alpine issueshttps://gitlab.alpinelinux.org/groups/alpine/-/issues2019-07-23T13:58:29Zhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3734[v3.0] pcre: heap buffer overflow (CVE-2014-8964)2019-07-23T13:58:29ZAlexander Belous[v3.0] pcre: heap buffer overflow (CVE-2014-8964)Heap-based buffer overflow in PCRE 8.36 and earlier allows remote
attackers to cause a denial of service (crash) or have other unspecified
impact via a crafted regular expression, related to an assertion that
allows zero repeats.
•MLIST...Heap-based buffer overflow in PCRE 8.36 and earlier allows remote
attackers to cause a denial of service (crash) or have other unspecified
impact via a crafted regular expression, related to an assertion that
allows zero repeats.
•MLIST:\[oss-security\] 20141121 Re: CVE request: heap buffer overflow
in PCRE
•URL: http://www.openwall.com/lists/oss-security/2014/11/21/6
•CONFIRM: http://bugs.exim.org/show\_bug.cgi?id=1546
•CONFIRM: http://www.exim.org/viewvc/pcre?view=revision&revision=1513
•CONFIRM: https://bugzilla.redhat.com/show\_bug.cgi?id=1166147
•FEDORA:FEDORA-2014-15573
•URL:
http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145843.html
http://seclists.org/oss-sec/2014/q4/746
*(from redmine: issue id 3734, created on 2015-01-23, closed on 2015-08-07)*
* Relations:
* parent #3731
* Changesets:
* Revision 41732b78666fd19ade073152d29ebf8e01f32a7c by Natanael Copa on 2015-08-07T14:36:29Z:
```
main/pcre: security fix for CVE-2014-8964
ref #3731
fixes #3734
```3.0.7Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3733[v2.7] pcre: heap buffer overflow (CVE-2014-8964)2019-07-23T13:58:30ZAlexander Belous[v2.7] pcre: heap buffer overflow (CVE-2014-8964)Heap-based buffer overflow in PCRE 8.36 and earlier allows remote
attackers to cause a denial of service (crash) or have other unspecified
impact via a crafted regular expression, related to an assertion that
allows zero repeats.
•MLIST...Heap-based buffer overflow in PCRE 8.36 and earlier allows remote
attackers to cause a denial of service (crash) or have other unspecified
impact via a crafted regular expression, related to an assertion that
allows zero repeats.
•MLIST:\[oss-security\] 20141121 Re: CVE request: heap buffer overflow
in PCRE
•URL: http://www.openwall.com/lists/oss-security/2014/11/21/6
•CONFIRM: http://bugs.exim.org/show\_bug.cgi?id=1546
•CONFIRM: http://www.exim.org/viewvc/pcre?view=revision&revision=1513
•CONFIRM: https://bugzilla.redhat.com/show\_bug.cgi?id=1166147
•FEDORA:FEDORA-2014-15573
•URL:
http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145843.html
http://seclists.org/oss-sec/2014/q4/746
*(from redmine: issue id 3733, created on 2015-01-23, closed on 2015-08-07)*
* Relations:
* parent #3731
* Changesets:
* Revision 75e0c2eedee7d425dde5ea121e5919bc9f00347e by Natanael Copa on 2015-08-07T14:55:46Z:
```
main/pcre: security fix for CVE-2014-8964
ref #3731
fixes #3733
Conflicts:
main/pcre/APKBUILD
```Alpine 2.7.10Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3732[v2.6] pcre: heap buffer overflow (CVE-2014-8964)2019-07-23T13:58:31ZAlexander Belous[v2.6] pcre: heap buffer overflow (CVE-2014-8964)Heap-based buffer overflow in PCRE 8.36 and earlier allows remote
attackers to cause a denial of service (crash) or have other unspecified
impact via a crafted regular expression, related to an assertion that
allows zero repeats.
•MLIST...Heap-based buffer overflow in PCRE 8.36 and earlier allows remote
attackers to cause a denial of service (crash) or have other unspecified
impact via a crafted regular expression, related to an assertion that
allows zero repeats.
•MLIST:\[oss-security\] 20141121 Re: CVE request: heap buffer overflow
in PCRE
•URL: http://www.openwall.com/lists/oss-security/2014/11/21/6
•CONFIRM: http://bugs.exim.org/show\_bug.cgi?id=1546
•CONFIRM: http://www.exim.org/viewvc/pcre?view=revision&revision=1513
•CONFIRM: https://bugzilla.redhat.com/show\_bug.cgi?id=1166147
•FEDORA:FEDORA-2014-15573
•URL:
http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145843.html
http://seclists.org/oss-sec/2014/q4/746
*(from redmine: issue id 3732, created on 2015-01-23, closed on 2015-08-07)*
* Relations:
* parent #3731Alpine 2.6.7Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3731pcre: heap buffer overflow (CVE-2014-8964)2019-07-23T13:58:32ZAlexander Belouspcre: heap buffer overflow (CVE-2014-8964)Heap-based buffer overflow in PCRE 8.36 and earlier allows remote
attackers to cause a denial of service (crash) or have other unspecified
impact via a crafted regular expression, related to an assertion that
allows zero repeats.
