://bitbucket.org/tildeslash/monit/commits/f12d0cdb42d4e74dffe1525d4062c815c48ac57a
*(from redmine: issue id 10493, created on 2019-05-28, closed on 2019-06-05)*
* Relations:
* parent #10491
* Changesets:
* Revision 8ae19acb1269f568cc856f52a50234227872b0bd on 2019-06-05T13:42:06Z:
```
main/monit: upgrade to 5.25.2, security fixes
CVE-2019-11454, CVE-2019-11455
Fixes #10493
```
Milestone: 3.8.5. Assignee: Natanael Copa.

## [3.8] libjpeg-turbo: denial of service in get_8bit_row in rdbmp.c (CVE-2018-14498)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10436
Author: Alicha CH. Updated: 2019-07-23T10:32:30Z.

get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.
### References:
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/258
https://nvd.nist.gov/vuln/detail/CVE-2018-14498
### Patch:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9c78a04df4e44ef6487eee99c4258397f4fdca55
*(from redmine: issue id 10436, created on 2019-05-09)*
* Relations:
* parent #10306

Milestone: 3.8.5. Assignee: Leo.

## [3.8] perl-email-address: DOS vulnerability in perl module Email::Address (CVE-2018-12558)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10433
Author: Alicha CH. Updated: 2019-07-23T11:10:04Z.

The parse() method in the Email::Address module through 1.909 for Perl is vulnerable to algorithmic complexity on specially prepared input, leading to denial of service. Prepared special input that caused this problem contained 30 form-feed characters ("\f").
### References:
https://nvd.nist.gov/vuln/detail/CVE-2018-12558
https://www.openwall.com/lists/oss-security/2018/06/19/3
### Patch:
https://github.com/Perl-Email-Project/Email-Address/commit/aeaf0d7f1b0897b54cb246b8ac15d3ef177e5cae
*(from redmine: issue id 10433, created on 2019-05-09, closed on 2019-06-06)*
* Relations:
* parent #10430
* Changesets:
* Revision 7def72e88762d07dcb50382ca5266d0f83b38cce on 2019-06-05T12:33:34Z:
```
main/perl-email-address: security upgrade to 1.912 (CVE-2018-12558)
Fixes #10433
```
Milestone: 3.8.5. Assignee: Natanael Copa.