•MLIST...Heap-based buffer overflow in PCRE 8.36 and earlier allows remote
attackers to cause a denial of service (crash) or have other unspecified
impact via a crafted regular expression, related to an assertion that
allows zero repeats.
•MLIST:\[oss-security\] 20141121 Re: CVE request: heap buffer overflow
in PCRE
•URL: http://www.openwall.com/lists/oss-security/2014/11/21/6
•CONFIRM: http://bugs.exim.org/show\_bug.cgi?id=1546
•CONFIRM: http://www.exim.org/viewvc/pcre?view=revision&revision=1513
•CONFIRM: https://bugzilla.redhat.com/show\_bug.cgi?id=1166147
•FEDORA:FEDORA-2014-15573
•URL:
http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145843.html
http://seclists.org/oss-sec/2014/q4/746
*(from redmine: issue id 3731, created on 2015-01-23, closed on 2015-08-07)*
* Relations:
* child #3732
* child #3733
* child #3734
* child #3735
* Changesets:
* Revision 656ff36b75f24b7f58cdc79362a8a975460fb1db by Natanael Copa on 2015-01-25T11:30:30Z:
```
main/pcre: security fix for CVE-2014-8964
ref #3731
```
* Revision 532e5884b65be54776bd7dbf51d207a3962e5694 by Natanael Copa on 2015-01-25T11:35:54Z:
```
main/pcre: security fix for CVE-2014-8964
ref #3731
fixes #3735
(cherry picked from commit 656ff36b75f24b7f58cdc79362a8a975460fb1db)
```
* Revision 41732b78666fd19ade073152d29ebf8e01f32a7c by Natanael Copa on 2015-08-07T14:36:29Z:
```
main/pcre: security fix for CVE-2014-8964
ref #3731
fixes #3734
```
* Revision 75e0c2eedee7d425dde5ea121e5919bc9f00347e by Natanael Copa on 2015-08-07T14:55:46Z:
```
main/pcre: security fix for CVE-2014-8964
ref #3731
fixes #3733
Conflicts:
main/pcre/APKBUILD
```https://gitlab.alpinelinux.org/alpine/aports/-/issues/3730[v3.0] icecast: remote leak and privileges gaining (CVE-2014-9018, CVE-2014-9...2019-07-12T14:53:49ZAlexander Belous[v3.0] icecast: remote leak and privileges gaining (CVE-2014-9018, CVE-2014-9091)CVE-2014-9018:
Icecast before 2.4.1 transmits the output of the on-connect script,
which might allow remote attackers to obtain sensitive information,
related to shared file descriptors.
•MLIST:\[oss-security\] 20141120 CVE request: i...CVE-2014-9018:
Icecast before 2.4.1 transmits the output of the on-connect script,
which might allow remote attackers to obtain sensitive information,
related to shared file descriptors.
•MLIST:\[oss-security\] 20141120 CVE request: icecast: possible leak of
on-connect scripts
•URL: http://www.openwall.com/lists/oss-security/2014/11/19/23
•MLIST:\[oss-security\] 20141120 Re: CVE request: icecast: possible leak
of on-connect scripts
•URL: http://www.openwall.com/lists/oss-security/2014/11/20/22
•CONFIRM: http://icecast.org/news/icecast-release-2\_4\_1/
•CONFIRM: https://trac.xiph.org/ticket/2087
•CONFIRM: https://trac.xiph.org/ticket/2089
•MANDRIVA:MDVSA-2014:231
•URL: http://www.mandriva.com/security/advisories?name=MDVSA-2014:231
•SUSE:openSUSE-SU-2014:1593
•URL: http://lists.opensuse.org/opensuse-updates/2014-12/msg00038.html
•BID:71312
•URL: http://www.securityfocus.com/bid/71312
•XF:icecast-cve20149091-priv-esc(98991)
•URL: http://xforce.iss.net/xforce/xfdb/98991
CVE-2014-9091:
Icecast before 2.4.0 does not change the supplementary group privileges
when <changeowner> is configured, which allows local users to gain
privileges via unspecified vectors.
•MLIST:\[oss-security\] 20141125 Re: Re: CVE request: icecast: possible
leak of on-connect scripts
•URL: http://seclists.org/oss-sec/2014/q4/794
•MLIST:\[oss-security\] 20141126 Re: CVE request: icecast: possible leak
of on-connect scripts
•URL: http://seclists.org/oss-sec/2014/q4/802
•CONFIRM: http://icecast.org/news/icecast-release-2\_4\_0/
•CONFIRM: https://bugzilla.redhat.com/show\_bug.cgi?id=1168146
•CONFIRM: https://trac.xiph.org/changeset/19137/
•SUSE:openSUSE-SU-2014:1591
•URL: http://lists.opensuse.org/opensuse-updates/2014-12/msg00037.html
*(from redmine: issue id 3730, created on 2015-01-23, closed on 2017-08-07)*
* Relations:
* parent #37273.0.7Francesco ColistaFrancesco Colistahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3729[v2.7] icecast: remote leak and privileges gaining (CVE-2014-9018, CVE-2014-9...2019-07-12T14:53:48ZAlexander Belous[v2.7] icecast: remote leak and privileges gaining (CVE-2014-9018, CVE-2014-9091)CVE-2014-9018:
Icecast before 2.4.1 transmits the output of the on-connect script,
which might allow remote attackers to obtain sensitive information,
related to shared file descriptors.
•MLIST:\[oss-security\] 20141120 CVE request: i...CVE-2014-9018:
Icecast before 2.4.1 transmits the output of the on-connect script,
which might allow remote attackers to obtain sensitive information,
related to shared file descriptors.
•MLIST:\[oss-security\] 20141120 CVE request: icecast: possible leak of
on-connect scripts
•URL: http://www.openwall.com/lists/oss-security/2014/11/19/23
•MLIST:\[oss-security\] 20141120 Re: CVE request: icecast: possible leak
of on-connect scripts
•URL: http://www.openwall.com/lists/oss-security/2014/11/20/22
•CONFIRM: http://icecast.org/news/icecast-release-2\_4\_1/
•CONFIRM: https://trac.xiph.org/ticket/2087
•CONFIRM: https://trac.xiph.org/ticket/2089
•MANDRIVA:MDVSA-2014:231
•URL: http://www.mandriva.com/security/advisories?name=MDVSA-2014:231
•SUSE:openSUSE-SU-2014:1593
•URL: http://lists.opensuse.org/opensuse-updates/2014-12/msg00038.html
•BID:71312
•URL: http://www.securityfocus.com/bid/71312
•XF:icecast-cve20149091-priv-esc(98991)
•URL: http://xforce.iss.net/xforce/xfdb/98991
CVE-2014-9091:
Icecast before 2.4.0 does not change the supplementary group privileges
when <changeowner> is configured, which allows local users to gain
privileges via unspecified vectors.
•MLIST:\[oss-security\] 20141125 Re: Re: CVE request: icecast: possible
leak of on-connect scripts
•URL: http://seclists.org/oss-sec/2014/q4/794
•MLIST:\[oss-security\] 20141126 Re: CVE request: icecast: possible leak
of on-connect scripts
•URL: http://seclists.org/oss-sec/2014/q4/802
•CONFIRM: http://icecast.org/news/icecast-release-2\_4\_0/
•CONFIRM: https://bugzilla.redhat.com/show\_bug.cgi?id=1168146
•CONFIRM: https://trac.xiph.org/changeset/19137/
•SUSE:openSUSE-SU-2014:1591
•URL: http://lists.opensuse.org/opensuse-updates/2014-12/msg00037.html
*(from redmine: issue id 3729, created on 2015-01-23, closed on 2017-08-07)*
* Relations:
* parent #3727Alpine 2.7.10Francesco ColistaFrancesco Colistahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3728[v2.6] icecast: remote leak and privileges gaining (CVE-2014-9018, CVE-2014-9...2019-07-12T14:53:48ZAlexander Belous[v2.6] icecast: remote leak and privileges gaining (CVE-2014-9018, CVE-2014-9091)CVE-2014-9018:
Icecast before 2.4.1 transmits the output of the on-connect script,
which might allow remote attackers to obtain sensitive information,
related to shared file descriptors.
•MLIST:\[oss-security\] 20141120 CVE request: i...CVE-2014-9018:
Icecast before 2.4.1 transmits the output of the on-connect script,
which might allow remote attackers to obtain sensitive information,
related to shared file descriptors.
•MLIST:\[oss-security\] 20141120 CVE request: icecast: possible leak of
on-connect scripts
•URL: http://www.openwall.com/lists/oss-security/2014/11/19/23
•MLIST:\[oss-security\] 20141120 Re: CVE request: icecast: possible leak
of on-connect scripts
•URL: http://www.openwall.com/lists/oss-security/2014/11/20/22
•CONFIRM: http://icecast.org/news/icecast-release-2\_4\_1/
•CONFIRM: https://trac.xiph.org/ticket/2087
•CONFIRM: https://trac.xiph.org/ticket/2089
•MANDRIVA:MDVSA-2014:231
•URL: http://www.mandriva.com/security/advisories?name=MDVSA-2014:231
•SUSE:openSUSE-SU-2014:1593
•URL: http://lists.opensuse.org/opensuse-updates/2014-12/msg00038.html
•BID:71312
•URL: http://www.securityfocus.com/bid/71312
•XF:icecast-cve20149091-priv-esc(98991)
•URL: http://xforce.iss.net/xforce/xfdb/98991
CVE-2014-9091:
Icecast before 2.4.0 does not change the supplementary group privileges
when <changeowner> is configured, which allows local users to gain
privileges via unspecified vectors.
•MLIST:\[oss-security\] 20141125 Re: Re: CVE request: icecast: possible
leak of on-connect scripts
•URL: http://seclists.org/oss-sec/2014/q4/794
•MLIST:\[oss-security\] 20141126 Re: CVE request: icecast: possible leak
of on-connect scripts
•URL: http://seclists.org/oss-sec/2014/q4/802
•CONFIRM: http://icecast.org/news/icecast-release-2\_4\_0/
•CONFIRM: https://bugzilla.redhat.com/show\_bug.cgi?id=1168146
•CONFIRM: https://trac.xiph.org/changeset/19137/
•SUSE:openSUSE-SU-2014:1591
•URL: http://lists.opensuse.org/opensuse-updates/2014-12/msg00037.html
*(from redmine: issue id 3728, created on 2015-01-23, closed on 2017-08-07)*
* Relations:
* parent #3727Alpine 2.6.7Francesco ColistaFrancesco Colistahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3726[v2.7] clamav: multiple security fixes (CVE 2013-6497, CVE-2014-9050)2019-07-12T14:53:47ZAlexander Belous[v2.7] clamav: multiple security fixes (CVE 2013-6497, CVE-2014-9050)ClamAV 0.98.5 has been released.
Among the new features and fixes there are several security fixes:
• Security fix for ClamAV crash when using ‘clamscan -a’. This issue was
identified by Kurt Siefried of Red Hat (CVE-2013-6497).
• S...ClamAV 0.98.5 has been released.
Among the new features and fixes there are several security fixes:
• Security fix for ClamAV crash when using ‘clamscan -a’. This issue was
identified by Kurt Siefried of Red Hat (CVE-2013-6497).
• Security fix for ClamAV crash when scanning maliciously crafted yoda’s
crypter files. This issue, as well as several other bugs fixed in this
release, were identified by Damien Millescamp of Oppida (CVE-2014-9050).
References:
http://seclists.org/oss-sec/2014/q4/673
http://blog.clamav.net/2014/11/clamav-0985-has-been-released.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6497
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9050
*(from redmine: issue id 3726, created on 2015-01-23, closed on 2017-09-05)*
* Relations:
* parent #3724Alpine 2.7.10Carlo LandmeterCarlo Landmeterhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3725[v2.6] clamav: multiple security fixes (CVE 2013-6497, CVE-2014-9050)2019-07-12T14:53:47ZAlexander Belous[v2.6] clamav: multiple security fixes (CVE 2013-6497, CVE-2014-9050)ClamAV 0.98.5 has been released.
Among the new features and fixes there are several security fixes:
• Security fix for ClamAV crash when using ‘clamscan -a’. This issue was
identified by Kurt Siefried of Red Hat (CVE-2013-6497).
• S...ClamAV 0.98.5 has been released.
Among the new features and fixes there are several security fixes:
• Security fix for ClamAV crash when using ‘clamscan -a’. This issue was
identified by Kurt Siefried of Red Hat (CVE-2013-6497).
• Security fix for ClamAV crash when scanning maliciously crafted yoda’s
crypter files. This issue, as well as several other bugs fixed in this
release, were identified by Damien Millescamp of Oppida (CVE-2014-9050).
References:
http://seclists.org/oss-sec/2014/q4/673
http://blog.clamav.net/2014/11/clamav-0985-has-been-released.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6497
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9050
*(from redmine: issue id 3725, created on 2015-01-23, closed on 2017-09-05)*
* Relations:
* parent #3724Alpine 2.6.7Carlo LandmeterCarlo Landmeterhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3723[v3.1] lsyncd: command injection (CVE-2014-8990)2019-07-23T13:58:33ZAlexander Belous[v3.1] lsyncd: command injection (CVE-2014-8990)default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers
to execute arbitrary commands via shell metacharacters in a filename.
References:
•CONFIRM: http://seclists.org/oss-sec/2014/q4/699
•MLIST:\[oss-security\] 201...default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers
to execute arbitrary commands via shell metacharacters in a filename.
References:
•CONFIRM: http://seclists.org/oss-sec/2014/q4/699
•MLIST:\[oss-security\] 20141119 CVE request: lsyncd command injection
•URL: http://www.openwall.com/lists/oss-security/2014/11/19/1
•MLIST:\[oss-security\] 20141120 Re: CVE request: lsyncd command
injection
•URL: http://www.openwall.com/lists/oss-security/2014/11/20/5
•CONFIRM:
https://github.com/axkibe/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
•CONFIRM:
https://github.com/axkibe/lsyncd/commit/e6016b3748370878778b8f0b568d5281cc248aa4
•CONFIRM: https://github.com/axkibe/lsyncd/issues/220
•FEDORA:FEDORA-2014-15373
•URL:
http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145131.html
•FEDORA:FEDORA-2014-15393
•URL:
http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145114.html
•BID:71179
•URL: http://www.securityfocus.com/bid/71179
*(from redmine: issue id 3723, created on 2015-01-23, closed on 2017-05-17)*
* Relations:
* parent #3719
* Changesets:
* Revision cf8d2d1f0ae199d0febfc6b95f80b4e071fe2a7e by Natanael Copa on 2015-01-23T14:19:05Z:
```
main/lsyncd: fix CVE-2014-8990
fixes #3723
(cherry picked from commit 655d521104ae64806748d619c3e3394c4974aa55)
```3.1.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3722[v3.0] lsyncd: command injection (CVE-2014-8990)2019-07-12T14:53:45ZAlexander Belous[v3.0] lsyncd: command injection (CVE-2014-8990)default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers
to execute arbitrary commands via shell metacharacters in a filename.
References:
•CONFIRM: http://seclists.org/oss-sec/2014/q4/699
•MLIST:\[oss-security\] 201...default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers
to execute arbitrary commands via shell metacharacters in a filename.
References:
•CONFIRM: http://seclists.org/oss-sec/2014/q4/699
•MLIST:\[oss-security\] 20141119 CVE request: lsyncd command injection
•URL: http://www.openwall.com/lists/oss-security/2014/11/19/1
•MLIST:\[oss-security\] 20141120 Re: CVE request: lsyncd command
injection
•URL: http://www.openwall.com/lists/oss-security/2014/11/20/5
•CONFIRM:
https://github.com/axkibe/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
•CONFIRM:
https://github.com/axkibe/lsyncd/commit/e6016b3748370878778b8f0b568d5281cc248aa4
•CONFIRM: https://github.com/axkibe/lsyncd/issues/220
•FEDORA:FEDORA-2014-15373
•URL:
http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145131.html
•FEDORA:FEDORA-2014-15393
•URL:
http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145114.html
•BID:71179
•URL: http://www.securityfocus.com/bid/71179
*(from redmine: issue id 3722, created on 2015-01-23, closed on 2017-09-05)*
* Relations:
* parent #37193.0.7Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3721[v2.7] lsyncd: command injection (CVE-2014-8990)2019-07-12T14:53:45ZAlexander Belous[v2.7] lsyncd: command injection (CVE-2014-8990)default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers
to execute arbitrary commands via shell metacharacters in a filename.
References:
•CONFIRM: http://seclists.org/oss-sec/2014/q4/699
•MLIST:\[oss-security\] 201...default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers
to execute arbitrary commands via shell metacharacters in a filename.
References:
•CONFIRM: http://seclists.org/oss-sec/2014/q4/699
•MLIST:\[oss-security\] 20141119 CVE request: lsyncd command injection
•URL: http://www.openwall.com/lists/oss-security/2014/11/19/1
•MLIST:\[oss-security\] 20141120 Re: CVE request: lsyncd command
injection
•URL: http://www.openwall.com/lists/oss-security/2014/11/20/5
•CONFIRM:
https://github.com/axkibe/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
•CONFIRM:
https://github.com/axkibe/lsyncd/commit/e6016b3748370878778b8f0b568d5281cc248aa4
•CONFIRM: https://github.com/axkibe/lsyncd/issues/220
•FEDORA:FEDORA-2014-15373
•URL:
http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145131.html
•FEDORA:FEDORA-2014-15393
•URL:
http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145114.html
•BID:71179
•URL: http://www.securityfocus.com/bid/71179
*(from redmine: issue id 3721, created on 2015-01-23, closed on 2017-09-05)*
* Relations:
* parent #3719Alpine 2.7.10Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3720[v2.6] lsyncd: command injection (CVE-2014-8990)2019-07-12T14:53:44ZAlexander Belous[v2.6] lsyncd: command injection (CVE-2014-8990)default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers
to execute arbitrary commands via shell metacharacters in a filename.
References:
•CONFIRM: http://seclists.org/oss-sec/2014/q4/699
•MLIST:\[oss-security\] 201...default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers
to execute arbitrary commands via shell metacharacters in a filename.
References:
•CONFIRM: http://seclists.org/oss-sec/2014/q4/699
•MLIST:\[oss-security\] 20141119 CVE request: lsyncd command injection
•URL: http://www.openwall.com/lists/oss-security/2014/11/19/1
•MLIST:\[oss-security\] 20141120 Re: CVE request: lsyncd command
injection
•URL: http://www.openwall.com/lists/oss-security/2014/11/20/5
•CONFIRM:
https://github.com/axkibe/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
•CONFIRM:
https://github.com/axkibe/lsyncd/commit/e6016b3748370878778b8f0b568d5281cc248aa4
•CONFIRM: https://github.com/axkibe/lsyncd/issues/220
•FEDORA:FEDORA-2014-15373
•URL:
http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145131.html
•FEDORA:FEDORA-2014-15393
•URL:
http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145114.html
•BID:71179
•URL: http://www.securityfocus.com/bid/71179
*(from redmine: issue id 3720, created on 2015-01-23, closed on 2017-09-05)*
* Relations:
* parent #3719Alpine 2.6.7Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3718[v3.1] xen: Missing privilege level checks in x86 emulation of far branches (...2019-07-23T13:58:34ZAlexander Belous[v3.1] xen: Missing privilege level checks in x86 emulation of far branches (CVE-2014-8595)The emulation of far branch instructions (CALL, JMP, and RETF in Intel
assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax)
incompletely performs privilege checks.
However these instructions are not usually handled by the emu...The emulation of far branch instructions (CALL, JMP, and RETF in Intel
assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax)
incompletely performs privilege checks.
However these instructions are not usually handled by the emulator.
Exceptions to this are
\- - when a memory operand lives in (emulated or passed through) memory
mapped IO space,
\- - in the case of guests running in 32-bit PAE mode, when such an
instruction is (in execution flow) within four instructions of one doing
a page table update,
\- - when an Invalid Opcode exception gets raised by a guest
instruction, and the guest then (likely maliciously) alters the
instruction to become one of the affected ones,
- - when the guest is in real mode (in which case there are no privilege
checks anyway).
IMPACT ==
Malicious HVM guest user mode code may be able to elevate its privileges
to guest supervisor mode, or to crash the guest.
VULNERABLE SYSTEMS ==
Xen 3.2.1 and onward are vulnerable on x86 systems. ARM systems are not
vulnerable.
Only user processes in x86 HVM guests can take advantage of this
vulnerability.
MITIGATION ==
Running only PV guests will avoid this issue. There is no mitigation
available for HVM guests.
RESOLUTION ==
Applying the appropriate attached patch resolves this issue.
[http://seclists.org/oss-sec/2014/q4/att-665/xsa110.patch](http://seclists.org/oss-sec/2014/q4/att-665/xsa110.patch)
xen-unstable, Xen 4.4.x
[http://seclists.org/oss-sec/2014/q4/att-665/xsa110-4\_3-and-4\_2.patch](http://seclists.org/oss-sec/2014/q4/att-665/xsa110-4\_3-and-4\_2.patch)
Xen 4.3.x, Xen 4.2.x
*(from redmine: issue id 3718, created on 2015-01-23, closed on 2017-05-17)*
* Relations:
* parent #37143.1.2Ariadne Conillariadne@ariadne.spaceAriadne Conillariadne@ariadne.spacehttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3717[v3.0] xen: Missing privilege level checks in x86 emulation of far branches (...2019-07-12T14:53:43ZAlexander Belous[v3.0] xen: Missing privilege level checks in x86 emulation of far branches (CVE-2014-8595)The emulation of far branch instructions (CALL, JMP, and RETF in Intel
assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax)
incompletely performs privilege checks.
However these instructions are not usually handled by the emu...The emulation of far branch instructions (CALL, JMP, and RETF in Intel
assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax)
incompletely performs privilege checks.
However these instructions are not usually handled by the emulator.
Exceptions to this are
\- - when a memory operand lives in (emulated or passed through) memory
mapped IO space,
\- - in the case of guests running in 32-bit PAE mode, when such an
instruction is (in execution flow) within four instructions of one doing
a page table update,
\- - when an Invalid Opcode exception gets raised by a guest
instruction, and the guest then (likely maliciously) alters the
instruction to become one of the affected ones,
- - when the guest is in real mode (in which case there are no privilege
checks anyway).
IMPACT ==
Malicious HVM guest user mode code may be able to elevate its privileges
to guest supervisor mode, or to crash the guest.
VULNERABLE SYSTEMS ==
Xen 3.2.1 and onward are vulnerable on x86 systems. ARM systems are not
vulnerable.
Only user processes in x86 HVM guests can take advantage of this
vulnerability.
MITIGATION ==
Running only PV guests will avoid this issue. There is no mitigation
available for HVM guests.
RESOLUTION ==
Applying the appropriate attached patch resolves this issue.
[http://seclists.org/oss-sec/2014/q4/att-665/xsa110.patch](http://seclists.org/oss-sec/2014/q4/att-665/xsa110.patch)
xen-unstable, Xen 4.4.x
[http://seclists.org/oss-sec/2014/q4/att-665/xsa110-4\_3-and-4\_2.patch](http://seclists.org/oss-sec/2014/q4/att-665/xsa110-4\_3-and-4\_2.patch)
Xen 4.3.x, Xen 4.2.x
*(from redmine: issue id 3717, created on 2015-01-23, closed on 2017-09-05)*
* Relations:
* parent #37143.0.7Ariadne Conillariadne@ariadne.spaceAriadne Conillariadne@ariadne.spacehttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3716[v2.7] xen: Missing privilege level checks in x86 emulation of far branches (...2019-07-12T14:53:43ZAlexander Belous[v2.7] xen: Missing privilege level checks in x86 emulation of far branches (CVE-2014-8595)The emulation of far branch instructions (CALL, JMP, and RETF in Intel
assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax)
incompletely performs privilege checks.
However these instructions are not usually handled by the emu...The emulation of far branch instructions (CALL, JMP, and RETF in Intel
assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax)
incompletely performs privilege checks.
However these instructions are not usually handled by the emulator.
Exceptions to this are
\- - when a memory operand lives in (emulated or passed through) memory
mapped IO space,
\- - in the case of guests running in 32-bit PAE mode, when such an
instruction is (in execution flow) within four instructions of one doing
a page table update,
\- - when an Invalid Opcode exception gets raised by a guest
instruction, and the guest then (likely maliciously) alters the
instruction to become one of the affected ones,
- - when the guest is in real mode (in which case there are no privilege
checks anyway).
IMPACT ==
Malicious HVM guest user mode code may be able to elevate its privileges
to guest supervisor mode, or to crash the guest.
VULNERABLE SYSTEMS ==
Xen 3.2.1 and onward are vulnerable on x86 systems. ARM systems are not
vulnerable.
Only user processes in x86 HVM guests can take advantage of this
vulnerability.
MITIGATION ==
Running only PV guests will avoid this issue. There is no mitigation
available for HVM guests.
RESOLUTION ==
Applying the appropriate attached patch resolves this issue.
[http://seclists.org/oss-sec/2014/q4/att-665/xsa110.patch](http://seclists.org/oss-sec/2014/q4/att-665/xsa110.patch)
xen-unstable, Xen 4.4.x
[http://seclists.org/oss-sec/2014/q4/att-665/xsa110-4\_3-and-4\_2.patch](http://seclists.org/oss-sec/2014/q4/att-665/xsa110-4\_3-and-4\_2.patch)
Xen 4.3.x, Xen 4.2.x
*(from redmine: issue id 3716, created on 2015-01-23, closed on 2017-09-05)*
* Relations:
* parent #3714Alpine 2.7.10Ariadne Conillariadne@ariadne.spaceAriadne Conillariadne@ariadne.spacehttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3715[v2.6] xen: Missing privilege level checks in x86 emulation of far branches (...2019-07-12T14:53:42ZAlexander Belous[v2.6] xen: Missing privilege level checks in x86 emulation of far branches (CVE-2014-8595)The emulation of far branch instructions (CALL, JMP, and RETF in Intel
assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax)
incompletely performs privilege checks.
However these instructions are not usually handled by the emu...The emulation of far branch instructions (CALL, JMP, and RETF in Intel
assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax)
incompletely performs privilege checks.
However these instructions are not usually handled by the emulator.
Exceptions to this are
\- - when a memory operand lives in (emulated or passed through) memory
mapped IO space,
\- - in the case of guests running in 32-bit PAE mode, when such an
instruction is (in execution flow) within four instructions of one doing
a page table update,
\- - when an Invalid Opcode exception gets raised by a guest
instruction, and the guest then (likely maliciously) alters the
instruction to become one of the affected ones,
- - when the guest is in real mode (in which case there are no privilege
checks anyway).
IMPACT ==
Malicious HVM guest user mode code may be able to elevate its privileges
to guest supervisor mode, or to crash the guest.
VULNERABLE SYSTEMS ==
Xen 3.2.1 and onward are vulnerable on x86 systems. ARM systems are not
vulnerable.
Only user processes in x86 HVM guests can take advantage of this
vulnerability.
MITIGATION ==
Running only PV guests will avoid this issue. There is no mitigation
available for HVM guests.
RESOLUTION ==
Applying the appropriate attached patch resolves this issue.
[http://seclists.org/oss-sec/2014/q4/att-665/xsa110.patch](http://seclists.org/oss-sec/2014/q4/att-665/xsa110.patch)
xen-unstable, Xen 4.4.x
[http://seclists.org/oss-sec/2014/q4/att-665/xsa110-4\_3-and-4\_2.patch](http://seclists.org/oss-sec/2014/q4/att-665/xsa110-4\_3-and-4\_2.patch)
Xen 4.3.x, Xen 4.2.x
*(from redmine: issue id 3715, created on 2015-01-23, closed on 2017-09-05)*
* Relations:
* parent #3714Alpine 2.6.7Ariadne Conillariadne@ariadne.spaceAriadne Conillariadne@ariadne.spacehttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3713[v3.1] php: multiple fixes (CVE-2015-0231, CVE-2014-9427, CVE-2015-0232 etc.)2019-07-23T13:58:35ZAlexander Belous[v3.1] php: multiple fixes (CVE-2015-0231, CVE-2014-9427, CVE-2015-0232 etc.)The PHP development team announces the immediate availability of PHP
5.4.37, 5.5.21 and 5.6.5. These releases fixes several bugs as well as
CVE-2015-0231, CVE-2014-9427 and CVE-2015-0232.
All PHP users are encouraged to upgrade to the ...The PHP development team announces the immediate availability of PHP
5.4.37, 5.5.21 and 5.6.5. These releases fixes several bugs as well as
CVE-2015-0231, CVE-2014-9427 and CVE-2015-0232.
All PHP users are encouraged to upgrade to the appropriate version.
References:
http://php.net/archive/2015.php\#id2015-01-22-3
CVE-2015-0231:
https://bugs.php.net/bug.php?id=68710
CVE-2014-9427:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9427
CVE-2015-0232:
https://bugs.php.net/bug.php?id=68799
*(from redmine: issue id 3713, created on 2015-01-23, closed on 2015-08-06)*
* Relations:
* parent #37093.1.2Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3712[v3.0] php: multiple fixes (CVE-2015-0231, CVE-2014-9427, CVE-2015-0232 etc.)2019-07-23T13:58:36ZAlexander Belous[v3.0] php: multiple fixes (CVE-2015-0231, CVE-2014-9427, CVE-2015-0232 etc.)The PHP development team announces the immediate availability of PHP
5.4.37, 5.5.21 and 5.6.5. These releases fixes several bugs as well as
CVE-2015-0231, CVE-2014-9427 and CVE-2015-0232.
All PHP users are encouraged to upgrade to the ...The PHP development team announces the immediate availability of PHP
5.4.37, 5.5.21 and 5.6.5. These releases fixes several bugs as well as
CVE-2015-0231, CVE-2014-9427 and CVE-2015-0232.
All PHP users are encouraged to upgrade to the appropriate version.
References:
http://php.net/archive/2015.php\#id2015-01-22-3
CVE-2015-0231:
https://bugs.php.net/bug.php?id=68710
CVE-2014-9427:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9427
CVE-2015-0232:
https://bugs.php.net/bug.php?id=68799
*(from redmine: issue id 3712, created on 2015-01-23, closed on 2015-08-06)*
* Relations:
* parent #3709
* Changesets:
* Revision e4539845c0eb7d829e71905cade09da9557075a4 by Natanael Copa on 2015-05-05T08:06:44Z:
```
main/php: security upgrade to 5.5.24
5.5.24:
- CVE-2015-1351
- CVE-2015-1352
- CVE-2015-2783
- CVE-2015-3329
- CVE-2015-3330
5.5.23:
- CVE-2015-2305
- CVE-2015-2331
- CVE-2015-2348
- CVE-2015-2787
5.5.22:
- CVE-2014-9705
- CVE-2015-0235 (migitation)
- CVE-2015-0273
- CVE-2015-2301
5.5.21:
- CVE-2014-9425
- CVE-2014-9427
- CVE-2014-9652
- CVE-2014-9709
- CVE-2015-0231
- CVE-2015-0232
5.5.20:
- CVE-2014-8142
5.5.19:
- CVE-2014-3710
5.5.18:
- CVE-2014-3669
- CVE-2014-3670
- CVE-2014-3668
5.5.17:
- no CVE
fixes #3712
fixes #4113
```3.0.7Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/3711[v2.7] php: multiple fixes (CVE-2015-0231, CVE-2014-9427, CVE-2015-0232 etc.)2019-07-23T13:58:36ZAlexander Belous[v2.7] php: multiple fixes (CVE-2015-0231, CVE-2014-9427, CVE-2015-0232 etc.)The PHP development team announces the immediate availability of PHP
5.4.37, 5.5.21 and 5.6.5. These releases fixes several bugs as well as
CVE-2015-0231, CVE-2014-9427 and CVE-2015-0232.
All PHP users are encouraged to upgrade to the ...The PHP development team announces the immediate availability of PHP
5.4.37, 5.5.21 and 5.6.5. These releases fixes several bugs as well as
CVE-2015-0231, CVE-2014-9427 and CVE-2015-0232.
All PHP users are encouraged to upgrade to the appropriate version.
References:
http://php.net/archive/2015.php\#id2015-01-22-3
CVE-2015-0231:
https://bugs.php.net/bug.php?id=68710
CVE-2014-9427:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9427
CVE-2015-0232:
https://bugs.php.net/bug.php?id=68799
*(from redmine: issue id 3711, created on 2015-01-23, closed on 2015-08-06)*
* Relations:
* parent #3709
* Changesets:
* Revision a1416c914f36dd164236ee3852285e3464e36307 by Natanael Copa on 2015-05-05T07:30:51Z:
```
main/php: security upgrade to 5.5.24
5.5.24:
- CVE-2015-1351
- CVE-2015-1352
- CVE-2015-2783
- CVE-2015-3329
- CVE-2015-3330
5.5.23:
- CVE-2015-2305
- CVE-2015-2331
- CVE-2015-2348
- CVE-2015-2787
5.5.22:
- CVE-2014-9705
- CVE-2015-0235 (migitation)
- CVE-2015-0273
- CVE-2015-2301
5.5.21:
- CVE-2014-9425
- CVE-2014-9427
- CVE-2014-9652
- CVE-2014-9709
- CVE-2015-0231
- CVE-2015-0232
5.5.20:
- CVE-2014-8142
5.5.19:
- CVE-2014-3710
5.5.18:
- CVE-2014-3669
- CVE-2014-3670
- CVE-2014-3668
5.5.17:
- no CVE
fixes #3711
fixes #4112
```Alpine 2.7.10Natanael CopaNatanael Copa